Employee Owned Devices

It is difficult for any enterprise level IT hardware supply to keep up with the trend for new, shiny, consumer devices. Most businesses have a multi-year cycle of purchasing assets, testing them, rolling them out and then, given the cost, it is expected that they will remain in use for at least a couple of years before a technology refresh is initiated.

Staff IT demands are always increasing
Technological progress can outstrip business processes. Do you have a plan to accommodate this?

While this is normal for business, it is alien for a new generation of staff who are used to being connected to data networks pretty much 24 hours a day. With devices like the iPhone/iPad, Android tablets and a dizzying array of more traditional hardware, people have become used to the productivity benefits of using the latest and fastest devices. Understandably, these same people get frustrated that their work ends up being done on antiquated, slow, cumbersome machines and it is inevitable that more and more will press to be allowed to connect their own devices to the corporate infrastructure.

A recent IDC survey (reported by Computer World) revealed that 40% of devices used to access business applications were personally owned. This is a 10% increase over 2010, and the chances are that this trend, often referred to as “consumerisation”, is going to continue to increase.

There are very positive business drivers for this – staff have improved morale, vastly increased productivity and there can be significant reductions in the IT costs for the business (as staff take on the cost of maintaining and supporting their own devices). Consumerisation has a lot in common with allowing for remote working (e.g. “Home Working”) in that the weight of research shows a tremendous benefit to employee productivity.

Consumerised devices - a threat or benefit to the enterprise network?
How do your employees connect to the network?

In fact, a lot of organisations allow their staff to connect via consumerised devices without really knowing it. Employees will use their own knowledge of the enterprise architecture to connect mobile devices (iPhones etc.) to the email server, and if you have any web-based portals, it is almost certain that your staff will connect from their own machines.

However, as with all great opportunities there are some risks involved. Understanding and managing these risks can make the difference between being able to securely embrace a consumerised workforce and having to choose between totally prohibiting your staff, or leaving your network wide open.

First and foremost, view consumerisation as a significant business project. It is, and even trial runs will need some detailed planning if you want to have any hope of success.

Next, you need to make sure you plan ahead. Decide how far into consumerisation you want to go – for example is it allowing staff to connect with smartphones, or do you want all employees to use their own laptops for work?

An important part of this planning is making sure you have the involvement of your legal experts. At this early stage you will absolutely need to decide what your contractual terms (employment contracts, acceptable use policies etc.) will mandate, and you need to decide how much authority you want over your employees' devices.

Possibly the biggest stumbling block for consumerisation plans is deciding where to draw the line between employer ownership of the data and the employee’s device. If you allow your employees to access data on their own devices, then you must ensure that you have a suitable agreement in place that will enable you to enforce its proper disposal if the employee leaves your service. You may, depending on circumstances, also need to have the right to search the device for relevant data – such as when responding to an eDiscovery request or other legal investigations – and it seems likely that in the event of court action (criminal or civil), claiming a device is employee owned will not be sufficient to prevent its seizure and investigation. You need to make staff aware that this is a possibility and that, if this happens, they may find their own data is subjected to scrutiny.

Also, you need to consider support for the device. Will you expect your employees to make the proper arrangements to repair or replace it as needed? If so, this has to be documented and put in the agreement. Unless your staff are very tech-savvy, it is likely that if the device breaks, they will be without it for several days – if your business can't allow this, then make sure your contract says what they must put in place to prevent it. The same goes for data backup. Most home users are terrible at backing up data, and once the device is not part of your own support infrastructure it may fall out of scope for backup routines.

On a related note, you will also have to consider how you carry out internal investigations. If you would normally do this without alerting your employees, you may discover you can no longer do so, as the employee will have control over who can, and can't, connect to their device – covert inspections become almost impossible and are actually almost certainly going to break the law.

Once you have considered the possible ramifications, both in terms of impact on your business and your employees, you will have a better idea of what is the most suitable course of action for your organisation.

No two consumerisation experiences are the same, and as every business has different needs it is worth considering the options available to you. For example, a good solution to controlling the employee data is to allow them to connect via a Citrix front end, or use the freely available VMware players to create a virtual machine. This will enable them to segregate personal use of the device from their work use. It will also mean that, when the employee moves on, you have a simple way to sanitise the data off their machine.

In summary, consumerisation is growing in popularity, it has significant benefits in both employee morale and productivity, and it can result in drastically reduced enterprise costs. However, there are some pitfalls – including some very major ones if you are subject to an eDiscovery request – that have to be considered and designed out from the very start.

While we don't suggest everyone rush headlong into widespread consumerisation, there is no need to immediately dismiss it. Consider the options, and if it is right for your business then take advantage of the consumerisation benefits in a secure manner. If you want assistance with this, from initial scoping to drawing up policy documents, then get in touch with our security team who will be glad to help.

Halkyn Security

Halkyn Security Consultants.