Dealing with consumer devices in the office
Louisa Kadzo
Earlier this year, we published an article on how East African companies are incorporating the mobile phone into their business operations. Workplace mobility has become a reality that CIOs have embraced. The availability of low-end smartphones, laptops, tablets, iPhones and other computer hardware has led to a proliferation of these devices in the workplace, bringing in the next new challenge facing CIOs.
Global research companies have looked into the area of mobility management, each with interesting findings. One such survey sponsored by Cisco focusing on the threats posed by the growing use of personal devices on corporate networks exposed a disconnect between what workers are doing and what IT leaders believe is happening – IT leaders have no accurate figures of how many personal devices are operating in corporate networks, until there is a breach or loss of information due to an unsupported network device.
The blame does not lie solely with the IT leaders. Many employees are not aware that they are using personal devices in the workplace, yet 95 percent of workers bring their own self-purchased devices to the workplace. Senior management and staff now put pressure on CIOs to open the corporate network to consumer devices for office processes. These processes include enabling staff to receive email and access their desktops and documents while on the move.
The use of these devices for office work has largely been referred to as the consumerisation of IT. With enterprises' continuous reliance on web-based applications, cloud computing and the proliferation of mobility devices, this trend is not going away any time soon.
Threats versus benefits of supporting consumer technology
Consumerization has been credited for increasing productivity, lowering operational costs, enabling flexibility as well as appealing to enterprise mobility. Enterprises will benefit from the collaboration and increased productivity while users benefit from convergence of applications, knowledge and interaction methods.
On the other hand, giving employees unfettered access to valuable company data on whatever device they happen to prefer is a risky proposition. McAfee lists theft or accidental loss of the devices as one area of security concern, since the data they contain becomes more vulnerable. McAfee also states that access to company data on an employee’s laptop, mobile phone, or other personal device can create compliance issues by making it difficult or impossible to verify that data is secure at all times. Finally, because consumer devices are not adequately protected against malware, enabling access through these unsecured devices can open a gaping hole in the company’s otherwise secure firewall.
These risks have led many CIOs to ban employee devices in their organisations and lock down company data.
How agile should a business be?
The agility of a business depends on its corporate goals. Farmers Choice is a manufacturing company that produces, processes and distributes meat products. It employs over 1000 people and works with numerous independent distribution outlets in Kenya and outside. To streamline its operations, the company employed Microsoft Business Dynamic, linked with a meat processing module and a mobile invoicing module. Using Safaricom link, daily sales are monitored with an integrated system that runs on Samsung PDAs.
Flora Kinuthia, IT Manager at Farmers Choice says that the market has been pushing for mobility particularly to ease communication between the firm and its customers. Senior Managers at the firm are given Blackberries and Nokia Smartphones, not for personal use, but to ease communication for business use. “Because of the nature of our business, emails need to be responded to immediately,” says Flora.
Since the introduction of mobile phones for senior managers, Flora says that the IT team is now faced with the constant challenge of maintaining and troubleshooting these appliances. “Sometimes over the weekend we have to attend to someone’s phone that has one problem or another,” says Flora. To curb this, Flora constantly trains the managers on simple troubleshooting and maintenance skills, including keeping Bluetooth off when not in use to prevent unauthorized access to the phone, and making sure the phone has an updated antivirus at all times.
Another challenge is security, the major concern being the theft of these devices. “We have lost a number of PDAs that are used by our sales staff. Many of them either forget their phones at their clients’ facility, they drop them as they transport products to the clients, or their phones get snatched,” Flora says. The devices are centrally managed, so they are automatically disabled once reported lost to protect company data.
Virus attacks on the phones and computers were a common problem initially. However, Flora implemented an IT policy that has put checks and measures in place to limit virus attacks. The policy spells out that personal devices in the workplace are prohibited. It is a rule that data transfers from the phones to the computers will only be done through synchronization; cable connections are prohibited. It also spells out who is eligible to receive a company phone and laptop, and who is not. Flora also installed firewalls that protect the networks from virus attacks.
Practices to combat risks of consumerisation
Coming up with a solid plan for integrating consumer devices into enterprises is not an easy process. Many CIOs will choose to refuse to allow personal devices in the office. However, the number of mobile apps available to end users, and the simplicity of operating and integrating these devices with business systems, continues to empower end users, making them less reliant on the IT department. The chances of them using their own devices, from simple USB sticks to mobile phone synchronization and much more, are high, and the CIO might never come to know about it until there is a compromise in the system.
Some companies have creatively integrated personal devices into the business, creating a win-win situation. One such company is Intel California. In 2010, Intel was faced with a situation whereby young, tech-savvy people were coming into employment having grown up with different gadgets. These people did not understand why they couldn’t use the faster and better gadgets that they were used to, to increase their productivity in the office. On average, Intel employees use about four different devices and multiple third-party services such as Facebook, Twitter, LinkedIn, Skype and other social networking sites for business and personal activities.
The company then decided to get views from its staff on what gadgets they would prefer to use, and for what purpose. After collecting views and concerns from staff, Intel implemented a new IT policy that allowed the use of specified devices to perform specified processes in the office.
Soon after this decision was passed, technical challenges started arising. The IT team had to go back to the drawing board and define new security policies that would allow clients to use personal devices inside Intel.
One of the critical parts of any security policy is a solid end user license agreement. Intel came up with an end user license agreement that spelt out the rights and responsibilities of everyone involved in the consumerization process. This agreement clearly spelt out logistical issues that were of concern. For example, what happens when an employee leaves the company? Do you give your employer the right to review and remove data from any personal device that was used for office work?
Intel passed a rule that any user who wants to use their personal device to receive office mail or link in any way with the system must sign the end user license agreement. The department manager for the employee must also sign the license agreement, allowing that particular staff to use that device for the stated purpose. In addition, Intel put in a tiered policy capability whereby only devices that attained certain security standards can receive email attachments; any other phone could only receive the email without any attached documents. Intel also ensured that no device can get into the system, but data can be pushed into the device.
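The tiered rule described above can be expressed as a small policy check. This is an added sketch, not Intel's code: the posture attribute names, the tier names and the sample message are assumptions, since the article does not list the actual security standards.

```python
from dataclasses import dataclass
from email.message import EmailMessage

# Assumed stand-ins for "certain security standards" (not listed in the article).
REQUIRED_POSTURE = ("encrypted", "passcode", "remote_wipe")

@dataclass
class Enrollment:
    user_signed: bool       # employee signed the agreement
    manager_signed: bool    # department manager countersigned
    posture: frozenset      # posture checks the device currently passes

def access_tier(e):
    """Return 'none', 'mail_only' or 'mail_and_attachments'."""
    if not (e.user_signed and e.manager_signed):
        return "none"
    if all(check in e.posture for check in REQUIRED_POSTURE):
        return "mail_and_attachments"
    return "mail_only"

def render_for_device(msg, tier):
    """Build the copy that is pushed to the device; None means nothing is sent."""
    if tier == "none":
        return None
    if tier == "mail_and_attachments":
        return msg
    out = EmailMessage()
    for header in ("From", "To", "Subject"):
        if msg[header]:
            out[header] = msg[header]
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body else ""
    withheld = len(list(msg.iter_attachments()))
    if withheld:
        text += "\n[%d attachment(s) withheld by device policy]\n" % withheld
    out.set_content(text)
    return out

def sample_message():
    """Constructed sample mail with one attachment."""
    m = EmailMessage()
    m["From"] = "sales@example.com"
    m["To"] = "manager@example.com"
    m["Subject"] = "Daily sales"
    m.set_content("Figures attached.")
    m.add_attachment(b"constructed,data\n", maintype="application",
                     subtype="octet-stream", filename="sales.csv")
    return m
```

The server decides the tier and pushes a rendered copy, so a lower-tier device never holds the attachment at all.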
To Intel, consumerisation is productivity, efficiency and flexibility. When Intel embraced consumerisation of IT at the beginning of 2010, 3000 employees signed up immediately. Towards the end of 2010, 20000 employees had signed up to the policy. This was a success story.
How do you handle personal appliances in the workplace?
With the growing integration of the mobile phone into business operations and the increase in mobile workers worldwide, the trend of consumerisation is here to stay. The security environment for company data today is complex because data is no longer contained within the walls of a business, but ends up on the users’ personal devices.
What enterprises need most is control of valuable data. Therefore, a company can install a centralised policy that is auditable and scalable. “Putting simple access control to data is one way of maintaining control over information,” says Flora Kinuthia.
McAfee recommends certain steps for preparing for consumerisation. First is to deploy host and network anti-malware to reduce infections and protect company systems, along with a firewall and network intrusion prevention system (IPS) to control traffic to and from key assets. Next is to enforce remote encryption and wiping of information and applications for company-owned smartphones and other mobile devices. This will protect data in case of theft.
McAfee recommends the use of network access control (NAC) to ensure employee-owned devices have proper security tools installed and are otherwise compliant with IT standards prior to accessing the network. NAC can control guest devices and other unmanaged endpoints and ensure they have limited ability to access resources or infect your network.
An alternative is to use virtualized desktops (VDI). With VDI, McAfee states that employees can access company applications and data on personal devices, but the application infrastructure and data remain on corporate servers behind the firewall.
CIOs can also implement encryption for information at rest and in motion. If a remote device falls into the wrong hands or a transmission is intercepted, encrypted information is unusable. Note that while this strategy is practical for company-owned laptops and employee-owned smartphones, it’s difficult to enforce data encryption on employee-owned PCs and Macs.
McAfee proposes a relatively new development called “PC on a stick,” in which thumb drives (USB drives) or memory cards store a customized interface or launch pad, user-selected applications, and data. Users can carry this computer-on-a-stick to any public or shared machine, plug it in, and begin working with familiar tools and personalized settings. When the drive or card is removed, there is no trace of the user’s work left on the PC.
Another alternative suggested is to deploy integrated endpoint security with a centralized management console to ease the effort required by security administrators and enable them to easily manage all endpoints in the system. An integrated, centralized strategy is more efficient, more effective, and ultimately less expensive than deploying a series of point solutions.
McAfee is confident that if CIOs follow these recommendations and deploy a comprehensive endpoint security solution, it not only becomes possible to support the consumerization of IT with adequate and effective security, but that doing so yields some nice benefits for the company. The greater mobility of the workforce and the ability of employees to work from home can also lighten other expenses, such as office costs.