It has been a dozen years since Apple released its first iPhone, and today the iPhone and Google’s Android devices dominate the smartphone market. While the private sector has widely embraced a “bring your own device” (BYOD) policy that allows employees to use one device for both work-related and personal calls, texts and emails, this policy has seen slower adoption in the government and contractor world.
One of the biggest concerns is that sensitive – even if not classified – information could be taken in and out of the office. One of the benefits is that allowing employees to use their own devices can be very cost effective. The State of Delaware opted for a voluntary BYOD program in recent years and saw a 45% decrease in device expenses and overall savings of 15% in wireless costs. The Equal Employment Opportunity Commission (EEOC) also saw its mobile device costs reduced by 20% to 30% after it opted to allow a BYOD option for its employees.
While BYOD may place more company or government information outside the four walls of your facility, the same could be said of any remote employee. This is true for the Alcohol and Tobacco Tax and Trade Bureau (TTB), which has more than 80% of its workforce in the field. Even if those individuals were issued a work-only device, it would still be taken outside day-to-day IT control.
Smartphone Security Concerns
Despite the cost savings, security remains a concern. Unless IT can regularly monitor and inspect a device, there is a risk that it could be compromised via malware.
“Security is an issue, more so for Android than Apple, but it’s a problem for both ecosystems,” warned Steve Blum, founder and principal analyst at Tellus Venture Associates.
“It’s not a particular problem if access is limited to outward-facing portals. For example, if an organization allows employees to access email at home using their own devices, then allowing them to do the same at work isn’t significantly different,” Blum told ClearanceJobs.
“Most companies/government agencies will require additional software for a work device,” noted Jim McGregor, principal analyst at TIRIAS Research.
“This provides additional security and the ability to wipe or disable the phone if it is lost or stolen,” McGregor told ClearanceJobs.
“Privacy is a bit of a grey area because most employers have the right to access any information on a device used for company/government purposes,” added McGregor. “So, if a consumer really wants privacy from their employer, they should have a separate device. However, employees, especially government employees, should not be conducting business on their personal devices that are not secured by their employer.”
Multi-Layered Security
BYOD may require more than a simple password for user access.
“The company would – should, anyway – have sufficient safeguards in place,” said Blum. “Security has to be multi-layered.”
Hardware restrictions are just one layer, and may not be the most effective, particularly when remote access is allowed.
“Even if it isn’t allowed, the same kind of safeguards can be built into apps and networks that can only be accessed internally,” explained Blum. “But it has to be done, and sometimes that isn’t possible, because of high security level requirements or IT staff ineptitude or internal bureaucracy.”
With BYOD, users may also be limited in what “personal” information or apps can be loaded.
“Even with a secure platform, loading the wrong application can create a security hole,” said McGregor. “There is nothing out-of-the-box that I would call secure enough for government applications.”
The Rationale For Work-Only Devices
In some cases employees may not have an option to use a personal device at work – or even if they are offered the option, it might mean a device not entirely of their choosing.
“There are a variety of security solutions designed specifically for government employees in sensitive positions and for contract workers,” said Charles King, principal analyst at Pund-IT.
“For example, Blackberry’s reputation for best-in-class security has enabled it to successfully transition from handsets to security services, and the company remains the platform of choice for Federal government employees,” King told ClearanceJobs.
“Specific solutions for contract workers, including thin/zero client devices that limit their access to specific areas/tasks are available from numerous vendors,” added King. “But on the downside, organizations and individuals have to be willing to get with the program.”
There have been attempts to create a true “one-size-fits-all” device that can fill the need for work and personal use.
“The notion of separate work/personal phones and hybrid devices has been around since the broad adoption of BYOD about a decade ago, but has never really taken root outside of businesses where separating work/personal data and activities is a matter of course or determined by company policy or regulations,” said King.
It isn’t just security that is an issue, either. Even when BYOD policies are provided, some employees are concerned about their privacy being in jeopardy.
“The challenge has always been to convince employees to enroll their personal device into the company’s Mobile Device Management system, as they are fearful of what their IT department will be able to see and do with their device,” said Mike Louis, CIO of T-Rex Solutions, LLC.
“The many warning prompts from both Android and iOS devices often deter employees from completing enrollment,” Louis told ClearanceJobs. “With managed applications, the user experience is improved and the IT team can still enforce data access policies.”
In many cases, not having to carry two devices is enough for employees to get on board with a BYOD policy when it is offered.
“Most folks willingly blend work/personal apps and data on single devices, mainly for convenience’ sake,” added King. “It certainly can create privacy issues and even have legal ramifications if a phone contains illicit data or evidence of misdeeds.”
BYOD Ground Rules
Making a BYOD policy work can require some “ground rules” that clearly explain the practices of the user as well as the IT department. This can also include how to keep the device safe from threats, such as ensuring it is used only on secure Wi-Fi networks and not open ones at airports and cafes. VPNs (Virtual Private Networks) should also be considered to mitigate security risks.
“The key to a successful BYOD implementation is policy-based conditional access and security-aware managed applications – regardless of the OS,” explained T-Rex’s Louis.
“We must treat unmanaged devices as if they’ve already been compromised — both Android and iOS have great controls for protecting corporate data on non-corporate devices, however, managed applications are also essential for a comprehensive deployment,” Louis noted.
“As mobile communications capabilities and social media usage continue to advance globally, BYOD still has limitations stemming from data security concerns and regulatory compliance requirements,” added Brendan Walsh, SVP of partner relations at The 1901 Group.
“Today, we support a variety of scenarios including: government-owned/government-controlled, and contractor-owned/government-controlled devices,” Walsh told ClearanceJobs. “However, advances in cloud services, such as Amazon WorkSpaces, offer continued proof of how fast IT changes and services evolve.”
Even in these cases, some companies may still see more risks than benefits.
“I’ve sat in many meetings where security was used as an excuse to protect a bureaucratic fief or cover for antiquated systems and skills,” noted Blum. “There are times when companies have to restrict or ban BYOD because of genuine security concerns, but not nearly as often as some would have you think.”