BYOD: Can everyone bring toys to the office?

“BYOD” denotes “Bring Your Own Device”; whereby employees bring their own home-purchased technology into work. It’s a phenomenon that’s here to stay. Jessica Keyes, Ph.D. is president of high-tech management consultancy, New Art Technologies, Inc., and an Honorary Lecturer at the University of Liverpool. She says, “Technical wizardry is no longer purely the domain of the IT department. Geeks are now everywhere. Many of them have grown up with computers from birth. These workers want to make their own technology choices, whether they are on the ‘approved’ list or not, and whether the company pays for it or not.”

This is, surely, a win for your business. Employees pay for their own equipment, and pay to maintain it, too. It’s also usually up to current specifications: better than you might be able to afford; and likely full of current software and apps, too. Plus, your team are happier, because they get to use kit with which they’re already comfortable. There’s no need for training or familiarisation; indeed most users of consumer IT won’t even have bothered to read the manual. It’s a world of turnkey computing.

Keyes adds that the comfort factor can directly lead to productivity gains: “It has even been suggested that employees will work longer hours because they will be able to interact with their systems, using their tools of choice, at any time of day or night.”

So, what’s not to love? Well, imagine if you ran a taxi firm, and any driver could turn up with any old jalopy and start ferrying passengers about. This is a good analogy for the sort of challenges associated with unregulated BYOD. Here are just some of the considerations, as outlined by Cesare Garlati, Co-Chair of the Cloud Security Alliance Mobile Working Group:

• Getting everything to work together. When a business could dictate its technology, it was always consistent. Homogenous technology is cheaper to buy, maintain and connect. But with everyone connecting different smartphones, laptops, tablets and even home computers to the company network, it makes managing them – and the many different applications they may be running – very complicated.

• Controlling security. Whether you have an IT department (as large companies do), an IT contractor (as midsize companies do) or you try to juggle technology for yourself (as small businesses do), BYOD represents a security nightmare. You can’t completely prevent your employees from accidentally uploading nasties like viruses or spy-software onto their machines; or visiting dodgy websites. Garlati adds, “Plus, the technology and applications are both consumer-grade, not enterprise grade; and will need third party security products which previously would have been provided by the IT team”. As these devices are mobile, that security regime needs to be delivered over the air, too. A range of new services like Microsoft’s Windows Intune deliver systems management from the Cloud, and are evolving to include mobile device security regimes. It’s not a moment too soon: as Keyes notes, “McAfee, the security company, says that over 4% of smartphones are lost or stolen each year. Each unsecured stolen or lost phone opens the organization up to the chance of a breach of corporate systems and/or data.”

• Providing support. If you do have a support contractor or in-house function, the cost of trying to solve problems on users’ home machines (which might even be their problem, not yours…) can easily outweigh all the cost savings derived from having them use their own equipment.

• These, however, pale into insignificance next to the operational and legal challenges which could be presented by the lack of an Acceptable Use Policy (AUP) which accounts at least in some way for BYOD. If you don’t have one, BYOD should be your cue for action. That said, you’re in good company: Garlati says that, having conducted over two years of extensive research in large organisations, less than 10% of businesses had BYOD-specific language in their Acceptable Use policy, leaving at least 80% exposed to employee litigation. See ‘Design your BYOD Acceptable Use Policy’ for more details.

So, should we panic and close the doors to outside kit? Keyes says no: “Despite all the brouhaha over BYOD, the world has not radically changed.” The key to successful BYOD is a comprehensive policy, plus some good technology. Says Garlati, “Management of the device needs to be non-touch, somehow, because either you don’t have an IT team, or if you do, they won’t be able to cope anyway. So the Mobile Device Management layer is crucial.” Luckily, says Keyes, “traditional asset management has been improved just for this purpose. MDM functionality typically includes over-the-air distribution of applications, data and configuration settings for all types of mobile devices, company-owned or BYOD.”

HOW MICROSOFT CAN HELP

Microsoft Office 365 brings together online versions of the best communications and collaboration tools from Microsoft. Subscribe to web-enabled tools that let you access your email, documents, contacts, and calendars from virtually anywhere, on almost any device. Microsoft Office 365 is available from £3.90 per user per month for up to 50 users and from £5.20 per user per month for 50+ users.

Case study: Toyota Racing Development
One of the reasons for BYOD’s unstoppable popularity is the clear business benefits of portability and mobility. Businesses of all sizes have purchasing challenges: small businesses are cash-poor; larger companies are slow-moving. Employees find it easier to bring their own smartphones, tablets and laptops into work – because it makes their work-lives easier.

But with security a major concern and improvements in productivity essential, can Microsoft’s mobility platforms meet the most stringent of business and security needs? Well, if you’ve ever watched Formula 1 on TV, you’ll know that, in motor racing, every tenth of a second counts, and technology is key to saving time on the track. That’s true at every level of the game.

Toyota Racing Development (TRD) differentiates itself within the hyper-competitive racing business through technology innovation. During testing, a typical Toyota stock car is equipped with more than a million dollars’ worth of instrumentation that monitors car and driver performance; and since 2007, TRD has developed racing software for teams to analyse this information to improve performance and win races.

“One of the biggest differentiators between TRD and our competition is that we have invested heavily in Windows software,” says Steve Wickham, VP of Chassis Operations at Toyota Racing Development. “Recently, however, we’ve been getting pressure from teams to improve communications and to introduce a more mobile computing platform that can be used trackside.”

To deliver a more intuitive, mobile computing platform for trackside information exchanges in the garage, TRD upgraded its racing software to run on the Windows 8 Enterprise operating system. It deployed its new, touch-enabled application, called ‘TRD Trackside’, on the Surface Pro tablet.

“Competitors are working all around us in nearby garage stalls, so protecting our data is critical,” says Darren Jones, Group Lead for Software Development at TRD. “We chose Windows 8 instead of the iOS because we get enterprise-ready security, the familiarity of the Windows development environment, and a touch-enabled interface.” Wickham adds, “It’s an exciting new software tool for us. Now I’m just waiting for that email after a race weekend that says, ‘Thanks for the software - it helped us win the race.’”

Design your BYOD Acceptable Use Policy

Lawyers are still arguing over the intricacies of BYOD Acceptable Use Policies (AUP). In truth, it is probably impossible to define a watertight legal framework at this moment. However, even the smallest company can benefit from identifying the challenges and mitigate them by having clarity on paper where possible. Our experts, Cesare Garlati (CG) and Jessica Keyes, Ph.D. (JK) offer this powerful Top Ten as a starting point:

1. Privacy (CG). Mobile Device Management tools are the software which secure company information when it’s on a mobile device, whether connected to the company network or not. That’s fine when it’s a company computer, but what if you’re monitoring traffic on an employee’s PC? Without clear rights and responsibilities, this represents an invasion of privacy, or possibly even hacking.

2. Who pays for what? (JK). When an employee uses their own device for both work and play, overages of both phone and data usage can easily occur. Who pays for what must be clearly spelled out. Your policy should precisely define which categories the business will cover, and which not. This will also indemnify you against any potential fringe benefit tax issues.

3. Third Parties (CG). Personal devices are often shared around the family – think of the laptop or tablet which Dad shares with the kids, for example. Even a watertight acceptable use policy can’t be signed on behalf of other family members. Your employees cannot be held responsible for their kids’ use of a family device: if that affects your attitude to data, then it also ought to affect your attitude to BYOD.

4. Work v. Play: what we do after hours (JK). The fundamental challenge of BYOD is differentiating between work activities and what employees do when off the clock. As ever, on a company-purchased device, AUPs can clearly define what users may do. On an employee-owned device, things are much less clearly defined. There are plenty of situations where an employee may be using their device, in their own time, and therefore the relevance of their actions may only be apparent because the company has been able to discover it at a later date; a discovery which would not have been possible if the home/work gulf had not been breached. What, for example, if an employee makes a defamatory or discriminatory remark on a social network, or even in a private email?

5. Work v. Play: what we do in work (JK). The same issues apply on the job. Even on their own device, it’s unacceptable for an employee to engage in harassment, or to compromise workplace safety (for example by texting whilst driving).

6. Company responsibility for personal data (CG). Garlati notes that his own son woke up one morning and, in an understandably desperate bid to play Angry Birds, tried multiple passwords on a tablet and thus triggered the Remote Wipe security function. That’s a great security tool, rightly mandated by the company to protect its data. But when the wipe occurred, what about all the personal photos etc. on the machine? It is arguable that the business could be responsible for them – even if the wipe was caused by a genuine thief!

7. Licensing (CG). Home computers usually include home-use licensing of software. If that software is then used for commercial purposes, not only is the employee breaching the terms of their license, but the company can be accountable as an accessory to the license infringement. Microsoft offers licenses of Office software under Office 365 Small Business Premium to resolve precisely this problem.

8. Your HR Conduct (JK). The electronic record of an employee’s device usage may be used against you – especially after acrimonious terminations. It could, for example, show that an employee is working all hours of the day and night (even without your knowledge) – which might bring up issues of liability for unrecorded overtime, or minimum wage problems.

9. Device Disposal (CG). It’s an employee’s right to dispose of their old property however they want. There are apocryphal stories of phones left on planes and in taxis ending up on eBay. Businesses must, of course, require Remote Wipe functions to be activated, and an AUP should also include the condition that company data is rigorously removed before planned disposal.

10. Litigation (CG). Finally, if your company should find itself mired in litigation, the court can seize devices for ‘e-discovery’; i.e. the hunt for electronic evidence; even if it’s a personally owned device. Your employee probably won’t get it back soon, if at all; and their personal content will likely be exposed.

Using the Cloud to control BYOD
Kevin Meager – Olive Communications

BYOD and the Cloud are both buzzword trends right now, but neither is particularly new. The Cloud has been around as long as the internet itself, and people have used their own devices for a long time too – you may remember syncing your contacts to a ‘Palm Pilot’! What’s changed is that both technologies are now prevalent, mass market, connected by wi-fi rather than cable, and therefore what IT people call ‘frictionless’ – i.e. ridiculously easy.

Anyone can do it, and that’s why the perceived risk of insecurity with BYOD is greater. IT people aren’t being spoil-sports: BYOD is fabulously powerful, but it can mean that both employers and any IT Support they may have completely relinquish control over the corporate network, and that’s an open invitation to hackers.

The ideal outcome is therefore to get the benefits of BYOD – better, faster business from happier employees – whilst keeping enough control to minimise the security mistakes that untrained people can make. This is where cloud services like Office 365 and Windows Intune are useful. With Cloud tools, you can have many of the security functions and policies of a server without the maintenance price tag which so many smaller companies found prohibitive (and therefore lived without). With Office 365, you can block unauthorised or hopelessly insecure devices. You can make sure that mobile devices are password protected; essential if they get lost – which they do. It allows business owners and employers to maintain at least some control over connected devices.

Another function of professional Cloud services in bringing control back into the business is in reducing the use of mobile Apps. There is a huge proliferation of messenger and file storage Apps – there are literally thousands on the market. Many are free, and we think they’re safe because they’ve passed the test to be allowed onto a manufacturer’s App Store. But the legal position regarding personal or company-confidential data may be very different indeed.

An unauthorised App could be storing personal data about customers on a system which doesn’t conform to the Data Protection Act at all. It could be hosted in a wholly unregulated country. If, instead, you store your information in the Microsoft Cloud using Skydrive Pro or in a SharePoint Workspace using Office 365, you absolutely know that the data storage is compliant with EU Safe Harbour laws. By setting up Office 365, it’s the business, rather than the non-expert employee, who chooses where file storage and use happens.

In the same vein, sometimes even when a paid App is up to scratch, the free version of an App will have no encryption of information when stored or transmitted. Employees obviously like free Apps, and in any case, we expect to use free Apps to ‘try out the service’ anyway. Again, by giving employees secure cloud tools of the company’s choosing, the temptation and risk are very much reduced.

Employees (and managers!) are always going to make mistakes. Wise Cloud decisions, however, can minimise those mistakes by keeping a modicum of control within the company’s four walls; all at manageable and predictable cost and with plenty of productivity benefits, too.
