As part of a series of articles we started on this blog last month on the impact BYOD (Bring Your Own Device) policy is having on workplace learning and development, I spoke recently with Paul Hill, Senior Consultant for SystemExperts, an important network security consulting firm.
Paul Hill has worked with SystemExperts as a principal project consultant for more than twelve years assisting on a wide range of challenging projects across a variety of industries including higher education, legal, and financial services. Previously, he was a member of the IT Department of the Massachusetts Institute of Technology, and is recognized as one of the industry’s foremost experts in Microsoft technology. Paul was responsible for the evolution of MIT’s identity services. He led the project to design, deploy, maintain, and support MIT’s Shibboleth infrastructure and MIT’s central authorization management system, known as Roles. The support included consulting with business teams on campus, working with multiple teams to improve and enhance MIT’s LDAP system, and to improve and streamline the provisioning of new hires and new students.
Paul was kind enough to let me know his thoughts on the increasing adoption of BYOD policy in businesses of varying sizes and fields, and the impact that is having on employee training. I would love to hear your thoughts in the comments section.
“In my experience employee training has been one of the business drivers that introduces tablets into some organizations. Employees have indicated an interest in using tablets to review training materials and many training managers have responded well to the feedback. Typically an initial pilot program will use company owned and managed devices, temporarily loaned to employees for the purposes of training. It is not unusual for the training managers to find that the response is overwhelmingly positive and user demand quickly outstrips the capacity provided by the initially purchased company owned devices. That often leads to a discussion about BYOD. One could say for many organizations, training is the application that gets the camel’s nose into the tent when it comes to BYOD.
For many industries, the material contained in training material may be extremely sensitive. Consider the training material addressing security and IT risk management for a company in the financial services sector. The material may reveal the current threats that are of the most interest at the present time. It may reveal how the company responds, specific email addresses, roles, responsibilities, and phone numbers. All of this might be useful information for an attacker launching a spear phishing attack. For other industry segments, training materials may reveal valuable intellectual property.
In such situations, the organization should determine what level of protection is necessary and what the implementation strategy will be.
Some organizations may decide to avoid BYOD device management, and instead concentrate on managing access to corporate content. This may work by avoiding storage of the training material on the device. However, with this approach employees might need WiFi access during the review of training materials.
The other strategy gaining the most attention in the circles of regulated industries is the use of granular device management, and containerization. By using containerization, data can be stored on the device, but the employees will be prevented from transferring the content to other parties or services. This scenario is highly desirable if there is need for the employees to be able to review the training material while offline.
In order to make an informed decision about BYOD, decision makers need to understand the nature of the information and how it relates to corporate data classification and data handling policies. They also need to make decisions about usage patterns. Then they can work through the issues of specific device management strategies and review the options available.”