BYOD is evolving for a cyber-conscious age

Bring-your-own-device policies were envisioned as a way to save money during a time of budget cuts, but policies are pivoting as government gets increasingly security conscious.


Mobile devices have been a staple of the federal workplace for years, going back to the days when everyone relied on BlackBerries to bang out email when away from the office.

The smartphone world looks quite different today. Although a few diehards still refuse to surrender their BlackBerries, iPhone and Android devices dominate the landscape. And increasingly, employees would rather use their own devices at work than carry a personal and a work phone.

The bring-your-own-device practice has gained ground at the federal level, but it brings a mix of issues with which CIOs and other IT leaders must grapple. Experts caution that agencies have serious security matters to consider before throwing open the doors to mobile access to key assets.

Kimberly Hancher, former CIO at the Equal Employment Opportunity Commission, helped craft the White House BYOD policy in 2012. That document outlines a broad set of guidelines that agencies can use to establish the proper parameters for mobile access. Yet four years later, she said, there aren't enough clear policies at federal agencies.

"I don't think most agencies are really undertaking the effort and due diligence to address BYOD policy," she said. "They're just sort of letting people do whatever they can get away with, and very few agencies have actually put formal policies in place."

She points out that there are consequences to that approach. "If the agency doesn't undertake due diligence to create the rules of behavior for bringing a device, then people will simply do it and put agency data at risk by doing so," Hancher said. "It's really important to state the policy [and] put the security measures in place if you're going to allow some BYOD. And if you're not going to allow it, you should make that decision and say [that] until further notice, it's not allowed."

Hancher, now a principal at Deep Water Point consulting firm, said agencies must decide whether a BYOD program makes sense for them and then determine which devices to support and what types of security to use.

The fundamentals

Many agencies have a BYOD environment and don't even know it. According to research by mobile security company Lookout, nearly half of federal employees access work email from a personal device. Furthermore, nearly one-quarter send work-related documents to their personal email accounts, and 17 percent store work documents in their personal cloud storage service.

With teleworking making such activities common, the National Institute of Standards and Technology issued a report in March that outlines some best practices for teleworking and BYOD security. Among the recommendations:

  • Use mobile device management software, which allows agencies to containerize particular data and wipe it, when necessary, without affecting the user's personal content.
  • Require employees to stick to approved application stores and tell them not to root or jailbreak their devices to avoid threats from nonsecure networks or apps.
  • More broadly, NIST concluded that agencies must create clear-cut policies describing what's allowed and what's off-limits when it comes to email, documents and other government data.

The hurdles

The biggest driver of BYOD policy is security, said Tom Suder, president and founder of Mobilegov. Suder, who regularly advises agencies on mobile device strategy, said security and the corresponding legal issues are leading the discussions.

"The biggest issue to this day is legal," he said. "What happens if there is data spillage on a personal device and by policy I have to destroy the device? Who pays for it? Do I get to keep my phone number? What rights do I give up if I agree to a government BYOD policy?"

Such issues must be spelled out in a policy, he added. If they're not, employees might be reluctant to allow critical information to be stored on their devices.

He said containerization solutions such as Samsung Knox and Good Secure EMM Suites can segment the government data from the rest of the phone. Another option is Hypori, a startup that uses virtualized app technology to access sensitive information without actually storing it on the device.

Some agencies are issuing guidelines that set boundaries and tell employees what they are allowed to do with sensitive information and how to access work email on their personal devices. NASA, for example, is managing several projects that will facilitate the use of personal devices for varying levels of network and system access, according to an agency spokesman. Although those projects have not reached the user testing or trial stage, employees are allowed to use personal mobile devices to connect to the agency's email system via Microsoft's Exchange ActiveSync, where a set of security requirements is applied.

"NASA's mobility vision...states that NASA personnel 'will be able to securely and seamlessly access and share any authorized information, anyplace, anytime, using any device,'" Enterprise Applications Service Executive John Sprague wrote in a newsletter published by NASA's Office of the CIO in late 2013. "The aim of NASA's mobility vision is to provide services while protecting sensitive data."

He added that participation in the BYOD program is voluntary, and NASA will not compensate employees for the costs associated with using their personal devices for work. Furthermore, participating employees must use lockout code protection and keep their devices up-to-date with the latest security patches.

Although a key appeal of BYOD for agencies is the savings that come with not buying devices, the endeavor is hardly cost-free.

"It saves money if you replace a company phone, but it's not a cost of zero," Suder said. "You still have the licensing fees from mobile device management, the company doing the containerization and any costs that come from additional security measures."

The challenge for IT leaders is determining whether or not to embrace BYOD and, if so, how to craft a policy. BYOD doesn't make sense for every agency. But the fact that so many employees are creating their own shadow networks means that all levels of government should have some type of policy that explicitly states the expectations.

Hancher, who helps federal agencies craft BYOD policies, has a three-part test that should serve as the foundation for any BYOD initiative:

  • Does your agency deal with classified data?
  • Do you have sensitive personally identifiable information? This is usually less secure than classified information but can include important details such as Social Security numbers.
  • Does your agency, as part of its mission, handle information critical to the infrastructure of the country? This could include data about the energy grid, water sources or other information that terrorist organizations would deem valuable.

A "yes" answer to any one of those questions can complicate the task of crafting a workable approach, Hancher said.

Next steps

Some agencies might determine that BYOD is not appropriate, but that doesn't mean IT leaders should consider the matter closed. Instead, it means the agency should formulate a policy that states why BYOD isn't appropriate and details the expectations for how employees treat government data.

"I would want to be clear with my employees that we do not allow BYOD, we do provision for people in these kinds of jobs, and that's it. Or we do allow BYOD and here are the rules," Hancher said. "It's critical to be clear with employees what you do and don't allow under certain circumstances. I don't think most agencies have done the proper due diligence and made employees aware of what the policy is."

And although the focus of much of the debate has been smartphones, it's worth noting that the discussion extends to tablets and laptops as well. In general, Suder said, agencies that want their employees to have a tablet or other mobile tool, such as the Surface Pro 4, are providing those devices. He cited the departments of Defense and Agriculture as examples.

"On the tablet side, Microsoft is doing well because the Surface Pro 4 is really the next generation of your laptop as you can also use it as a tablet," he said. "I see a lot of those, but of course, a lot of folks are still using the iPad for its ideal form factor."

Whatever the device, managers and employees must know what the expectations are, even if BYOD isn't allowed. There is too much critical information at stake to ignore the issue.
