Should You Allow Personal Devices on the Company Network?

Tablets and smartphones are necessary business tools, and an increasing number of employees want to retire their company-owned hardware, opting instead to work from their personal devices. And while organizations are skeptical about letting workers save corporate data on the same gadgets where they download their favorite Justin Bieber songs, this trend can lower costs and improve workflow.

There are risks, however, the biggest of which is opening up your business’ network to viruses, malware, and security breaches. There is also the issue of protecting a company’s authority over data if an employee quits. As a result, businesses are looking to security experts for help in developing protocols for the BYO practice. “It’s definitely a huge growth area,” said John Pescatore, lead security analyst for Gartner Research.

So how can an organization reap the benefits of allowing its employees to work on their own devices without compromising its network and corporate data in the process?

Benefits of Going Personal

Employees who use personal devices at work need fewer training sessions on using a gadget, which in turn enables them to begin working sooner. Employees are also generally able to purchase the newest and fastest gear at a much quicker rate than a business can. With better equipment, workers can increase their overall productivity.

For technology and web-oriented companies, allowing employees to use their personal devices can be seen as a plus for potential hires. And then there’s the reduction in corporate spending on new devices—although some companies will carry the cost over as a stipend for employees to purchase a new phone or other hardware.

Setting Guidelines

Before you let your employees connect to the corporate network, establish some basic guidelines. According to Leslie Fiering, research vice president at Gartner, many companies are not following this advice. And though some companies have policies in place, not all of these businesses are actively enforcing them.

Ultimately, a company’s policies on device use will determine its network’s susceptibility to viruses, malware, and security breaches, explained Vizay Kotikalapudi, senior manager with Symantec’s Endpoint Management and Mobility Group. IT departments should also take the additional step of educating employees about the risks and threats that come with ignoring those policies.

Guidelines should define which employees can use their own devices, the types of devices they can use, and which applications and data they can use or save on their devices, Kotikalapudi said. According to Brian Duckering, product marketing manager at Symantec, those rules directly impact the security measures a company can take against viruses, security breaches, and the loss of confidential information.

For example, Android and Apple devices require different levels of protection because their operating systems and app stores function differently. Apple vets each and every application in its App Store to prevent the spread of malicious code. Apps are also sandboxed, meaning they are unable to communicate with each other once they are installed on an Apple device, which ensures that a single app cannot completely take over an entire device.

The Android operating system, on the other hand, is open source, which means anyone can access or alter its code. Android apps also go through a less stringent vetting process, making the likelihood of encountering a security threat through the Android Market much higher than running into a similar problem with Apple’s App Store. “If you are going to go allow Android devices, you should have a much more robust security system in place,” Duckering said.

Overall, the types of strategies a company implements depend on the type of business it conducts. “The industries and regulations associated with those industries are going to dictate to a certain degree the things that you have to do versus the things that you choose to do,” Duckering said. For example, banks and healthcare providers, which deal with confidential personal data, need to develop tighter rules and require more control over data being stored on employees’ personal devices than manufacturing or retail organizations.

Protecting Your Network

Once employees attach their personal devices to a corporate network, it’s even more criticial to protect that network against viruses and other intrusions. “There can be a major denial of service because a user’s 13-year-old son could have visited an inappropriate website and infected their machine with a bot, which then gets onto the corporate network and can take as much as 30 days to clean out,” Gartner’s Fiering explained. Repeated security incidents can quickly overwhelm a support services staff.

IT departments and security experts look at the world in terms of managed and unmanaged devices, explained Scott Emo, head of product marketing at Check Point Software Technologies. Unmanaged systems are those owned by employees, and may or may not be loaded with any security software.

“Allowing an unmanaged employee device to access your network is a bit like getting unwrapped candy at Halloween. Because number one, you don’t know where it’s been, and it’s kind of risky to consume it,” Emo said. The first step is requiring employees to install (and regularly update) some form of anti-virus and anti-malware software.

VPNs and MDMs

Companies can also limit employees’ access to the corporate server by forcing them to connect to it through a virtual private network instead of connecting directly to the server. Signing into a VPN is generally a two-step process. It involves authenticating an employee through a username and password and the device they are trying to connect with by way of an electronic certificate check.

For the uninitiated, certificate checks are basically a network’s way of confirming that a device has been pre-approved by a company’s IT department to connect to the corporate network. Certificate checks can also determine if a device is running the correct operating system and the antivirus and anti-malware software required by an IT department. VPNs can also be used to limit an employee’s access to software that is not directly related to their job. For instance, software engineers wouldn’t be able to access a company’s financial software.

Similar policies can be implemented for smartphones and tablets through the use of a Mobile Device Management platform. MDMs such as McAfee’s Enterprise Mobility Management and Symantec’s Mobile Management can also be deployed to automatically enable or disable various device settings, force employees to use passwords to unlock their devices, block access to app stores, and lock a device’s camera.

Confidential Information

Personal and corporate-owned mobile devices run the risk of being lost or stolen. But unlike a corporate-owned device—which an IT department can quickly wipe when it is reported missing—an employee’s missing device is harder for a company to control. You would be hard pressed to find an employee who would willingly give his or her employer the ability to completely erase all of the files stored on a personal device.

“The lawyers are very nervous about this in particular because there is no case law,” Fiering said. Reports have already surfaced of employers deleting their employees’ data accidentally, and it’s just a matter of time before it becomes a serious problem for employers. There are, however, products available that can digitally mark corporate data, giving a company the ability to wipe their data from an employee’s device while still preserving the employees’ control over their own information.

This “containerization” of corporate information on an employee’s private device can also be used to deploy privacy and security protocols for corporate data, as well as control an employee’s ability to export corporate data from his or her device to another device, among other actions.

Such products as AirWatch’s Enterprise MDM, Mobile Application Development Partners’s Mobile Active Defense, and Verizon’s Managed Mobility Portal can also automatically distribute software to users’ devices, manage and track them, and enforce user policies. Most of the major MDM providers are platform-agnostic as well, meaning you can monitor one employee’s iOS device while also ensuring that your other employees’ Android phone is meeting all of your policy standards.

Get Started Now

Allowing employees to use their personal devices at work is an issue that many businesses will have to deal with in the coming months. “It’s a trend that is not going to lessen, Fiering said. “It’s a direction that the industry is going in.”

The best way to take control of the situation is to begin planning today. With the appropriate guidelines and a strong corporate strategy in place, companies will be able to reap the benefits of improved employee productivity and reduced spending without fear. But ignoring the issue now and playing catch-up later could prove costly and result in massive losses. “As a friend of mine use to say, pay me now, or pay me later, but pay me you shall,” Fiering said.

Daniel P. Howley
LAPTOP Senior Writer
A newspaper man at heart, Dan Howley wrote for Greater Media Newspapers before joining Laptopmag.com. He also served as a news editor with ALM Media’s Law Technology News, and he holds a B.A. in English from The Richard Stockton College of New Jersey.