
Five Commandments for Safe BYOD Adoption

DQI Bureau

Consumerization is a well-established norm in the enterprise and will drive continued transformation of IT models in the coming years. Employees want device choice beyond the ones stipulated by the company and, at the same time, want to be mobile and productive. Organizations are moving quickly to design strategies that allow flexible work styles through the bring-your-own-device (BYOD) concept.
Why BYOD?
BYOD empowers employees to choose their own computing device, such as a laptop, tablet, or smartphone, to get their work done. At the same time, it benefits organizations by increasing productivity with a workforce that is accessible all the time, reducing the cost of IT assets and maintenance, and enabling new-age work styles such as work shifting and flexible working.
BYOD comes in many forms, from the ad hoc use of personal devices to supplement corporate endpoints to replacing corporate-owned devices entirely. Whatever approach an organization chooses to take, a complete, well thought-out policy is essential for embracing BYOD without increasing risk. The lack of a structured BYOD policy leaves many organizations exposed to problems such as security gaps, compliance issues, and rising IT complexity.
Before embarking on their BYOD adoption journey, CIOs may consider the following best practices to ensure a safe adoption of BYOD:
Construct a Well Orchestrated BYOD Policy: The first step in enforcing a BYOD policy should be laying down a framework which can be implemented through the organization's web portal or intranet. This should be an open policy for which the IT team collaborates with various departments including HR and finance. However, the onus of this policy lies with the IT team, which needs to consider the following employee categorization while devising BYOD policies:
#1 New Joinees: to bring them onto the program as early as possible
#2 Employees with PCs/Laptops and Nearing their Refresh Cycle: to frame appropriate policies on what should be done with the PCs and laptops
The policy should also include aspects of authorization from superiors and other departments so that only the deserving employees will be involved in the program.
When an employee wishes to be part of the BYOD program, he/she should be able to send the request through a portal/intranet which reaches the manager. The manager can approve or reject the request based on the privileges earned, the nature of the job requirement, data security concerns, or a combination of all these.
The approved request can then be routed to finance to check whether there is the necessary budget to provide BYOD for the employee. When the request is approved, HR can provide compensation for the employee to purchase the device, or the organization can fix a stipend for employees who have already purchased devices and want to use them to access corporate information.
Adopt the Right Technology: Once the BYOD policy framework has been decided, the IT department should evaluate the different technologies for implementing BYOD. This technology selection will decide the types of endpoint devices that employees can bring. The selection process will largely depend on the availability of services and apps on BYOD devices and whether they differ by work group, user type, device type and network utilized. Once the technology is decided after analyzing the organizational requirements and priorities, including application landscape and access, the second step would be to invest in the right technology partner to set up the BYOD program.
Freedom of Device-Any Device, Anywhere: BYOD is about user empowerment. BYOD policies should allow people to use whatever type of device best meets their needs. However, depending on the technology, IT should lay down minimum specification criteria for OS and applications. A key advantage of BYOD is that it helps to reduce the management effort surrounding the endpoint device. It is better to let employees buy their personal devices rather than have the company arrange them, since this ensures there is no ambiguity in terms of ownership. It also ensures that each participant has a direct relationship with their vendor, which takes care of the situation when the device requires maintenance.
Security and Data Management: Security is the primary concern when an organization embraces BYOD. Confidential business information should reside on the endpoint only in isolated, encrypted form, and only when absolutely necessary. Multi-layered security should include granular, policy-based user authentication with tracking and monitoring for compliance; control over print capabilities and client-side storage; and mandated anti-virus/anti-malware software. Organizations are wary of the use of corporate data through the endpoint device when BYOD is implemented. This can be addressed in many ways.
IT should ensure that:
Corporate data is not allowed to reside on the endpoint device
Applications can be remotely killed in the event that the device gets stolen or lost
The endpoint device is properly authenticated before it enters the corporate network
The device has the latest version of the anti-virus software installed
Recently, desktop virtualization technology has received favorable adoption because of its inherent advantage of offering secure handling of corporate data. Since the data does not move out of the data center, IT need not worry about scenarios in which the device is stolen or lost. The device is just an access point; hence even if the device gets stolen or lost, the data will still reside in the company's data center.
In cases where data does need to reside on the endpoint, it can be protected through isolation, encryption and remote wipe mechanisms. To prevent exfiltration, IT can implement policies to disable printing or access to client-side storage such as local drives and USB storage. Participants should also ensure that anti-virus/anti-malware software is installed and updated on their endpoint.
End-user Induction
No BYOD program can be successful without end-user participation and training. There should be training videos that employees can access through the company's portal or intranet. The organization can also organize training sessions for end users.
