Advisory Note: BYOD - 70335

Bring Your Own Device (or “BYOD” for short) may seem like the latest hype, but in fact it isn’t really all that new. Employees have been bringing their smartphones or iPads to work for quite some time now, mostly with their employers’ explicit (or at least implicit) consent. And ever since, IT departments have been worrying about losing control and how to halt the spread of privately owned mobile devices. Sadly, they are missing the point. They need to accept that smartphones and tablets are a fact of life in the networked economy, and that they are poised to proliferate far quicker than corporate IT departments can follow by adopting their new management tools. Instead of trying to stick their fingers in the dyke, IT professionals should concentrate of information security and accountability; things that are well within their reach even today.

Any viable BYOD strategy must cover all types of devices and operating systems. Any attempt to limit yourself to certain types of devices will automatically lead to a dead end; users will simply bring their own devices from home and there is now way IT can stop them. Yes, IT can block access to corporate networks and information, like it is done sometimes today. But over time, such a policy of locking your own people out will just not work.

BYOD will lead to a fundamental shift in areas such as desktop management, endpoint security man-agement, and information security management. Since users will increasingly choose to access corporate applications and information from their own, uncontrolled devices, IT departments would be well advised to follow an information-centric strategy versus the traditional, device-centric approach to security.

The best way to limit the risks of BYOD is to define clearly which information can be accessed by whom and under which circumstances, and then to make sure these policies are monitored and logged. And yes, some information should not be made available on BYOD devices. Enterprises and organizations must focus on technologies that best provide information security in a BYOD world and then execute on them as quickly as possible.