I have talked to many organisations over the last few years about how they have approached consumerization. For those that have made it work the best there seems to be some common themes. So here you have the Rob’s guide to some basics that may help you:
- Assuming that staff can remember their “terms and conditions of employment” and relate it to the device in front of them. Always create a separate agreement that does not reference anything else and explain what’s expected of the employee. There is a big difference in signing a contract saying you will protect company data and associating that to backing up your Iphone onto your home computer where the rest of the family can read company files.
- Trying to stop the unstoppable. There are some things like USB sticks that it’s possible to stop with technology but it’s very hard. If you’re not going to use software to ensure that only company USB sticks are used then allow them. Far better to get the users on side, have a relevant policy and then mitigate the risks then to pretend that because it in a document that your staff should have read you have nothing to worry about.
- Mitigating risks though policy. It’s great to have legal backing but it won’t get your data back. Sure you may be able to enforce in a court that an employee has to bring in their personal device for you to look at, or that you can make anyone that’s stolen a device give it back, but the damage has been done. View legal enforcement as a backup not the primary in risk mitigation.
- Trying to apply company owned attitude to consumerized devices. Look at Consumerization as a way to wipe the slate clean and start again. You may want to start off with tighter VPN controls e.g. only allow HTTP access to your network. Antivirus is a great example; the requirement is to stop virus and malware from taking data. Antivirus is one solution, not the requirement. In reality it may be that you need to install AV software but don’t forget that there are many ways of reducing virus risks. The same is true of other technologies, I can think of a smart phone which has really good controls and protects the data without encryption better than other devices which do have encryption. In this case the requirement is protecting the data, not dose the device use encryption.
- Not accepting diverse technologies and having a strategy for them. The whole point of consumerization is that the consumer chooses the device. This is inconvenient for any IT department. A scaling solution where more secure device get access to more resources is a far better idea than a minimum set of requirements that the device has to meet to get access to everything. A side effect of doing this means that you need to know what devices are connecting and that also adds a layer of management.
There are many more of course but that’s plenty of excitement for today. Hay now when we speak of consumerization we may think of an employee owning the hardware, we may even think about them owning the software but what about them owning the service? What do I mean by that? Well in the next blog we will investigate!