Imagine an organization where employees are given several consecutive months of vacation every year. It sounds like a dream, but in the era of BYOD, it could also be an IT exec's worst nightmare.
Erik Greenwood, CTO of the Anaheim Union High School District (AUHSD), which consists of 21 California schools and 33,000 users with network access, says the end of summer vacation used to mean the beginning of malware season.
Faculty members would spend summer break leisurely browsing the web, freely clicking on links, opening email attachments, and only rarely updating their software, Greenwood says. As employees and their devices came back to school, they often brought viruses with them.
[ALSO: Avoiding BYOD blunders]
One virus strain forced a complete re-install and upgrade of the district's email suite. In another case, the district's IT department had to "isolate and bring down subnets to try and triangulate the virus," Greenwood says.
Each case meant his department had to work an extra "couple hundred hours, easy," he says. "There's an opportunity there that was lost where we could have been working on other projects," Greenwood says.
Greenwood turned to network access control. "We had a particular strain where our anti-virus was having real challenges addressing the outbreak," Greenwood says. "And we got to the place where we saw network access control as a necessary piece of infrastructure, not only for the staff piece, but we were looking for it with the incoming students bringing their own device."
And security wasn't Greenwood's only concern. He recalls multiple cases in which rogue devices brought down the district's network. One school flat out ran out of IP addresses to assign its devices. In another case, a rogue device on the network began acting as a DHCP server, competing with the district's actual DHCP server and distributing IP addresses of its own.
The district deployed a network access control solution from Bradford Networks and customized it to address its unique situation. The school district's network now sees traffic from more than 12,000 of its own devices, from PCs to printers, and needs to accommodate a fluctuating number and variety of devices brought from outside.
Greenwood says the initiative began at the application layer, and later evolved to include communications apps. The project involved setting policies and restrictions on who can access the network with what devices, what types of content users are allowed to view, and so on. In an ever-changing mobile market with new applications and content delivery formats, Greenwood says he prefers to begin with tighter regulations and expand them to accommodate user needs as they arise.
"As we continue to grow, we have all of these systems that are competing for bandwidth," Greenwood says. "And that's kind of been the thread, trying to grow our network, and that continues to be the challenge."
Lost and found
Greenwood is hardly the only witness to the problems that can arise as a result of BYOD. Endre Walls, CTO of nonprofit Resources for Human Development (RHD), says employees who lost their personal smartphones, which they had secretly synched with their corporate accounts, posed a major data loss risk.
"Lost devices were a security issue for us, because if the user has our email prior to the implementation of our MDM and our policy, we were out in the wind," Walls says. "That was always a huge issue for us. A lot of times, the user needed to be able to put two and two together to know, 'OK, I lost the device, and this is a potential problem for the organization.'"
But few employees who had lost their personal smartphones ever thought to inform the IT department about it, even if that device had been synched with corporate apps. And the chances that these employees had taken it upon themselves to implement authentication on their personal devices were slim, "because there was no policy there [that] was anything saying 'you have to have a PIN on your phone,'" Walls says.
"Before the software and related policies were put in place, you could be talking about days before we even know anything happened," Walls says.
RHD now has the ability to wipe its corporate data and apps from an employee's personal device, and even offers a complete data wipe if an employee requests it. Just as importantly, the IT department makes all employees aware that any device that has been synched with corporate apps - no matter who it belongs to - needs to be secured if it's been lost.
However, employees don't even need to lose their device to accidentally leak sensitive corporate data. Ojas Rege, vice president of strategy at MDM vendor MobileIron, says many consumer devices are optimized for opening, viewing and saving documents in the cloud. This poses a risk that consumers may never consider.
"The No. 1 source of data loss on the iPad was email attachments," Rege says. "So, traditionally, when you're using email [in iOS] and you click on an email and there's an attachment and you click on that, it gives you this menu to open [the document] in all of the readers that you have on the device. So if you click on Dropbox, your corporate data is gone. Every email attachment is one click from the cloud on that device."
[POLICY: A sampling of BYOD user policies]
Naturally, these problems are enough to send any IT administrator rushing to deploy any mobile device management, network access control or mobile data protection software on the market. But deploying the software involves building a strategy, and that can be risky as well.
Legal concerns should be a top priority for any company considering launching a new BYOD program, says Ann Marie Cullen, MobileIron's customer advisory services manager. Cullen works directly with MobileIron customers while they plan and launch their mobile initiatives.
"One of the biggest mistakes that we see customers commonly make is not involving the right stakeholders up front when developing their programs," Cullen says. "So they have to go outside of IT and involve legal, HR, and finance and compliance in developing their programs."
In one case, Cullen saw an IT department put in the time and work developing a strategy just to have the legal department shut it down just before it was deployed.
"It puts too much liability on the company, and so they had to basically go back to the drawing board again and do it with legal involved," she says.
As frustrating as that may be, that IT department is lucky the legal team intervened. A 2012 USA Today report found that the number of lawsuits alleging wage-and-hour violations grew 32% from 2008 to 2012. Employees who had sudden access to work information and apps on their personal smartphones were pressured to work additional hours while at home, and filed suit because they were never compensated. One case, involving pharmaceutical sales representatives, reached the Supreme Court last year.
Privacy becomes an issue as well. Any GPS monitoring apps, particularly when used to track an employee, can be dangerous from a legal standpoint. And even businesses that respect their employees' privacy need to make that clear, Rege says.
"The users do get worried about 'well, is IT going to see my photos, is IT going to read my SMS messages,'" Rege says. "Some of these things aren't even technically possible. But it's not a technical question; it's a question of the relationship between the two."
Another, more technologically justified concern is the extent of the employer's remote data wipe capabilities. A common solution to the threat of lost devices is to employ a remote wipe tool that allows the organization to delete all data off a device an employee has misplaced. That worked fine in the days of the corporate-owned BlackBerry, but it has caused some real-world problems for those using their personal phones.
While on a family vacation last year, Mimecast CEO Peter Bauer's 5-year-old daughter got ahold of his iPhone, which he had been using to both check in at work and take photos on the trip. After his daughter accidentally entered the wrong PIN number five times consecutively, the MDM program Bauer himself had approved automatically wiped all data on the device, photos and all.
Although many IT departments prefer a partial wipe, which provides the ability to delete only corporate data, Bauer says the company decided on a full wipe because employees often took photos to save information written on whiteboards or projected on-screen during presentations. In that case, a partial wipe was likely to leave sensitive information on a lost device.
Bauer's case is a unique one, but it speaks to the importance of communication when crafting a BYOD initiative. Every business is different, and will need to address mobility in its own way. Especially when dealing with employees' personal property, communication and feedback are essential to a successful rollout. When addressing BYOD, the IT department can't be afraid to adjust its role in the organization, Rege says.
"Suddenly saying 'I'm going to give users more freedom, I'm going to focus on education and communication,' it doesn't come naturally for all IT departments," he says. "I know that we have seen some IT departments struggle because they just don't know where to draw the line and where not to draw the line. They just grew up in a world where that line was kind of clear."
Indeed, Walls says the BYOD initiative was an opportunity for his IT department to work across the organization in a way he never has before. A mutual relationship with IT, which may not have existed in the pre-BYOD world, is imperative to keeping other parts of an organization from suffering the unintended consequences of the mobile workforce.
"That's why awareness, user training, communication is so important. I can't stress that enough," Walls says. "This is the first opportunity professionally that I've had to implement that kind of strategy, and I think it's way more effective than anything else that I've tried in any other environment."
Read more about anti-malware in Network World's Anti-malware section.