Tackling Device Management in Government Agencies
The implementation of BYOD (Bring Your Own Device) policies has become the preferred norm by employees and employers alike when it comes to mobile devices in the private sector. The BYOD trend has expanded from employees providing their own smartphones to include other mobile devices such as tablets and laptops. Statistics have shown that the use of personal mobile devices in the work place increases employee satisfaction and productivity. So how does the idea of BYOD sit with the public sector and how are agencies managing the need for new policies?
The Benefits of BYOD
In a study conducted by Forrester, 60 percent of government employees agreed that BYOD would help them be more flexible and 57 percent said that being able to use a personal device for work boosted productivity. Of those surveyed that already use their own devices for work, 52 percent reported increased job satisfaction as a result. Additionally, 44 percent of these workers said that BYOD positively impacts their decision when it comes to job choice. These figures overwhelmingly portray employees' inclination towards BYOD, and these figures are only expected to increase over time.
Another obvious benefit to BYOD in government agencies is the cutting of costs to the organization, and consequently to the taxpayer. Studies show that the majority of employees are willing to pay for their own devices when they have the freedom to choose. In this case, not only do organizations save on the cost of tens, hundreds, or even thousands of mobile devices, they also save the taxpayer money over the years by reducing or eliminating the costs associated with life cycle asset management, such as updates, repairs and maintenance.
The Dangers of Ignoring Personal Devices
Failing to implement BYOD is riskier for some agencies more than others. For example, defense and intelligence agencies, although they don't have BYOD policies, already have high levels of security and strict mobile use control. It will take much longer before these organizations implement any type of BYOD policy, but security measures to protect sensitive information are in place.
On the other hand, there are agencies that have less stringent security policies but still deal with sensitive information such as the personal identity data of citizens and/or government officials. In these offices, not implementing a BYOD policy may impose a risk because some employees are using their own devices regardless, and they aren't always using secure connections or secure applications. Fifty-seven percent of respondents from the Forrester survey said that their organizations provided limited or no support for personal devices. By not implementing policies and support for BYOD, workers will continue find work-arounds in order to use their own devices, which will put government organizations at further risk.
Just six percent of government employees surveyed reported that the use of a personal device at work is completely prohibited. This means the majority of government organizations are allowing BYOD without really putting security policies into place and enforcing them. This also means that in some cases devices are being bought with taxpayer money and supplied to employees who really don't need them, as they are using their own devices anyway.
Guidelines for Implementing BYOD Programs in Your Agency
There are several factors that go into making a good BYOD policy. Even with the most secure technology available, it is important to incorporate mobile device / BYOD policies into the agency's mandatory IT Security Awareness training. All employees should be aware of how their actions or inactions can affect the security posture of the organization and even, in some cases, the impact it can have on the country as a whole. Some foreign governments have gotten a leg up on BYOD, and have recommendations for moving forward. According to Peter Major, Senior Manager of IT Security for ACT (Australia's equivalent of Congress), the following factors help make a good BYOD policy:
- Consistent and quality user experience
- Evaluation of security issues
- Collaboration capabilities
- Ease of management
- Alignment of BYOD program to government business objectives
In Major's interview with ZDnet, he also says that getting senior-level buy-in is critical. Allowing them to test a BYOD program first is a great idea. They will see how convenient and efficient it is, and then it's much easier moving forward with the support of senior officials behind the program. Another thing to consider is the type of BYOD policy that is best for your agency. According to the U.S. CIO Council's BYOD Programs Toolkit for Federal Agencies, there are 3 ways to implement your agency's BYOD policy:
- Virtualization — provide remote access to computing resources so that no data or corporate application processing is stored or conducted on a private device.
- Walled garden — contain data or corporate application processing within a secure application on the device to segregate from personal data.
- Limited separation — allow comingled agency and personal data and application processing on device with policies enacted to ensure minimum security controls are satisfied.
The CIO also discusses several other factors to consider when designing a BYOD policy such as: roles and responsibilities (user, agency, technical support), incentives for agencies and individuals, security issues and more. Continue reading the CIO's recommendations as well as case studies from government agencies that have implemented BYOD policies here.
Addressing Mobile Security Concerns
Charon Technologies helps address security concerns for government agencies by developing solutions to complex problems that satisfy current and future technical needs. Charon Technologies' mobile security solutions are developed with government agencies in mind to handle the even the most sensitive communications. When defining the security guidelines for your BYOD policy, an important consideration to take into account is the communications path between the end-user device and agency's enterprise infrastructure. While much can be done to employ technical and administrative policies for each device, without a private, secure, trusted network channel for exchanging data, information is at risk to be compromised. Many vendors offer solutions that are software-base Virtual Private Networks (VPNs). These solutions are highly susceptible to software vulnerabilities that could have major impacts to an agency's overall security.
CommLock Connect provides a private, secure, and trusted network channel for data exchange between a client device and the CommLock Server that shields your private cloud / network. A client device can be any device supporting standard wired (Ethernet or USB) or wireless connectivity, such as a desktop, laptop, IP phone, and M2M devices.
Once connected through the CommLock Server, the client device has access to any services within your private cloud / network that are set up (e.g., email, instant messaging, VoIP telephony, document sharing, remote desktop, data storage, industrial remote device control/monitoring). CommLock Connect is cryptographically bound to the CommLock Server providing the secure and trusted network connectivity to the private cloud / network architecture.
CommLock Connect Provides World-Class Security Technology
- Self-contained hardware-based VPN network security
- Secure Key/Certificate Management
- Isolates and protects the host device from malicious network activity
- Simple and flexible interface to host device (i.e. USB, Ethernet, Serial, Wireless)
- Plug and Play (no cryptographic knowledge required)
- Secures any IP-based network
- Small form factor