Page 26 - FCW, July 15, 2016

BYOD is evolving for a cyber-conscious age
Bring-your-own-device policies were envisioned as a way to save money during a time of budget cuts, but policies are pivoting as government gets increasingly security conscious
Mobile devices have been a staple of the federal workplace for years, going back to the days when everyone relied on BlackBerries to bang out email when away from the office.
The smartphone world looks quite different today. Although a few diehards still refuse to surrender their BlackBerries, iPhone and Android devices dominate the landscape. And increasingly, employees would rather use their own devices at work than carry a personal and a work phone.
The bring-your-own-device practice has gained ground at the federal level, but it brings a mix of issues with which CIOs and other IT leaders must grapple. Experts caution that agencies have serious security matters to consider before throwing open the doors to mobile access to key assets.
Kimberly Hancher, former CIO at the Equal Employment Opportunity Commission, helped craft the White House BYOD policy in 2012. That document outlines a broad set of guidelines that agencies can use to establish the proper parameters for mobile access. Yet four years later, she said, there aren’t enough clear policies at federal agencies.
“I don’t think most agencies are really undertaking the effort and due diligence to address BYOD policy,” she said. “They’re just sort of letting people do whatever they can get away with, and very few agencies have actually put formal policies in place.”
She points out that there are consequences to that approach. “If the agency doesn’t undertake due diligence to create the rules of behavior for bringing a device, then people will simply do it and put agency data at risk by doing so,” Hancher said. “It’s really important to state the policy [and] put the security measures in place if you’re going to allow some BYOD. And if you’re not going to allow it, you should make that decision and say [that] until further notice, it’s not allowed.”
Hancher, now a principal at Deep Water Point consulting firm, said agencies must decide whether a BYOD program makes sense for them and then determine which devices to support and what types of security to use.
The fundamentals
Many agencies have a BYOD environment and don’t even know it. According to research by mobile security company Lookout, nearly half of federal employees access work email from a personal device. Furthermore, nearly one-quarter send work-related documents to their personal email accounts, and 17 percent store work documents in their personal cloud storage service.
With teleworking making such activities common, the National Institute of Standards and Technology issued a report in March that outlines some best practices for teleworking and BYOD security. Among the recommendations:
• Use mobile device management software, which allows agencies to containerize particular data and wipe it, when necessary, without affecting the user’s personal content.
• Require employees to stick to approved application stores and tell them not to root or jailbreak their devices to avoid threats from nonsecure networks or apps.
More broadly, NIST concluded that agencies must create clear-cut policies describing what’s allowed and what’s off-limits when it comes to email, documents and other government data.
The hurdles
The biggest driver of BYOD policy is security, said Tom Suder, president and founder of Mobilegov. Suder, who regularly advises agencies on mobile device strategy, said security and the corresponding legal issues are leading the discussions.
“The biggest issue to this day is legal,” he said. “What