We are a society that knows no bounds. Technology has propelled us into a state of omnipresence and an intense desire for omniscience via channels such as Twitter, Facebook, LinkedIn, Instagram and a plethora of other social media. The rise in the number of millennials entering the workforce – the first of whom have now reached their 30s – is already posing a challenge to traditional work practices. These gen Y folks, representing one of the fastest growing segments in today’s workforce, have been exposed to a rapid evolution in technology as they grew up. The next generation, known as the pluralists or gen Z, is also coming of age; and it’s not unusual for these kids to be reading e-books on Kindles at primary school. Baby boomers and those belonging to gen X are trying to keep their feet on the ground amidst the technology explosion and learning to understand the ways of the next generation.
Given this state of play, it is critical to understand the nature of the workforce when organizations formulate and implement BYOD policies. The main dilemma that security experts are now facing is how to implement a long-term BYOD strategy in line with strategic business priorities when competition for acquisition and retention of talent is fierce.
According to Gartner, CIOs in 2013 rated ‘mobile technologies’ as their number 2 technology priority. Coupled with their business priorities, which include ‘reducing enterprise costs’ and ‘attracting and retaining the workforce’ at numbers 7 and 8 respectively, this proves how critical it is for them to implement BYOD policies that work in their favor, with minimal risk of security breaches, while achieving their business and technology objectives. However, this wish list is a double-edged sword that requires careful planning after a thorough audit of workforce demographics.
We have entered an era where presidential campaigns are won and lost based on market segmentation and the strategic use of social media and its reach. A blanket BYOD policy that enforces a ‘one size fits all’ edict by blocking or limiting access to social media or the Internet is not going to win an organization talent, let alone loyalty. Any policy that sounds like a Biblical commandment of ‘thou shalt not’ will be resisted by the tech-happy millennials, who are profiled as outspoken and very comfortable with the prospect of changing jobs many times before they settle into the one they like. Consumerization of IT is real, and it is not only here to stay but will grow in both size and scope. So how can an organization manage the generational divide when creating BYOD policies?
Treat them like adults
The old adage of ‘you reap what you sow’ is extremely pertinent in this case. Never lose sight of the human element when setting policies. The gen Yers are adults, have been for some time, and expect to be treated as such. They are desperate to make their mark in this world. Before any policies are designed and enforced, it is therefore important to consider getting the employees involved in the process to gain their buy-in. Unlike the gen Xers, who are independent, self-sufficient and used to the enforcement of policies, the gen Yers like to be involved in solving the world’s problems. By making them feel like they are a part of the solution rather than the cause of all the issues, organizations have a better chance of gaining their commitment to safer BYOD practices and ensuring sustained compliance.
Support social media
Social media facilitates knowledge sharing and expansion of networks. Most gen Yers, and even gen Xers now for that matter, rely on industry updates via Twitter and LinkedIn news feeds. Social media is a great vehicle for promoting a company’s brand name through pure word of mouth, which is always perceived much more favorably by the public than cash for comment. Hence, do not immediately assume that use of Facebook or other social media applications means that employees are wasting their time. Instead, it is much better to review and examine the nature of the applications traversing the network before making any draconian moves that could grind productivity to a halt.
Keep it simple and keep it real
No one likes to read long laborious documents. IT should focus on policy to “keep BYOD simple.” The policy should be clear with a list of acceptable devices and operating systems that can be supported. Tech-savvy employees can then utilize what they like, knowing that they are responsible for the management and well-being of their device if IT does not support it. Once in place, communicate these policies regularly to employees as short, sharp and interesting messages so they are aware of the real risks of a breach.
Tailor your AUP
Developing an acceptable use policy (AUP) that is meticulously customized to a particular organization is important. Off-the-shelf solutions will only cause long-term compliance issues and complications. Once in place, ensure that the policies are applied to a segmented network. Sensitive data should always reside on a different network than that which is open to guests, contractors or other non-employees. With a segmented network, IT can apply one set of policies for employees and another set for guests.
Create a secure ecosystem
BYOD policies are not going to work in isolation. Creating a secure ecosystem will ensure that all entry points in an organization are secure and the risk of breaches is mitigated. Some recommendations to create this ecosystem are:
– Use scalable security solutions that allow an organization to easily develop and amend policies and layers of security to suit the changing workforce demographics.
– Most security breaches are due to poor configuration of firewalls that are too complicated. Solutions that allow quick and easy segmentation of networks make the job less taxing for IT administrators.
– With the VPN capabilities of a security solution, administrators can enforce acceptable use policies for mobile and remote users and road warriors who need to access corporate data anytime, anywhere. These controls even protect users in the most hostile environments, such as hotels and public Wi-Fi hotspots.
– Security solutions with application control and web surfing controls also make it easy for IT to set up and administer policies around acceptable and unacceptable web surfing activities. Since such services reside at the gateway, they are agnostic to the type of device that an employee brings in. Therefore, safe web surfing practices can always be enforced.
BYOD is only going to become more prevalent with the changing workforce and the ‘new normal’ of accepted work patterns. With it come new sets of challenges and opportunities for businesses as well as their IT departments. This means that a BYOD strategy that is flexible, agile, cross-generational and ‘human’ is critical for success and data security. As part of a strong BYOD strategy, having well-designed policies and end user agreements in place will be key, as long as an organization has the employee buy-in and understands its generational divide.
Scott Robertson is Vice President – Asia Pacific, WatchGuard Technologies.