Balance security and productivity in consumerisation policy

The consumerisation of IT and bring-your-own-device (BYOD) programmes have become headline-grabbing issues, but in the rush to be seen to be doing something about it, organisations risk compromising security, warns Rob Bamforth.

Consumerisation and bring-your-own-device (BYOD) policies have become headline-grabbing issues, but in the rush to be seen to be doing something about it, organisations risk making mistakes.

The consumerisation of IT is nothing new. Even when the first PCs appeared on or below desks, they were often brought in without IT departmental knowledge or centralised purchase control. Essentially consumer products, they could be easily bought with departmental budgets or even expenses, but they were – the odd game as an exception perhaps – used exclusively for business purposes.

My first consumer IT for business purchase was a Sinclair Spectrum that we programmed in BASIC to model certain satellite dynamics at British Aerospace in 1981. The reason for the purchase then, and in most instances since, was expediency and cost. A business issue needed resolving and going through official routes would take too long and too much precious budget.

The reason for the panic now is that the devices in question are mobile and dual-purpose: business and personal.

Mobility brings flexibility but much greater risk, not only from loss or theft of the device but, more importantly, from what it contains or has access to. For a fully locked-down corporate-issue device this is less of a problem, but times – or rather familiarity with, and appetite for, all things digital – have changed. Many people now have access to better technology at home than at work.

The growing use of technology is not only for fun, frivolity and Facebook, but also for managing other elements of lifestyle, shopping and household chores like paying bills. These are no longer conducted huddled over a beige PC hidden away in a study, but anywhere on anything connected to the network – TVs, tablets, smartphones and gaming gadgets.


Preferred choice

This has led to preferences, fads, style and image trumping the old techie favourites of functionality and features. Technology has become so affordable and accessible that users want to choose. Businesses are caught between the extremes of "allow anything" and "ban everything".

One way to retain control is to allow users to select from a list of popular consumer devices which the organisation has worked out how to bring under some element of corporate control, securing the organisation's assets while still allowing users their own space to do their own thing. This may be offered with some form of stipend, so users have a free choice but the purchase is partly subsidised – a shared ownership model.

The arrival of tablets has made this an interesting option for many organisations, but they need to tread carefully. What happens when devices break, or are lost or stolen? What is the process for upgrade, or when the employee leaves? Many companies might think they have already built up similar processes for managing their company car fleets and, to some extent, there are similarities with the open selection model that used to be prevalent in the IT industry. However, few companies cared what employees put in their cars; they might be more concerned about what they put on their shared-ownership mobile devices.

The ownership, responsibilities and liabilities of any network connections and ongoing contracts will also cloud this model. This is especially true for cellular contracts, when minutes and megabytes are paid as they are used, rather than in the all-you-can-eat bundles prevalent in Wi-Fi. Does the company pick up the tab for everything to ensure the economies of scale of corporate contracts, or leave it down to each individual to choose and potentially lose out on net benefits? Can the organisation bill employees for personal use and what does that mean for data? What are the tax implications?

Most importantly, is this sufficient to meet the BYOD challenge? The problem rapidly extends to employees bringing their own devices in addition to the one issued by the organisation. While there may be an argument that the arrival of the post-PC era is boosting sales of tablets, there is no single universal mobile device, nor is each new form factor completely replacing the older ones. Employees will carry mobile phones, tablets, notebooks, netbooks and so on, and expect any one of them at any time to be able to access corporate resources – at the very least e-mail. It is very unlikely that standard corporate-issue units will fulfil the entirety of employees' device needs.

So what should an IT manager do when an employee turns up with gadget X and asks to connect it to the network? Some would say it depends on the level or importance of the employee – CEOs wielding iPads being hard to refuse – but seniority should not be the overriding criterion, especially as senior executives access more sensitive information than juniors.

Refusal at any level is unlikely to be accepted in all but the most undemocratic work places, so the role of the IT manager is to balance access and functionality with caveats and consequences.

It is also unlikely that a single solution will be sufficient, but there are four 'P's that might be put to good use:

First, set some policy. It might seem overly bureaucratic, but every society needs some rules and boundaries, including the social set of mobile workers. Keep them simple, objective and well communicated. Ideally, get mobile workers to develop the guidelines so they are readily accepted and practical. Above all, ensure they can be universal. Policy around the use of personally identifiable data is expected by data protection law, whatever the device. Exceptions for CEOs and tetchy so-and-sos defeat the purpose.


There are plenty of different devices and ways to use them, but a poll of employees will quickly reveal a core set of key applications and most desirable devices. These are the ones to address: pick the top five or so, set them up in a secure fashion to meet business needs, and promote them to employees as the primary choices. These could even be offered as "free" to cost-centre managers, with further options available at cost (for example, anyone in your team who wants e-mail access on their own BlackBerry or iPhone can have it for free, but access to corporate calendars on Android devices will hit your budget).


Whether devices are employee-owned, corporate-sanctioned or only occasionally attached, it is vital that they are identified and managed. Mobile device management (MDM) tools and services are already being built to cope with both corporate and personal devices. These provide a solid grounding of network intelligence on which to enforce more robust controls and policies. Such tools can be installed on-premise or provided as cloud-based services, by suppliers ranging from boutique specialists to multinational mobile operators, so can be chosen to scale to any organisation. Having no form of mobile device awareness, or even the lightest-touch management tools, is no longer an option.


Individually owned and supplied mobile devices will continue to proliferate, and employees will not allow employers to take complete control of them. But organisations cannot expect employees to adequately protect or take care of even their own devices, and have to assume that all devices are unsafe and potentially compromised. The only workable way to keep control while still allowing employee choice is to project "bubbles" of secured corporate control onto the device. This extends the concept of the virtual private network (VPN) and can be delivered in any number of ways: virtualised sandboxes on the mobile device; secured gateways and enterprise app stores; or broadcast models such as those originally employed by network computers in the 1990s (and, further back, by dumb terminals in the 1970s and 80s).

The key for the organisation is to establish the differing levels of importance of its digital assets – the IT services and data – and what access and usage permissions to grant, based on the mobile context: user, device, location and time. Taking as the starting point that every mobile endpoint is completely insecure, policy – supported by appropriate tools – can dictate just how much to open up. Employees can bring their own devices, but the organisation can bring its own rules. Both sides should then be happy and – just as importantly – productive.
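As an added illustration of this closing point (example code written for this edit, not from the article or from Quocirca), the following Python sketch ranks assets by sensitivity and decides, for a given user, device, location and time, how far to open up: nothing at all, view-only through a secured gateway, sync into a managed container ("bubble"), or native access on a fully managed device. Hard denies are applied first, every device starts from an untrusted ceiling, and anything the policy does not recognise fails closed. The asset names, roles, permitted countries and hours are assumed values, not anyone's real policy.

```python
"""Context-aware access decisions for mobile endpoints (added example, not code
from the article or from Quocirca). Assets are ranked by sensitivity; the
decision is driven by user, device, location and time; every endpoint is
untrusted until policy opens something up; anything unknown fails closed.
Asset names, roles, countries and hours are assumed values.
"""
from dataclasses import dataclass
from datetime import time
from enum import IntEnum

class Sensitivity(IntEnum):
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    RESTRICTED = 3

class Access(IntEnum):
    DENY = 0
    GATEWAY = 1    # rendered through a secured gateway; nothing stored on the device
    CONTAINER = 2  # synced into a managed "bubble" (sandbox / workspace app)
    FULL = 3       # native access on a fully managed corporate device

@dataclass(frozen=True)
class Device:
    enrolled: bool        # identified and managed by the MDM service
    corporate_owned: bool
    has_container: bool   # secured corporate workspace installed
    compromised: bool     # rooted/jailbroken or failed posture check

@dataclass(frozen=True)
class Context:
    user: str
    roles: frozenset
    device: Device
    country: str
    local_time: time

ASSETS = {  # assumed asset catalogue
    "intranet-news": Sensitivity.PUBLIC,
    "email": Sensitivity.INTERNAL,
    "customer-records": Sensitivity.CONFIDENTIAL,
    "hr-payroll": Sensitivity.RESTRICTED,
}
ROLE_REQUIRED = {"customer-records": {"sales", "support"}, "hr-payroll": {"hr", "finance"}}
ALLOWED_COUNTRIES = {"GB", "IE", "DE", "FR"}
RESTRICTED_HOURS = (time(7, 0), time(20, 0))

def device_ceiling(d: Device) -> Access:
    """The most a device can ever be granted, from how well it is controlled."""
    if d.corporate_owned and d.enrolled:
        return Access.FULL
    if d.enrolled and d.has_container:
        return Access.CONTAINER
    return Access.GATEWAY  # anything else is only ever rendered remotely

def decide(asset: str, ctx: Context) -> Access:
    sens = ASSETS.get(asset)
    if sens is None:
        return Access.DENY  # unknown asset: fail closed
    d = ctx.device
    # 1. Hard denies come before anything is opened up.
    if d.compromised:
        return Access.DENY
    if not d.enrolled and sens > Sensitivity.PUBLIC:
        return Access.DENY  # an unidentified device sees public material only
    needed = ROLE_REQUIRED.get(asset)
    if needed and not (ctx.roles & needed):
        return Access.DENY
    # 2. Start from the device ceiling, then tighten by sensitivity and context.
    level = device_ceiling(d)
    if sens >= Sensitivity.CONFIDENTIAL:
        if ctx.country not in ALLOWED_COUNTRIES:
            return Access.DENY
        level = min(level, Access.CONTAINER)  # never held natively on a mobile device
    if sens == Sensitivity.RESTRICTED:
        start, end = RESTRICTED_HOURS
        if not start <= ctx.local_time <= end:
            return Access.DENY
        level = min(level, Access.GATEWAY)  # view only; data stays behind the gateway
    return level

def example_decisions() -> dict:
    """Constructed scenarios: the same asset opens up differently per context."""
    byod = Device(enrolled=False, corporate_owned=False, has_container=False, compromised=False)
    byod_ctr = Device(enrolled=True, corporate_owned=False, has_container=True, compromised=False)
    corp = Device(enrolled=True, corporate_owned=True, has_container=True, compromised=False)
    rooted = Device(enrolled=True, corporate_owned=True, has_container=True, compromised=True)
    ctx = lambda dev, roles, country="GB", t=time(10, 0): Context("alice", frozenset(roles), dev, country, t)
    return {
        "unenrolled news": decide("intranet-news", ctx(byod, [])),
        "unenrolled email": decide("email", ctx(byod, [])),
        "container email": decide("email", ctx(byod_ctr, [])),
        "container customers (sales)": decide("customer-records", ctx(byod_ctr, ["sales"])),
        "container customers (no role)": decide("customer-records", ctx(byod_ctr, [])),
        "corporate email": decide("email", ctx(corp, [])),
        "corporate customers abroad": decide("customer-records", ctx(corp, ["sales"], country="US")),
        "corporate payroll 10:00": decide("hr-payroll", ctx(corp, ["hr"])),
        "corporate payroll 23:00": decide("hr-payroll", ctx(corp, ["hr"], t=time(23, 0))),
        "rooted corporate news": decide("intranet-news", ctx(rooted, [])),
    }
```

Running `example_decisions()` shows the shape the text argues for: an unenrolled personal phone gets public material through the gateway and nothing else; the same person with a managed container on a personal device gets e-mail synced into the bubble and confidential records only in the bubble, never natively; a corporate device gets full native e-mail but is still capped to view-only for restricted payroll data, and only within business hours from a permitted country; a rooted device gets nothing at all. The ordering matters: denies are evaluated before any ceiling is computed, so a later rule can only tighten, never loosen, a decision.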

Rob Bamforth is principal analyst at Quocirca, focusing on communication, collaboration and convergence.
