MDM

Implementing Cloud-Based BYOD Policies Safely

By Kerry Butters

BYOD adoption is on the rise in SMEs. Cloud based services have opened up businesses to the world of bring-your-own-device, allowing SME business managers to save internal spending by encouraging employees to use their own laptops, phones and tablets.

However, these devices are often only intended for personal use, not commercial. This means that they can be ill-suited to the security needs of your company and you may end up spending the money you thought you were saving on implementing new security for these phones. There are still plenty of benefits to a BYOD environment however, so the best thing we can suggest is that you familiarise yourself with the potential downfalls of a BYOD office and plan for them appropriately.

Increased Threats

Some SMEs have been struggling with the new threats presented by a BYOD environment, so it’s important to ensure that if you do adopt BYOD you have the security infrastructure to cope with it.

Using unofficial, personal technology can expose businesses to viruses of all types, especially when it comes to Android devices. If an employee makes ill-advised browsing decisions on their own time, or downloads a dodgy app, but is still networked to your business, this can have an impact on their workspace and beyond.

You can’t neglect security on personal devices. If anything you need to increase it. Personal devices will be exposed to public Wi-Fi, non-secure websites and various other threats. You should also consider the possibility of a device going missing outside of the office, and the implications of that if a device contains sensitive information.

Loss of Professionalism

There’s been a lot made of the fact that smartphones bring the office home with you, but the reverse can also be said. If someone is using his or her device for both personal and business purposes then it’s likely that at some point one world will bleed into the other.

That’s why a lot of SMEs are looking into cloud-based mobile device management software for personal devices. MDMs ensure that even though a device is used for both personal and business purposes, there is a clear divide between the two worlds. This acts as a constant reminder to the user that they should remain professional when logged into the business elements of their device.

Data Loss

Remote workers and BYOD employees may sometimes, either by no fault of their own or user error, delete important files from their device. I once had a colleague who accidentally deleted an entire year’s work of important documents that sent the department into a panic until IT managed to restore said files. We were fortunate that there had been a recent backup of our information that we could use. This is not always immediately possible within a BYOD office. Whilst services such as Dropbox and OneDrive provide you with cloud backup, these are not always ideally suited for corporate use. That’s why you might want to consider implementing a cloud-based MDM system or some similar system that regularly backs up remote devices and stores copies in a secure, centralised location.

Lost Devices

People can be more careless with devices which they consider to be theirs, which can in turn lead to important documents making their way into the public sphere when a device is misplaced. That’s why it’s imperative that any BYOD solution your company settles on should include the option to manually erase specific files from a secure, centralised location as long as the device is connected to the internet.

Correct Implementation is Key

A good network security solution should be easy to implement, simple to use and flexible enough to work on multiple platforms and operating systems. There are a number of businesses available who specialise in implementing cloud-based networks that will complement a BYOD device strategy without compromising the security of your business. Most of these are normally quite expensive, and could end up costing you more than what you’d save by going BYOD.

However, the MDM provider Meraki, recently acquired by communications giant Cisco, is a hugely competent system which provides a BYOD office with all the features that are needed to ensure that any company data on personal devices is comprehensively protected and backed up.

You would be right to wonder what the catch of such a comprehensive free service is. Fortunately, there’s nothing diabolical about the offer. Whilst Cisco Meraki’s MDM is an excellent resource, the company makes their money selling networking hardware. This, if anything, is beneficial to your business.

When the time comes to expand there will be no need to implement a new MDM system to work with your new infrastructure. Instead Meraki will slot right in, reducing down-time for your company and allowing you to move seamlessly into your next stage of growth.

Move Carefully

The BYOD office is a hot topic for SMEs. And rightfully so, it promises significant savings and improved worker engagement. However, there are also undoubtedly opportunities for things to go wrong along the way. That’s why it’s important that you consider the issues highlighted in this article, and give serious consideration to the implementation of a robust MDM system that’s capable of managing a whole range of devices running different operating systems.

This kind of caution will pay dividends. Moving too quickly could put your data and your company at risk.

BYOD: What Every Company Needs to Know

By Simon Randall

This in-depth look at BYOD and its increasing use in the workplace gives a great overview of what every company needs to consider when thinking about implementing a BYOD scheme. Whilst for many, security remains an issue, with strong policies and MDM software, BYOD is now completely manageable.

Bring your own device (BYOD) describes a situation where employees use their personal computing devices in the workplace. It’s employees using smartphones, tablets, netbooks etc., to access business enterprise content or networks.

BYOD also takes in software and services, as employees use cloud resources and other tools on the web in order to connect to the company intranet.

Benefits of BYOD

Familiarity with their own equipment, and the option to work flexible hours can lead to improved job satisfaction and increased efficiency for employees. As workers explore the technical capabilities of their phones and PDAs, organisations can reap the benefits of employee collaboration, through greater productivity and creativity.

BYOD can also provide cost savings. These range from initial capital expenditure, to on-going usage and IT helpdesk support, as employees invest in their own devices. Through extensive Wi-Fi networks, workers have access to back office infrastructure, regardless of their location.

 In today’s offices, BYOD is fast becoming the norm, rather than the exception.

The Downside

Allowing employees to use their own devices to access company information gives rise to a number of issues.

Primarily, the employee owns and, to some extent, maintains and supports the device. As such, management will have much less control, in comparison to equipment owned by the company.

In order to address this, companies need to enforce security policies at a device level, and protect intellectual property and customer details if that device is ever lost or stolen. Breaches of customer data can significantly affect trust and business relationships, which take time and effort to rebuild. It can also lead to large fines being imposed on a company that doesn’t enable encryption on the employee device.

Critical Issues

To comply with its data protection obligations, a business must have answers to some critical questions.

·         Who owns the device? In the past, the company owned the devices. With BYOD the devices are owned by the user

·         Who manages the device? Today it could be either the company or the end user

·         Who secures the device? Bearing in mind that the data carried on it is company-owned. Just because they personally own the device, a user can’t escape some accountability for this.

As an employer, you’ll need to address these BYOD issues before enabling employees to bring their own devices to work. For example, by:

·         Ensuring that work data won’t be merged with an employee’s personal data

·         Ensuring that non-employees (such as family members who use the device) do not access work data

·         Setting protocols for what happens when an employee loses a device or resigns.

Plugging the Leaks

Sensitive company data could find its way onto employee-owned devices in any number of ways. The following are most common:

1. When an employee adds his or her company email details to a smartphone. A personal device is now storing sensitive corporate data, as well as all the employee’s private information. If it’s an iOS or Android device, the employee will probably synchronise it with their personal computer.

2. Google Docs, file-sharing services like Dropbox, and the apps that work with them, such as Documents To Go or Quickoffice, represent another risk. Such services are sometimes blacklisted in BYOD set-ups.

3. Text and instant messages may contain sensitive information that could be unwittingly stored on a mobile device – especially if an attachment is involved.

4. Employees will often copy business information directly from a desktop or laptop to a smartphone. This is a convenient way to collaborate on the move but, of course, it also loads the mobile device with potentially sensitive data.

5. With many handheld devices supporting VPN software, remote access to corporate networks is increasingly common. Once connected via a VPN, a smartphone becomes a node on the internal network (with all the rights and privileges of its user), making it easy to copy sensitive data to the phone’s hard drive.

6. Many users don’t protect their phones with a PIN or password. All the information on the device is exposed to anyone who picks it up. And if the device supports remote access, the data on corporate servers may be vulnerable, too.

Security Policy

If it hasn’t already, your company’s acceptable use policy must be updated to embrace smartphones and tablets. You’ll need a clear BYOD policy, so employees connecting their devices to the company IT systems clearly understand their responsibilities.

Employees should be made to understand that their personal data (such as bank details, logons and private emails) needs to be secure – as does the business information on mobile devices.

An audit should be carried out on the types of personal data to be accessed, and the specific devices to be used.

A policy should also clarify who owns the data on the consumer devices, and what the users’ responsibilities are. It should require users to:

·   Register their personal devices before using them for company business

·   Notify the company if devices are lost or stolen

·   Protect their devices with a secure password

·   Only access the company network using an approved method, such as a VPN

·   Install (and regularly update) security software, like antimalware and remote-wipe applications

You may also want to restrict the sensitivity of information that employees can access on their devices. This is especially true if you have protectively marked data.

Overseeing Personnel

A multidisciplinary team should be formed to develop a co-ordinated BYOD policy. This should include IT, human resources and legal. Their aim should be to identify business objectives and benefits, while taking into account security, audit and data protection requirements.

A blanket ban on personal devices is unlikely to work. Employees may simply go underground – ending up unmonitored by your security policies.

The challenge your security officers face is to implement BYOD policies while reassuring your employees that Big Brother’s only watching in a benign way. They’ll be more willing to use their personal devices within the rules you set for them.

BYOD Checklist

A BYOD agreement checklist (PDF) from the Security for Business Innovation Council recommends the following:

·   Ensure that end users are responsible for backing up personal data
·   Clarify lines of responsibility for device maintenance, support and costs
·   Require employees to remove apps at the request of the organisation
·   Disable access to the network if a blacklisted app is installed, or if a device has been jail-broken
·   Specify the consequences for any violations to the policy
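One way to turn the user requirements listed under Security Policy and the checklist above into an automated network-access decision, shown as an added example that is not from the original article or from any MDM product. The device record fields, the blacklist entries, the 30-day update window and the split between "block" and "quarantine" are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Assumed policy values for illustration; not taken from the article.
BLACKLISTED_APPS = frozenset({"com.example.filedrop", "com.example.sideload"})
MAX_SECURITY_SW_AGE_DAYS = 30


@dataclass
class Device:
    """One record as an MDM inventory export might present it (hypothetical fields)."""
    owner: str
    registered: bool
    passcode_set: bool
    jailbroken: bool
    security_sw_updated: Optional[date]  # None means no security software installed
    apps: frozenset = field(default_factory=frozenset)


def violations(dev, today):
    """Return (hard, soft) lists of policy violations for one device.

    Hard violations are the ones the checklist says should cut network
    access (blacklisted app, jail-broken device) plus an unregistered device.
    Soft violations are user responsibilities that can be remediated.
    """
    hard, soft = [], []
    if not dev.registered:
        hard.append("device not registered")
    if dev.jailbroken:
        hard.append("device is jail-broken")
    banned = sorted(dev.apps & BLACKLISTED_APPS)
    if banned:
        hard.append("blacklisted app installed: " + ", ".join(banned))
    if not dev.passcode_set:
        soft.append("no password or PIN set")
    if dev.security_sw_updated is None:
        soft.append("security software missing")
    elif (today - dev.security_sw_updated).days > MAX_SECURITY_SW_AGE_DAYS:
        soft.append("security software out of date")
    return hard, soft


def access_decision(dev, today):
    """Map violations to a decision: block, quarantine (remediation only) or allow."""
    hard, soft = violations(dev, today)
    if hard:
        return "block", hard + soft
    if soft:
        return "quarantine", soft
    return "allow", []


def report(inventory, today):
    """Decision per device owner for a whole inventory."""
    return {d.owner: access_decision(d, today)[0] for d in inventory}


# Constructed sample inventory (not real data).
TODAY = date(2014, 3, 1)
INVENTORY = [
    Device("alice", True, True, False, date(2014, 2, 20),
           frozenset({"com.example.mail"})),
    Device("bob", True, False, False, date(2014, 1, 10)),
    Device("carol", True, True, True, date(2014, 2, 25)),
    Device("dave", True, True, False, None,
           frozenset({"com.example.filedrop", "com.example.mail"})),
]

if __name__ == "__main__":
    for dev in INVENTORY:
        decision, reasons = access_decision(dev, TODAY)
        print(f"{dev.owner:6} {decision:10} {'; '.join(reasons)}")
```
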

MDM

The mobile device management (MDM) market offers many integrated and standalone tools to manage sandboxed enterprise applications, corporate data containers, and secure web browser environments.

Some MDM products can be configured to collect and display location and call histories from corporate devices, but not BYODs. Such options emerged in response to privacy regulations and concerns across international boundaries.

By providing safeguards against the deletion of personal data from apps or content, MDM allows a company to extend BYOD to a much larger audience.

Multi-National Concerns

Many employers are reluctant to allow BYOD as a convenience, as they discover they’re not in compliance with some country’s regulations. Though rules vary from country to country, many require informed consent to access personal information.

This has led to enrolment processes that notify users about all possible MDM capabilities – whether employed or not. Customised “terms of service” then describe how the employer intends to manage the BYOD.

Employers must specify what information will be collected, what actions can be taken, and what workers must agree to in order to complete enrolment and gain access to business data and systems.

The ICO Guidelines

The UK Information Commissioner’s Office (ICO) recently published BYOD guidance for employers on how to comply with the UK Data Protection Act 1998. The ICO guidance cites data security as a prime concern for employers. Significantly, BYOD should not introduce vulnerabilities into existing secure environments.

Employers should consider the use of a sandbox or ring-fencing of data, e.g. by keeping data contained within a specific app. And if a device is lost, the data on it should be kept confidential, and retained via a backup facility.

In terms of data protection and security breach risks, the ICO guidance recommends companies consider the following:

·   Which type of corporate data can be processed on personal devices?

·   How to encrypt and secure access to corporate data

·   How the corporate data should be stored on personal devices

·   How and when corporate data should be deleted from personal devices

·   How data should be transferred from a personal device to the company servers

The ICO also recommends:

·   installing antivirus software on personal devices

·   providing technical support to the employees on their personal devices when used for business purposes

·   a “BYOD Acceptable Use Policy” providing guidance to users on how they can use their own devices to process corporate and personal data, making clear that corporate personal data may only be processed for corporate purposes.

·   Companies must inform employees of the extent of monitoring, and ensure they’re satisfied that the monitoring is justified by real benefits and does not unnecessarily infringe on privacy

Legal Implications

In terms of legal risk, losing employee or client data could result in a company breaching the UK Data Protection Act. This could leave the company vulnerable to legal claims brought by the employee or client in question, or a fine imposed by the ICO.

What the Government Also Says

As of September 2013, the UK government has issued security approval for public sector organisations to offer BYOD schemes for employees to access data and applications using their own smartphones and tablets.

The End User Devices Security and Configuration Guidance policy was issued by CESG, the information security arm of GCHQ. It follows numerous public bodies, such as local councils, in seeking to introduce BYOD schemes.

The guidance states that any mobile device must be returned to factory settings before it can be used to access government data. Also, the device must be able to be fully managed by the employing organisation throughout the life of its use for mobile working.

The policy also provides detailed advice for a wide range of possible products and operating systems. Devices using Android 4.2, BlackBerry 10.1, Apple iOS6, Windows 7 and 8, Windows Phone 8 and RT, Ubuntu 12.04, OS X 10.8 and Google ChromeOS 26 are all on the list.

CESG recommends 12 security controls that need to be considered, including:

·         in-transit and at-rest data assurance

·         authentication

·         secure boot

·         application sandboxing

·         whitelisting apps

·         malicious code detection and prevention

·         an incident response plan for security issues such as lost devices

Geo-Fencing

Geo-fencing is the process of combining current location with BYOD policy. Disabling cameras on mobile devices when they are inside high-security areas would be an example.

Geo-fencing has been used in education, to enforce policies that prohibit taking pictures of students or require secure web browsing on campus. Similar measures have been put in force for retail environments.

Using GPS technology, geo-fencing can be applied in cases where it’s helpful to re-provision a device based on its location.
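A sketch of how a location fix can be mapped to device restrictions such as the camera and secure-browsing cases mentioned above. This is an added example, not code from the article or from any MDM product. The circular fences, the coordinates, the restriction names and the 120-second freshness limit are assumptions, as is the choice to apply every restriction when the fix is missing or stale.

```python
import math
from dataclasses import dataclass

EARTH_RADIUS_M = 6_371_000.0
MAX_FIX_AGE_S = 120.0  # assumed limit: older fixes are treated as unknown location


@dataclass(frozen=True)
class Fence:
    """A circular geo-fence and the restrictions that apply inside it."""
    name: str
    lat: float
    lon: float
    radius_m: float
    restrictions: frozenset


@dataclass(frozen=True)
class Fix:
    """A GPS reading: position, reported horizontal accuracy, and age."""
    lat: float
    lon: float
    accuracy_m: float
    age_s: float


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points given in degrees."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def active_restrictions(fix, fences):
    """Return the set of restrictions to enforce for this fix.

    A fence counts as entered when the device *could* be inside it given
    the reported accuracy, so an imprecise fix near the boundary is
    restricted rather than trusted. With no fix or a stale one, every
    fence's restrictions apply (fail closed).
    """
    fences = list(fences)
    if fix is None or fix.age_s > MAX_FIX_AGE_S:
        return frozenset().union(*(f.restrictions for f in fences))
    active = set()
    for f in fences:
        distance = haversine_m(fix.lat, fix.lon, f.lat, f.lon)
        if distance - fix.accuracy_m <= f.radius_m:
            active |= f.restrictions
    return frozenset(active)


# Constructed fences: a campus with a smaller high-security area at its centre.
FENCES = [
    Fence("campus", 51.5000, -0.1000, 500.0, frozenset({"secure_browsing_required"})),
    Fence("high-security area", 51.5000, -0.1000, 100.0, frozenset({"camera_disabled"})),
]

if __name__ == "__main__":
    samples = {
        "precise fix, about 111 m from centre": Fix(51.5010, -0.1000, 5.0, 10.0),
        "same spot, 20 m accuracy": Fix(51.5010, -0.1000, 20.0, 10.0),
        "off campus": Fix(51.5100, -0.1000, 5.0, 10.0),
        "stale fix": Fix(51.5100, -0.1000, 5.0, 900.0),
    }
    for label, fix in samples.items():
        print(label, "->", sorted(active_restrictions(fix, FENCES)))
```
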

Other Real-world Applications

One way to restrict the flow of corporate data onto employee devices is to use technologies like Microsoft’s ActiveSync. Users can manage their mail, contacts and calendars without a direct connection to the corporate network.

Instead of allowing BYODs to access core network resources, employers can selectively publish enterprise data to new mobile apps. Users get the data they need, while the company ensures it can be accessed securely and wiped quickly and easily if necessary.

Selective wipe – deleting only corporate settings, data and apps – can protect business assets while leaving personal data and settings intact. Users must agree to give IT some control. For example, if a device goes missing, calling in first so that the phone can be wiped, before calling the provider.

Image: Michael Coghlan

The Truth about BYOD

By Simon Randall

5 Top Tech Trends for 2014

By Simon Randall

Yup, it’s that time of year again when we all speculate on what’s going to be hot this coming year in the world of technology and what’s on the way out. As the majority of our readers already know, technology moves at an increasingly fast pace, so let’s have a look at what we can expect to be hearing more about in 2014.

#1: Mobile

OK, so this isn’t a trend on its own; mobile has been evolving rapidly over the past few years and is now well integrated into working practices and the enterprise. We’ve seen BYOD rise in popularity, and with it have come concerns and issues around security. This means that this year, we can expect to see movement in:

·         Mobile Device Management (MDM) Solutions

·         Mobile Apps

According to Gartner these will continue to be important through to 2018 as: “the growing variety of devices, computing styles, user contexts and interaction paradigms will make “everything everywhere” strategies unachievable.”

The use of MDM solutions is critical to managing BYOD and it will be vital for organisations to develop strong user policies and ensure employees are fully aware of how they can use their device for work and when on the company network. To this end, Gartner recommend that firms “[b]alance flexibility with confidentiality and privacy requirements”.

With regard to apps, HTML5 will enable better usability and it’s necessary for firms to start thinking in terms of device development when it comes to any redesign.

#2: Embracing the Cloud

As PC sales continue to plummet, not only does it add to the above trend, but it will mean that many consumers will really begin to connect with cloud technology. Of course this relates to storage for the average consumer and perhaps more use of SaaS services.

Saying that, the growing use of IaaS in the enterprise is something that is also likely to take off even more in 2014, as server sales slow and more companies turn to the data centre in order to supply many of their IT needs. Of course, this doesn’t mean that the company intranet will cease to exist, but some of it will be hosted in the cloud, especially when it comes to smaller businesses.

#3: The Internet of Things (IoT)

This is already becoming a big buzzword for 2014 and basically refers to how the internet will begin to power everyday devices that can be found in the home and whilst ‘about town’. According to a Business Insider report published in January, the IoT market is going to be “massive”. It’s thought that there are around 1.9bn devices in use today and this is expected to rise to 9bn by 2018. This “will be roughly equal to the number of smartphones, smart TVs, tablets, wearable computers, and PCs combined”.

#4: 3D Printing

Gartner predict that global shipments of 3D printers will grow by a huge 75% in 2014 and will double again in 2015. The market is growing quickly and whilst 3D printers were out of the price range of many businesses, they now retail for anywhere between £500 – £50K. The use of 3D printers is likely to be seen in organisations that develop any kind of prototype, architecture and more. This allows for reduced costs when conducting research and development projects and the ROI has the potential to be significant when it comes to streamlining manufacturing processes.

#5: Wearable Technology

It could be argued that this is ‘last year’s news’, what with the introduction of the Samsung Galaxy Gear and similar devices. Apple are also expected to join the fray and there’s talk of wearable video coming soon, not to mention Google Glass, which can be controlled with a wink.

It’s also thought that these devices will talk to each other and existing tech, such as your PC and tablet and, of course, some of the health-related devices that measure your heart rates, steps and fitness levels are already doing well on what is set to become a very lucrative market.

The great thing about technology is that it’s never dull. There are always some exciting new innovative ideas and products appearing and it makes business increasingly easier to manage. This means that companies have the ability to become more agile and increase revenue, whilst maintaining excellent customer relationships through CRMs, CMSs and other intranet resources.

Preparing a Business Case for BYOD

By Simon Randall

It’s fair to say that technology has evolved in such a way that most businesses and individuals can no longer do without it, and in recent years, relatively new technologies such as the cloud are helping to push the consumerisation of IT into becoming the norm.

This has led to an increasing trend across enterprises to implement a Bring-Your-Own-Device scheme in which the employee uses their personal devices to access the company network. This means that there are also increasing concerns surrounding security, especially when the cloud is also added to the mix, although many of these concerns are unfounded, to some extent.

The cloud in particular tends to be more secure for smaller businesses than on-site networks, as small businesses tend not to have decent disaster recovery plans in place, or robust enough backup procedures. On the other hand, cloud is often based at a data centre, where all of the data is easily backed up and in the event of hardware failure, it can be easily routed to another part of the network.

That’s not to say that it’s the right solution for all businesses though, just as BYOD schemes might not be. Whatever the case, if you’re thinking about putting such a scheme in place, it’s wise to first look at the options and your reasons for wanting to.

Liaise with IT

If you have an IT department, then they need to be in on it from the planning stage right up to implementation. If you don’t and use an IT support consultancy, then head to them first to seek advice.

Think about:

  • The business case & ROI

  • Which devices you will allow

  • How the devices are used on a personal level

  • How the devices will access the network

  • How you are going to manage said devices

  • What impact BYOD will have on security

BYOD carries numerous benefits to the company, such as less need for capital expenditure and better collaborative practices which in turn lead to increased productivity and potentially, an increase in revenue.

Analysts at Forrester Research state that there are four key considerations when making a case for implementing a BYOD scheme.

  • The company’s overall goals

  • When the BYOD scheme will impact various business units

  • Which processes need to be modified in order to accommodate BYOD

  • How long it will take to achieve potential benefits

This means that in the first instance, it’s necessary to look at justification on a financial level, paying attention to all of the resources which may be necessary for the scheme’s success. This means that in order to justify the need for BYOD, the company will have to come up with a report on the following:

  • Network infrastructure: every time a device is added you will have to create a new connection to the network, so you will need to look at whether the current network can support this.

  • Supported platforms: Apple devices are popular and more secure than Android but the latter are hugely popular choices for many on a personal level. You will need to price in the monthly licensing costs for a mobile device management (MDM) solution and possibly, some additional security solutions to address the variety of supported devices.

  • Software licensing: As well as MDM software, you will need to think about licensing for the products that your employees might use, such as MS Office and other applications as well as maintenance.

  • Physical resources: You will need to assess if you currently have the resources when it comes to IT staff both internally and externally and if this will need investment in order to support the scheme.

  • Security: This will have to be assessed and solutions put in place to protect the network and sensitive data.

Potential BYOD benefits

In order to prove ROI to the finance department, you will need to look at exactly what implementing a BYOD scheme can do for the business. It’s pretty much a proven model now, so this shouldn’t be too difficult, but let’s look at a couple of benefits that affect the majority of businesses.

  • Enhanced productivity: This is the most widely reported benefit, as it’s been found that employees that use mobile devices at work are better communicators, as they can collaborate effectively and efficiently at any time, from any place with a connection.

Employees are happier in their work, which also increases productivity, and they can connect quickly with clients and colleagues, no matter where they are in the world, in real time. This means that rather than sitting around waiting for documents to be couriered over, or email to come through, everything gets done that much quicker.

  • Less capital expenditure: This isn’t always the case, but for the most part employees that use their own devices won’t need access to high-end machines at work. However, this is very much dependent on individual scenarios and the size and location of the network (on-premise or in the cloud).

  • Increased revenue: Again, this depends on the company, but let’s imagine a scenario where a company has a sales team out on the road. Using his own device, a salesman can close a deal there and then, without the need to go back to the office to do the paperwork, enter it onto the system etc., which in turn means that the sale is more likely to stick.

It also means that sales staff can manage their own accounts and complete paperwork on the fly, increasing their productivity substantially. This could lead to an increase in revenue as the sales person increases the number of accounts they can manage.

Further considerations

Once you’ve looked at the ins and outs of putting BYOD in place, you’ll also need to think about policies and this is something that gives many a CIO a headache. Yes, they are personal devices but they also connect to a business network so it’s vital that employees know what they can and can’t do.

For example, an employee might enjoy playing games on a device or social networking; however, you may not want him to download apps that might compromise the security of the network. This can be managed with the MDM, but it’s wise to ensure that workers know what they can and can’t access when using the device for work.

It’s a fine balance, as you want users to be able to have an experience which isn’t too intrusive, but at the same time, you have to consider security. Too intrusive an experience and productivity will be affected, which then impacts the business case, so if the solution is going to have a huge impact on usability, then perhaps you need to reconsider.

Think about the use of corporate apps in order to overcome this, such as file sharing apps that are business grade rather than consumer, Dropbox being an ideal example of this. However, putting sound policies in place should overcome many of these concerns.

According to Gartner, half of all employees will be using BYOD by 2017 and it’s something that carries a strong case for improving many aspects of a company. In fact, “[e]xpanding access and driving innovation will ultimately be the legacy of the BYOD phenomenon,” said Gartner’s David Willis.

“However, the business case for BYOD needs to be better evaluated,” he continued. “Most leaders do not understand the benefits, and only 22 percent believe they have made a strong business case. Like other elements of the Nexus of Forces (cloud, mobile, social and information), mobile initiatives are often exploratory and may not have a clearly defined and quantifiable goal, making IT planners uncomfortable. If you are offering BYOD, take advantage of the opportunity to show the rest of the organization the benefits it will bring to them and to the business.”

Bearing this in mind, perhaps you shouldn’t be asking yourself if your company can afford BYOD and should be asking if it can’t.





