With BYOD comes responsibility — and many firms aren't delivering

Apple deployments are accelerating across the global enterprise, so it’s surprising that many organizations don’t properly recognize that change. Even when companies put Macs, iPhones, and iPads in the hands of their employees, they are failing to manage these deployments. It’s quite shocking.

That’s the biggest take-away from the latest Jamf research, which warns that almost half of enterprises across Europe still don’t have a formal Bring-Your-Own-Device (BYOD) policy in place. That’s bad, as it means companies have no control over how employees connect and use corporate resources, creating a nice, soft attack surface for criminals and competitors alike.

There were additional findings that should be considered by any enterprise allowing employee devices to access corporate resources, particularly as most businesses are quickly embracing hybrid tech infrastructure.

They reveal increased security challenges, fading budgets and a large amount of duplication and inefficiency in the existing systems for device management.

Jamf surveyed more than 100 organizations attending events it held across Europe to get to these conclusions. Almost half (43%) of those surveyed felt that they face more compliance-based security concerns this year versus last year, even as 53% of enterprises seek to cut security/IT costs.

One way they may be able to cut costs might be to do a better job of harmonizing existing contracts. It looks like two-thirds (67%) of enterprises use up to five separate vendors for management and security across all device types. Not only that, but there seems to be some weird divide between organizational departments, with 57% of them having separate teams to handle device management and security.

In the context of today’s hybrid workplace and multiple devices and operating systems, it’s hard to see why some business users impose that difference — it’s a hangover from a less integrated era of IT.

As an aside, I spoke with outgoing Jamf CEO Dean Hager recently, who explained how device management has evolved. “The reason you’re buying all this stuff is to make sure that you have trusted access. And none of the patchwork of solutions that existed at that time could do this alone,” he said.

BYOD schemes can save company cash, but the real benefit is seen in the productivity, loyalty, and commitment benefits unlocked when employees gain this kind of autonomy. Still, in today’s security environment there are risks that must be managed rather than ignored.

It isn’t really enough to rely on the legendary security benefits of Apple’s platforms – Apple recognizes this, which is why it works so closely with security researchers to identify flaws in those systems.

It’s also why it developed a mechanism for rapid security response to threats. There is no such thing as 100% secure, which means enterprises that fail to consider security and device management leave themselves — and their partners — vulnerable to attack.

In a statement, Michael Covington, Jamf’s vice president for portfolio strategy, said:

“While it is easy to get swept up in the positives surrounding ‘anywhere work’ programs that empower employees to work remotely on their own schedule, from any location and from any device, organizations need to examine the associated risks and decide how to manage them.

“It’s important to have a clearly documented BYOD policy in place to take advantage of these benefits, but the good news is that the technologies are now available to effectively manage risk in these environments.”

No surprise Jamf makes such technologies, but the company warns business leaders that it isn’t just enough to just begin using them;  the approach must be planned.

Management must learn and share the benefits of these systems, make it crystal clear how data will be handled, and put protection in place to ensure personal data remains personal. Communication is critical here.

It’s also critical in securing the inevitable weak point of any form of security protection — the users themselves. With that in mind, companies should invest in training staff in security awareness and encourage them to update devices as and when those updates appear.

Companies should also set standards — and devices that don’t meet those standards, in terms of security protection, should not gain access to corporate systems. This is all common sense stuff, really. We know the security environment is extremely challenging — even police forces are regularly hacked.

In that context, it makes total sense to think about how to manage the devices connected to your systems and to put in place the software, security, and user education it takes to protect your business environments. The cost of device management is relatively negligible compared to the consequences of a successful ransomware attack, after all.

With this in mind, it’s surprising so many European — and, by inference, global — businesses seem so poorly protected.

Please follow me on Mastodon, or join me in the AppleHolic’s bar & grill and Apple Discussions groups on MeWe.

http://www.computerworld.com/category/security/index.rss