3 Ways Intel Gets Employees to Trust (and Adhere to) Their BYOD Security Program
November 21, 2013 by Taylor Short
While bring your own device (BYOD) policies can increase productivity and cut costs, they can also expose your company to risk if employees access sensitive corporate information on an unsecured device. Security features can reduce this risk, but they don’t often leave employees feeling more comfortable about the safety of their personal data. In fact, 70 percent of employees don’t completely trust that their employer will keep their information private, and are thus less willing to give it access to their device.
Intel is one company that designed a program that successfully addresses this challenge. Even with about 30,000 employee mobile devices logged into their system daily, this program keeps Intel’s important data secure, and does so in a way that fosters employee trust and adherence to security policies.
I recently interviewed Intel’s IT Senior Principal Engineer, Alan Ross, to learn what recommendations he has for other organizations looking to replicate the company’s best practices. Here are his top three suggestions.
Clarify What Information Can and Can’t Be Seen
Employee distrust in BYOD security programs often stems from a misunderstanding of what employers can and can’t access on their device. In fact, a recent study on the trust gap between employees and management regarding BYOD programs showed that people often overestimate employer visibility of their personal data.
“You need to communicate clearly and regularly with employees about what you can see and why you need to be able to see it,” says Clarissa Horowitz, senior communications director with MobileIron, a company that makes mobile device management solutions for IT departments. “Doing that, you’ll be able to build that trust level.”
Intel knows that its employees still get confused about what can and can’t be monitored on their mobile devices. This is because security monitoring can vary drastically depending on where the employee is using the device, their position within the company and how the device is configured.
To mitigate this confusion, Intel maintains a detailed list of frequently asked questions about BYOD coverage on the company intranet. The company also trains IT service desk personnel to answer questions about BYOD monitoring. Employees can contact these personnel via a 24/7 phone support line, which typically helps users within minutes.
Let Employees Control the Device Implementation Process
Another reason employees often distrust BYOD policies is a lack of control in the implementation process. If they want to use their personal device for work, there’s often only one choice for the level of security monitoring and for the services or applications they can select.
Instead of this all-or-nothing approach, Intel allows employees to choose from several security level options. Higher levels of access to corporate information require greater security measures, while lower levels require less monitoring, so employees can decide just how much access they want based on what they’re comfortable with.
These options, called “trust tiers,” offer five levels of access: public, slightly confidential, basic, intermediate and managed equivalent (shown below).
Intel’s Trust Tiers (from Intel’s BYOD whitepaper)
Ross says the trust tiers came from a sort of “aha moment” regarding the company’s security programs. “We aren’t just doing it for security, we’re allowing people to make their own choices,” he explains.
Intel also allows employees to control how their device is set up. Using a simple online portal, they can register their device from any location, at any time. This portal can also be used to choose the services and applications they want to access, which can later be adjusted if needed.
Once the employee’s manager approves the chosen access level (which is also based on factors such as region, position and job responsibilities), the services are automatically delivered to the device through a web application gateway. The employee then receives an email with instructions on how to configure these new services.
This approach puts employees in control of the implementation process from start to finish. They quickly become aware of what their specific device can and cannot do, and with the help of IT support, feel more comfortable using it for work.
Create Separate Spaces for Personal and Company Data
Intel also reassures employees that their personal information will stay private, and gains their trust, by creating separate spaces on BYOD devices for personal and work data. This allows employees to literally see what corporate can and cannot access, and prevents information spillover.
This is achieved in one of two ways: by using a partition, which creates an isolated space on a device’s hard drive that is only used for certain data, or by creating a data container. Like a data container, a partition is usually encrypted and can be remotely deleted. Data containers can be used to separate corporate emails, applications, content and other data, and appear as application icons on the screen of the device. Employees access them by clicking the icon and logging in with a secure username and password.
Data containers are created through a management console and are automatically generated during the device implementation process. Users then download software to access these new spaces and are given instructions for setting up and using them. Due to the variety of devices and operating systems, Intel uses several different programs to create these containers.
Trust: The Key to a Successful BYOD Policy
Despite all of the safeguards and technical security features in place, Intel’s entire BYOD policy would collapse without employee trust. Today, the company transmits more than 2.5 million emails via personal mobile phones each year, making employee trust more important than ever. Ross attributes the success of the program to the training and security measures in place, as well as the cooperation of employees.
“To us, trust is something we reinforce through training,” Ross says. “We think that security is something that needs to start with the employee.”
Thumbnail image created by Michael Coghlan.