BYOD Strategy Should Start With Data-Centric Security

It's human nature that when confronted with something new, we try to deal with it as though it's something we already understand. And the longer we've done something a certain way, the harder it is to adjust. My current car has keyless entry and ignition--you just push buttons. I've had it for a while now, but if my mind is the least bit preoccupied as I walk up to the vehicle, my reflex is to pull keys out of my pocket. Likewise, understanding new mediums takes time. If we had called radio "phonograph as a service," we would have missed much of the interactive potential.

It's not surprising then that as consumerization becomes the norm and more employees bring their own smartphones and tablets into the workplace, IT's first reaction is to treat these devices just like the ones they're used to dealing with--the ones the company purchased.

Understandable or not, if "your device is now our device" is the approach your team is taking, you need to rethink things.

It's tempting to paint all devices with the same brush. The justification goes something like: "We have a policy that everyone can understand; it's fair and serviceable." However, when it comes to gear that IT doesn't own, it's a risky strategy.

[For more advice on protecting data, see InformationWeek's research report on mobile device management trends and technologies.]

How will you deal with the irate user who had unique personal data on that device, until your team accidently remotely wiped it or sent a software update that blew away non-company content? Do you really want responsibility for unarchived irreplaceable family pictures, or bank records, or the office fantasy football pool, or whatever? Telling the user he should have had a backup won't get you far. It certainly won't win you the admiration and respect of your coworkers, and inevitably, somewhere, sometime, lost personal data will lose someone a lawsuit. Managing devices you don't own is a risk you shouldn't be willing to take.

When a device is owned by the company and workers clearly understand what data they should and shouldn't keep on it (because you have well written policy and it's been well communicated), any loss of personal data on the part of the employee can fairly be assigned as the employee's own risk. When an employee owns the device, the implicit contract is different--unless the employee explicitly bought the device for use at work. That's going to be less and less the case.

What most employees want is one device (or potentially one set of devices) to carry around. They can understand the need for work-only laptops. And they can understand why the company might not want to buy tablets, even though many people find tablets useful in their work. But they don't want two phones. And, what they won't understand, and shouldn't accept, is the company's insistence on managing personal devices as though they are company devices, including device management software that implements among other things, complex password policies and remote wipe capabilities.

And yet that's what many IT teams are doing, mostly because they've conflated "device management" with "data security." They do this sometimes because of poorly thought out compliance requirements, and in other cases because they themselves haven't thought it through.

The thing is, device management and data security have never been the same thing, and in this era of BYOD, they really need to be treated as completely separate issues.

Device management is something IT does for its own benefit to economically ensure delivery of apps to its constituents. When it's not the company's phone or tablet or laptop, that's no longer IT's problem. But appropriately securing sensitive data always is.

The good news is that, as it pertains to most employees in most industries, a better solution is easily achievable and won't cost you anything other than some training--an investment you should already be making. First, data should be protected at its native-use level. Got a spreadsheet of employees and proposed raises? Put a password on it. Keeping lots of personally identifiable information for business purposes? Encrypt it, make it very hard for that data to walk out the door, and consider making anonymized versions easily available. But the biggest and most important thing that IT must do is to stop viewing its customers as the problem and start viewing them as the biggest part of the solution. Educate your users. Make them aware of the ways they can access and use data safely, and how they should protect sensitive information. Well-meaning but uneducated users are your biggest risk. So teach them, and make them your biggest asset.

Art Wittmann is director of InformationWeek Analytics, a portfolio of decision-support tools and analyst reports. You can write to him at [email protected].

To find out more about Art Wittmann, please visit his page.