Bring Your Own Device (BYOD) has become one of the most influential trends that has or will touch each and every legal IT department. The term has come to define a megatrend occurring in IT that requires sweeping changes to the way devices are used in the workplace. Cisco research shows that one third of workers will be mobile by 2013 and 35% of smartphones will be used for business by 2014.
According to Chris Styles, Senior IT Manager at Manchester-based law firm Pannone “Bring your own device, is an excellent example of the shift in thinking of a modern day IT department. Gone are the days of imposing systems and rules on the workforce because IT knows best. The Millennial Generation Y group are the bright sparks we need to attract and retain and they are the ones who demand access to everything, anywhere and on the device or devices of their choosing. Technology is only just keeping up with their demands.”
Of the estimated 14 million Millennial telecommuters, 69% of them report that they use whatever device, software, or site they want, regardless of corporate policies (Cisco research 2011). In the last year, the persistence of end-users* demanding to leverage their tablet computers and smartphones to extend their productivity, even if they had to purchase the devices themselves, has led many IT departments to adopt less restrictive policies, allowing employees basic connectivity or, increasingly, full access to the IT network and corporate applications. How then do legal firms deal with the two main challenges of BYOD: security of data and support?
Supporting BYOD for employees
Traditionally, IT pre-determined a list of approved workplace devices, typically a standardised desktop, laptop, and even a small, standardised set of mobile phones and smartphones. With BYOD, IT must approach the problem differently. Devices are evolving so rapidly that it is impractical to pre-approve each and every device brand and form-factor. It is also somewhat impractical to expect IT organisations to have the same level of support for every device. Most organisations have to establish what types of devices they will permit to access the network, perhaps excluding a category or brand due to unacceptable security readiness or other factors. Styles says one way of attempting to stay on top of the ever increasing influx of new devices is to identify vendor champions both within the IT department and the firm as a whole, breeding a small group of intense product specific support knowledge.
An increase in device choice does not mean sacrificing security. IT must establish the minimum security baseline that any device should meet to be used on the corporate network, including WiFi security and VPN access. In addition, due to the plethora of devices, it is critical to be able to identify each device connecting to the network and authenticate both the device and end user. Businesses typically have a wide range of policies they need to implement. Adoption of BYOD must provide a way to enforce policies, which can be more challenging on consumer devices like tablets and smartphones.
Another complication results from the mixing of personal and work tasks on the same device. Access to the internet, peer-to-peer file sharing, and application use may be subject to different policies when a user is on their personal time and network and when they are accessing the corporate network during work hours.
According to Styles there are two methods of delivery of content which need to be considered. Virtualisation at first seems to offer everything needed, access to all systems and all information running in a secure data center where the information never leaves. But with virtualisation comes the cost and requirement for always on connectivity, acceptable maybe for a full desktop but not so cost effective for accessing details of a calendar appointment whilst on the go, for example. It’s important to assess and classify what data is delivered, how, and to what device.
Styles believes a hybrid approach is the best model to support BYOD. “The hybrid approach seems to be the best fit to support a BYOD strategy. Mobile Device Management (MDM) allows for some security procedures to be put in place, like encryption and selective remote wipe. Employees need to agree to treat and respect the data held on the device according to agreed security models. For basic email and calendar sync, deliver this to the remote device, anything requiring a live connection to the backend systems a full virtualised desktop seems to fit the bill, maintaining that complete security boundary and running the processing in the cloud.”
Finally, Chris Styles comments that “Technology, connectivity, virtualization and the cloud is playing catch up to consumer expectations,” says Styles. “The continuous advent of new devices and the security and support challenges that these pose, mean that IT departments need to be more agile and responsive.”