Sure, you can put all personal mobile devices on lockdown once employees walk through your doors, and some places (defense contractors and the like) have to for security reasons. But many mainstream enterprises allow employees to bring their own devices and use them for work.
While there are risks associated with this, increased productivity and happier employees can offset risks as long as there is a solid BYOD policy in place, supplemented by smart security measures.
Perhaps the biggest problem with BYOD is that end-users often take the attitude that they’ll use an app unless and until they’re told not to by IT. Forgiveness is easier to ask for than permission, and all that. So how do you encourage responsible use of all the wonderful tech available without turning a blind eye to so-called “rogue IT” or “shadow IT?” Getting to where you can say yes to new applications while ensuring your BYOD policy is adhered to requires work, but you can do it.
“Yes! Finished the invoicing on the Turner Project and didn’t have to put a dollar in the swear jar!”
The Problem of Rogue IT – And Should You Even Call It That?
There are over a million apps in the App Store, and over 1.2 million Android apps available. Granted, this includes a fair number of apps for things like ensuring your ice cream is the ideal temperature and getting text messages from ghosts, but there are plenty of apps that are useful for business processes. What’s the harm if people want to use them?
Well, end-users could be exposing your organization to security threats, with your CIO totally oblivious to that fact. Whether done out of ignorance of risk, or flat disregard for it, end-users are using these unapproved apps, and the CIO needs to understand why they’re doing it. Maybe your organization isn’t keeping up with what’s out there, and end-users feel like they have to use unapproved tech if they want to streamline work processes.
Understanding why rogue or shadow IT is going on might start with understanding how that terminology immediately puts end-users on the defensive by suggesting deliberate deception. Clarify that you understand end-users want to simplify work processes, but if they act outside the bounds of policy, they could ruin it for everyone by getting outside devices banned. The first step to coming to an understanding on “rogue,” “shadow,” or “creatively sourced” apps is finding out how much of it is going on.
“Whatcha doing? Cool phone you got there.”
Find Out What People Are Using
If you’re going to cope with a possible proliferation of unapproved apps, you need to find out what people are using and why. You can ask them, of course, but if you worry that people will be less-than-forthcoming, you can use monitoring software to discover all the apps your end-users are using. One survey of cloud-readiness found that enterprises have 461 active cloud apps, on average – around 10 times more than the average IT manager expects.
Base Your Policy on Legitimate Risks
Obvious worries include privacy leaks, security vulnerabilities, and management freak-outs, but you have to be more specific than that when crafting your BYOD policy. The cloud was also going to be the undoing of security, but that didn’t exactly stop everyone from using it for at least some business processes. Know what you’re worried about being leaked, and exactly what kinds of security vulnerabilities concern you. This can guide you on what to look at in apps to see if they’re appropriate or not.
Educate, Don’t Yell
Once you know what end-users are doing and what the specific risks are, communicate this to end-users. Let them know what the risks are, and what could happen in a worst-case scenario. Don’t make them afraid to ask IT whether a particular app would be acceptable, and don’t make app requirements seem so onerous that end-users are tempted to keep using apps without telling you. Educate users about what app characteristics pose risks, and why they can’t just download them and go on their merry way.
Take Reasonable Security Steps
Even secure cloud services pose risks if the networks used to access them aren’t secure. You can get network service virtualization tools for securing connections from your distributed workforce. Mobile device management (MDM) and mobile application management (MAM) are other ways enterprises secure personal device use in business. Some organizations create their own enterprise app store (EAS) to give end-users a variety of pre-approved apps to use on their personal devices. When IT is seen as the great integrator that brings in new technology to the overall business policy, they’re seen as end-users’ partners and enablers, rather than buzzkills who don’t care about productivity and efficiency.
Samanage is a leading provider of IT service desk and IT asset management software, allowing your IT team to account for every device that uses your network. Furthermore, it includes cloud risk and compliance software with a risk detection engine that scans asset inventory and looks for problematic patterns. When problems are detected, the service desk is notified to take action. With great IT tools and a sound security and BYOD policy, you can prevent rogue IT and detect it early, before it can cause big problems.