I just glanced at a post on NetworkWorld called "Email in security hot seat with rise of cloud, BYOD". In it I saw this piece of text:
IBM famously issued a new set of BYOD policies that, among other things, forbid employees to use a competitor’s cloud service (no more Dropbox, no more Carbonite, iCloud, etc.), to forward corporate email to private accounts, to transmit unencrypted data, or to use Apple’s personal assistant, Siri.
I’ve talked about BYOD now and then for quite a while. I’ve not made up my mind on it yet. BYOD has a lot of complexities in terms of technical support, security, compliance, and so on. Once you put the user in control of choosing a device (a €300 laptop not built for heavy usage versus a proper business machine with support) and managing that device, you lose control.
But here are my thoughts on the above IBM rule. You’ve put the user in charge. Users have no interest in rules. Put all you want in the acceptable usage rights document. The first people to contravene those rules will be the executives who wanted them put in place. With BYOD you have ceded control and accepted the premise that the user knows best how they should work. If that user thinks that Dropbox is the best way to get data off of their iPad and onto their PC then that’s what they’ll use (what other choice have they?). If they want to back up their work then Carbonite is nice and cheap. If they want to use an iPhone 4s then they’re not going to not use Siri (“This is your reminder to call the vet”), the most marketed feature of the phone.
Rules like this are the lawyers’ answer but don’t deal with the realities of human nature. The reason IT did lock down PCs was to protect the business’s information property. With BYOD, you hope that they don’t send stuff all over, that they do install the app that allows remote lockdown and secure wipe, and that they act responsibly. But hey, these are the same people that will hand over their corporate passwords for a free pen in the street outside their office.