BYOD Policy Bites Vacationing CEO
Mimecast CEO Peter Bauer recently found himself at the intersection of consumerization and IT management, falling victim to personal data loss as the result of the internal management policy he himself helped establish.
While on a family vacation in South Africa, Bauer's 5-year-old daughter tried to use his smartphone. After she entered the incorrect PIN code five times, the corporate-installed remote wipe capability kicked in and Bauer lost all of the photos he had taken through the first half of the trip.
The frustration among end users whose personal information can be lost at the hands of their employers' policy is one of the main challenges Bauer says Mimecast has seen as it continues to move forward with its young bring-your-own-device (BYOD) management policy. However, that frustration is both natural and necessary if IT is going to strike a compromise with employees, Bauer says.
"Some pretty key corporate information moves from the secure inner sanctum of your building onto a BYOD device, and if you don't have a way of protecting that stuff, then you're kidding yourself about having information security in place," Bauer says.
Mimecast's management team considered a partial wipe on employees' personal devices, which would delete sensitive corporate email and documents but leave others, such as vacation photos, on the device. However, even photos could present a risk, as Bauer says he and his employees have been taking advantage of their smartphone cameras to capture information scribbled on whiteboards in meetings so it can be referenced later on. With the increasingly innovative uses for smartphones, Bauer considered this tighter policy the only secure way to enable productivity while mitigating risk.
At the recent DevConnections Conference in Las Vegas, Mimecast surveyed 500 IT professionals and administrators on BYOD, finding that while half consider access to personal devices a "productivity necessity," another 21% said it has been a risk to their business. For another 26%, the perceived risk was enough to deny their employees the right to BYOD.
However, employees are likely to use whatever device suits them for work tasks regardless of their employers' policies, Bauer says. That, he says, suggests both that consumerization is occurring in more organizations than the survey showed and that those without a management policy are leaving themselves susceptible to information security risks.
Bauer says Mimecast, as an email management vendor with its own mobile offerings, is in a unique situation. Employees naturally use a broad range of devices to test for compatibility with their apps, as well as to complete their own tasks. To support this environment while reducing risk, Mimecast's BYOD policy includes a comprehensive list of approved devices employees can use for work purposes, including iOS, Android, BlackBerry and Windows Phone. As a protective measure, when employees want to use a personal device for work, they have to register it with the IT team so the remote wipe capability can be synced.
"As companies are having to expose their IT services broadly on the internet so that all these devices that users are trying to access from can actually get to the IT applications, portals, email services or run business applications, the access control is enforced on a per-device basis," Bauer says. "So you can bring your own but it doesn't mean that you can just go and use somebody else's device or pick one up without actually going through a registration process with a company."
Bauer says Mimecast's BYOD policy is not written in stone, and is "going to be a work in progress." As new mobile management tools come to market, and mobile app developers continue to cater to the increasingly mobile worker, management policies in general will need to bend accordingly.
It comes as no surprise, then, that 74% of DevConnections attendees responding to Mimecast's survey said the biggest challenge in the age of BYOD is managing information security. When it comes to enterprise mobility, the most effective approach will be to keep mobile devices on a short leash until further trust can be justified, Bauer says.
"We need to start with an approach like this and then see how it works, and then modify it once we've seen more," Bauer says. "Generally, it's about having tighter controls initially and then loosening them up a little bit when we understand more of the implications."
Colin Neagle covers emerging technologies, privacy and enterprise mobility for Network World.