BYOD: The great small biz security headache
The great reseller opportunity
After surveying more than 1600 IT professionals late last year, the analyst firm Freeform Dynamics concluded that the consumerisation of IT is a real thing, and it is not just down to those pesky young people and their shiny iPads.
Company founder Dale Vile says the trend is driven not just by the so-called digital natives, but by more senior staff who have the disposable income to afford cool devices, and the seniority to override rules and use them at work if they want to.
IT staff are the most likely to want to use their own kit, but the senior and mid-level management, people Freeform dubs “high contributing employees”, are also keen.
These people are a double threat to security. They are senior enough that saying “No” to them is a difficult option, but they are also likely to have access to just the kind of data you most want to protect: confidential sales projections, business strategy or sensitive IP, perhaps.
"The risks of not managing it are real," warns channel player Phydos Neophytou. “If you have corporate data on a device and it is lost or stolen – that data is compromised. If an individual leaves, taking their device with them, you also risk losing the data that way. You have no idea what is on a device, you could have valuable data just walking out the door. If you can manage access to data in the first place, or have the ability to wipe a device, that puts you back in control.”
Neophytou and Vile have experience of the Bring Your Own Device (BYOD) phenomenon from the other side of the table.
If it moves, encrypt it!
Dale Vile says the answer for him was encryption on everything. “You have to think about how you want your employees to be using the devices. It might be that locking it all down is the most straightforward way of dealing with the problem,” he told us.
“There is nothing new under the sun. Small companies have been dealing with BYOD for ages. It is just that the mobile devices are getting so much smarter. You need to manage this with a policy. You have to say yes, you can bring your phone in, you can access email and documents, but only if you let us encrypt it, or you run this software on it.”
Neophytou recently took his firm Caretower, a London-based IT security provider, through the process of implementing a BYOD policy. He describes it as a useful learning experience: “We find the so-called digital natives [young folk] are using their own kit more and more, so we had to put a policy in place. It means we’re in a good position to be able to offer advice based on our own experience; we can recommend the security products, but also help on building policies.”
Now, he says, his advice to clients is to work in three stages: “First, you have to decide if you are going to allow it. Then you work out how you are going to manage it from a tech and policy point of view. After that, you need to work out how you run the remuneration side of things.”
Back off - it's mine
Lack of information
When Caretower started work on the policies, they spoke to various employment organisations for advice, but time and again, the advisors came up short. That lack of information is a theme picked up by other analyst houses.
Gartner, although focused on the enterprise space rather than SMBs, notes particularly that companies might lack the proper organisational structure to develop and implement policies to manage the influx of unofficial gadgets.
Smaller firms could at least be more agile in their response to a changing landscape, but they will also need help writing and enforcing policies.
It makes sense for firms to seek advice from their IT partners on this. There are plenty of products out there that can help you manage who has access to what data and from which device, but working out how they are best applied is more of a challenge.
Gartner is clear, too, that the issue is not technical. It holds that legal considerations are likely to drive policy decision making.
BYOD ends up being a more expensive option
And what of employer-funded devices? Can you save cash by letting people buy their own technology? The short answer, according to Vile, is no.
He says that the regulatory environment in the UK just isn’t cut out for BYOD. Not in the same way as the US, with an employer subsidising a purchase. “You lose the economies of scale, for a start. Then you have to pay employers NI on the device, employee NI. Then the device is seen as a benefit and taxed. It ends up being a more expensive option.”
He says that when Freeform investigated that kind of scheme, they found it would end up costing them one-and-a-half times as much per device as if the company continued providing laptops.
Headache for small firms
Ben Gower, MD of Perspicuity, a Microsoft reseller, agrees: “We’re not seeing much of it in small firms, largely because it is still too much of a headache to implement. HR, tax and other business integration issues make what ought to be a really good idea very cumbersome to implement,” he told us. “I can see it happening with phones, though. Lots of SMBs see smartphones as very expensive items now, and lots of people will already be bringing their own.”
Breaking down official and unofficial device use by type, the Freeform Dynamics research found just about every form factor represented, with smartphones of every fruiting variety, but particularly Android and BlackBerry, featuring consistently.
PCs and laptops also show up on the unofficial side of the chart, indicating that users really are logging on from home and accessing data.
One way of dealing with the security threat, Gower argues, is to go into the cloud. “If you’re cloud based, you can access data locally, but the data is held centrally, so when you log off, the data goes too.”
But this is really an extension of the same theme: it is about how you manage access to data.
And let's not lose sight of the revenue opportunities that BYOD brings to IT security resellers. “End point security is going to shift to the mobile phone,” Neophytou says. “It is a great opportunity to start a conversation with a customer.” ®