Despite all their promises of increased productivity and morale, BYOD programs carry inherent risks. The challenge for IT and business leaders is to come up with a program that balances employee desires for flexibility with corporate needs for security. A well-crafted governance program is the answer.
A BYOD governance program outlines the rules and responsibilities around data access, device use, and employee behavior. It should inform employees what they are allowed -- and expected -- to do with their personal devices. It details the authority that IT has to restrict access to certain employees or devices remotely, to manage devices connected to the network, and to wipe devices in the event of an emergency. It should also address such issues as privacy, compliance, and acceptable use.
Governance programs should also be created around where an organization sees itself heading. For example, at the NCH Health System in Naples, Fla., a formal BYOD program is a logical extension of going totally electronic, according to CIO Helen Thompson.
"As of July 15, 2013, all of our processes will be electronic," Thompson told me. "It is part of our journey to the digital hospital. There will be no more paper."
To help prepare for NCH's all-digital transition, Thompson has spent considerable time reaching out to her local peers to learn what they are doing with BYOD and best practices.
"They are all trying to get a BYOD program implemented," Thompson learned.
So NCH came up with a two-part BYOD strategy. First, all devices would be allowed, for the optimal convenience of hospital physicians. Secondly, the program would be heavily publicized, driven by the competitive local marketplace where BYOD is becoming an expected offering. As Thompson noted, of the 650 physicians affiliated with the two hospitals managed by NCH, only 100 are employees.
Thompson also stresses that while anyone on staff can take advantage of the BYOD policy, it is really intended for physicians.
Helping to make physicians happier on the job is not an idle pursuit in healthcare today. As a recent national study confirmed, America's physicians are not a happy lot. The majority say they are overworked, under-appreciated, don't feel that healthcare reform is working, and many would not choose the career if they had to do it over again. The BYOD program therefore has far-reaching implications: helping to boost job satisfaction among the hundreds of affiliated physicians.
Hospitals find BYOD makes doctors happier at work.
How secure is too secure?
The first step is to decide how restrictive the organization needs to be. That raises such questions as:
- Is a top-down approach the best way to guarantee security?
- Will a lock-down approach allow for workforce flexibility?
- What is an acceptable level of risk to ensure employee access and convenience?
- Is a command-and-control style suitable for business in the future?
Where an organization places its security emphasis will depend, in part, on how it answers these questions. It is also important that the organization knows its users, and has a single view of them. For example, a single employee may use many personal devices to access corporate data, access that data through several different channels, and use a number of IDs to enter the network.
Just because an organization allows BYOD doesn't mean everyone will jump at the opportunity. The Utah state government has had a formal BYOD program in place since 2009, according to chief technologist David Fletcher. Still, he estimates less than 10 percent of state employees take advantage of it. The greatest percentage is among workers on Capitol Hill.
Utah has not had a breach of its network so far, Fletcher says. That is due in no small part to constant training and education on what the BYOD policy allows, and best behavior to safeguard the network. Employees receive annual training on changes to the policy, and how new devices on the market should be used.
"I've seen some very complicated programs, but it's not a super complicated issue," Fletcher told me. "Keep them simple."
Communication is key
The next step is to create a communication and awareness campaign. Employees need a clear understanding of the organization's data risks and how they play a role in increasing or reducing those risks. An informed employee will show more responsibility and take fewer risks with valuable or sensitive corporate data.
By understanding the organization's data protection needs and employee habits, a governance program can be created that serves both. The program should include policies on accessibility and enrollment, enforcement, employee data and service plans, fees and charges incurred by the employee on mobile devices, stipend programs, employee consent and acceptance of the BYOD agreement, training, compliance, and privacy.
Governance programs should also cover technology issues such as mobile device management, cloud computing security, network access control, desktop virtualization, passcodes, PIN mandates, file permissions, specific devices allowed or banned, and specific applications and technologies allowed and banned.
Experts recommend starting small and considering a pilot group when developing a governance program. School districts take this approach when rolling out 1:1 programs or BYOD initiatives -- beginning with a single classroom or grade level, and fine-tuning the program each year as other classes or grades are brought into the program.
As with any initiative, you should evaluate the program on a regular basis. Your employees will change, their devices will change, and the needs of those devices will change.
If your organization has done a good job of assessing its data risks and employee needs, a successful BYOD program is very doable. The benefits can include a more productive, more flexible, and happier staff. For the organization, IT will be able to concentrate on more pressing concerns, and spend less on hardware investments.
But again, all of this depends on the organization focusing on the most important piece of any BYOD puzzle. Begin the entire process by looking at how to best protect your data, and work everything backward from there.
— David Weldon is an experienced editor, writer, and research analyst, with over 30 years of experience in the communications and research fields.