It sounds great, doesn’t it? No more spending money on phones, desktops or laptops. Let your people use their own tech at work, make their own choices and provide their own support.

Probably the biggest change is in the security and information assurance landscape. The internal networks go from being a trusted environment to a semi-trusted environment: not quite the untamed frontier of the internet, but not a completely controlled and audited space. IT people will need to start thinking about true end-to-end security and protection for data and applications, and also some wider aspects of the BYOD proposition:

- Ergonomics – the employer still retains responsibility for injuries at work. Just because the user owns the device doesn’t mean that requirements like the UK’s Health and Safety (Display Screen Equipment) Regulations and their equivalents in other jurisdictions can be ignored.
- Access Control – there should still be a code of connection and authorization process for connecting devices to the corporate network
- Support – the wider selection of devices will mean that applications need to be selected, developed and tested against a much wider range of browser/OS/system combinations, and that helpdesk people will need to be familiar with a wider range of potential client devices
- Data management – have you considered what data people might (intentionally or unknowingly) cache or store on their BYOD equipment? What happens when that equipment is returned to a store/vendor for repair, or disposed of? What controls do you have in place over corporate data on external devices?
- Audit – do you know what types of devices are connecting to your systems, and who’s using them?
- Updates to application security – it’s quite possible that a lot of applications in your organization assume that any device accessing them is owned and controlled by the organization. Do you have a discovery and mitigation plan in place to identify such applications and put the appropriate controls in place?
- Viruses, Malware, Spyware, Trojans – do you mandate AV software on BYOD equipment? Is there an approved list of AV software in place? Does your network monitor, control and authorize access and operations on a device-by-device basis?
- Licensing – what risks are you exposed to if unlicensed software is used for your business purposes? What controls are in place to verify that software used on behalf of your organization is correctly licensed?
- Training – have you adjusted your training and induction processes to reflect the change in technology landscape?
- User Interfaces – have you thought about how the BYOD technology will change how you specify and deploy onscreen user interfaces, and access to other devices such as corporate printers or multi-function print/scan devices?