Feeds

BYOD: A bigger headache for IT bosses than Windows Metro?

Your survival guide to giving users what they want

Next gen security for virtualised datacentres

Be honest: Who is in control of your workplace IT? You or the user?

The severity of these risks varies with the business and the laws governing the jurisdictions in which they operate. Most clandestine IT deployments are - at their heart - an effort by employees to bypass company policies and procedures they feel are too restrictive. In some cases (I'd argue in most cases) it is simply a desire on the workers' part to feel that they have a sense of control. This can too easily get mixed up with a feeling that IT policies exist only so that some management types can justify their existence.

For others, it is the belief - accurate or not - that the ability to use their preferred service, software or device will make their job easier. As soon as this happens, corporate information moves beyond corporate control. The lost employee iPhone could contain millions of credit card numbers; the lost Surface tablet, an entire province's medical records.

Vulnerability to malware or even physical access attacks are greatly increased with a personal device over corporately controlled units. The effectiveness of centralized antivirus and mandated unlock passwords evaporate if users start walking around with unmanaged endpoints.

Beyond the obvious headline-grabbing security and privacy risks lurk far more mundane threats. Document retention legislation could result in serious fines if critical business communication begins occurring outside of corporate retention mechanisms. Regulations such as Sarbanes-Oxley and certifications including PCI compliance require certain levels of corporate security be applied to various bits of corporate information.

Industrial espionage is a lot harder to prove if information access occurs outside audited systems. Gaffes and mistakes can present an unprofessional corporate image. Is your salesman communicating with clients from his personal Gmail account? Is such communication purposeful, or did he mean to select the corporate account in his mail client but forgot?

Four ways to grab the reins

There are three basic approaches to dealing with the consumerisation of IT. The first (and often the instinctual) response is the Fortress IT approach: introducing or reinforcing policies forbidding the use of non-approved devices, software, or services. This is typically followed by a vicious crackdown, "education" of users and firings. The odd legal action against an employee for emphasis is periodically employed.

Digital natives don't seem to take particularly kindly to this approach. Unless there is an exceptionally good reason to be working at your company, Fortress IT will result in nothing except the assurance that you will not attract tomorrow's best and brightest.

The second approach, diametrically opposed to the first, is embracing the chaos. Far more popular among small businesses than large, this approach relies on training and trust in employees to treat corporate data with respect. It is typically enacted with fixed allowances for devices and paired with complete freedom for the employee to choose what they wish to use. If the user wants a better device than the corporate allowance, they must stump up the extra. Issues of who owns the device if the employee leaves before three years are common.

While companies using this approach are generally less carpe diem regarding software and services, they have far more open policies than other approaches. The focus of companies embracing the chaos is giving employees the tools they need to do their job. This comes with an implicit acknowledgement that the subject matter experts - the employees - are in a better position to determine what those tools are than management or IT.

Embracing the chaos requires understanding and clearly communicating the risks data loss pose to the company. Above all it requires honesty and trust by both the employer and the employee.

The third approach to coping with the consumerisation of IT is "Deploy Desired Devices" (DDD). The DDD approach relies on accepting that in any instance where we are dealing with employees who are not completely interchangeable, the "least cost" approach to IT has been a failure.

Instead of deploying rickety $400 Acer specials whose performance hasn't changed since the line was introduced six years ago, the DDD approach would require deploying hardware, software and services that people actually want to use. Instead of forcing a Blackberry or a Windows Phone on an employee, options are expanded to include desirable devices such as Android phones or iPads.

The DDD approach requires that companies talk to their staff, find out what people want to use, and why. It requires moving from supporting the smallest possible range of devices, software, and services to embracing "the new" even if that includes Apple in the enterprise.

There is also an implicit fourth approach: pretend that the consumerisation of IT isn't happening. Doing nothing is its own approach. It is even potentially valid if clandestine IT has not yet started it's inevitable infiltration. In the long run the "doing nothing" approach will ultimately fail.

Each approach will bear a cost. Clamping down on your staff will result in either high turnover or in having to provide alternative incentives for staff retention (pension plans, etc). Embracing the chaos requires true jack-of-all-trades systems administrators with a wide range of experience. And those are expensive.

DDD can be accomplished with existing support staff, but requires a corporate attitude of not skimping on the digital tools of the trade. Doing nothing is a gamble that will lead inevitably to data loss and possibly expensive legal concerns.

Still, it's not as bad as all that

Controlling a heterogeneous environment or doing testing on new software or services has traditionally been difficult and expensive. Vendors are aware of this. As demand for new technology has increased so too has the ease of meeting those demands.

Mobile device management software has come a long way. Popular enterprise endpoint management software now regularly supports Apple and even Linux. Virtualization allows the creation and destruction of test environments with ease. RDS, VDI, and ThinApp-style technologies allow the delivery of corporate applications or entire managed environments to unmanaged devices. Cloud aware inventory software is increasingly capable of tracking and monitoring clandestine IT.

The tools and resources necessary to support a broader range of devices, software, and services are becoming commonplace, even if the manageability of some devices lags behind.

Excepting in exceptional circumstances, "it's too hard" is no longer a valid excuse for failing to set policy regarding the consumerisation of IT. We have the technologies required to deal with this issue. What remains is choosing whether or not to acknowledge the reality of it, and what approach your business will take. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
6 Obvious Reasons Why Facebook Will Ban This Article (Thank God)
Clampdown on clickbait ... and El Reg is OK with this
No, thank you. I will not code for the Caliphate
Some assignments, even the Bongster decline must
Kaspersky backpedals on 'done nothing wrong, nothing to fear' blather
Founder (and internet passport fan) now says privacy is precious
TROLL SLAYER Google grabs $1.3 MEEELLION in patent counter-suit
Chocolate Factory hits back at firm for suing customers
Mozilla's 'Tiles' ads debut in new Firefox nightlies
You can try turning them off and on again
Sit tight, fanbois. Apple's '$400' wearable release slips into early 2015
Sources: time to put in plenty of clock-watching for' iWatch
Ex-IBM CEO John Akers dies at 79
An era disrupted by the advent of the PC
prev story

Whitepapers

5 things you didn’t know about cloud backup
IT departments are embracing cloud backup, but there’s a lot you need to know before choosing a service provider. Learn all the critical things you need to know.
Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Backing up Big Data
Solving backup challenges and “protect everything from everywhere,” as we move into the era of big data management and the adoption of BYOD.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?