BYOD: The Risks and Rewards

As the mobile revolution continues to take shape, insurers and many others are faced with new challenges related to the plethora of devices and platforms available to consumers.

By Ara Trembly

Specifically, carriers, brokers and agents must decide whether or not to allow employees to bring their own devices to work, and whether or not such devices should be allowed to interface with the corporate network.

Since our industry views just about everything in terms of risk and reward, the question becomes: How do we evaluate the impact of many different devices within our walls and inside our systems under a BYOD (bring your own device) policy?

Avoid a Legal Black Hole (04/12/13)
Technological Obsolescence (05/01/13)
Part 3: Big Data Masters (04/12/13)
Defending Your Networks (04/12/13)
Excess and Surplus At the Ready (04/12/13)

Allowing employees to enter the building with their own portable computing devices seems harmless enough, unless those employees decide to do company business on those devices, regardless of whether or not they access the network.

While it is unlikely that unconnected devices will offer unauthorized access to the network, company business done via these devices may still contain confidential information that could easily be stolen. Let's not forget that security on wireless devices is notoriously poor, and it doesn't seem to be getting any better.

Prohibiting personal portable device access to the network may make sense, especially if the organization is not of a mind to purchase and distribute its own wireless devices. Thus, one solution is simply to ban the use of such devices within the corporate walls, but given their ubiquitous nature, it seems unlikely that such a ban would be effective.

Some organizations, however, believe they will gain efficiencies (and save on hardware costs) if they simply allow employees to use their own devices for business purposes. That brings us to our second decision -- to allow (or not) access to the network on the personal devices of employees.

It is no surprise that employees might want to be able to transact company business on their own iPads or smartphones. Security becomes a far bigger challenge, however, when information technology must find a way to integrate any and all devices within the network. IT departments at most insurance organizations are already overburdened by short staffing (remember the recession; it's still here) and a pressing need to devote time and resources to growing the bottom line in a very competitive insurance marketplace.

If employees are allowed to use their own network-connected wireless devices, that presents a serious security issue that IT departments will be forced to address. Does information technology have the resources to make such access possible while still maintaining a reasonable level of security?

The answer will be different for every insurance organization, and the real question is: How do we protect our precious networks, systems and data from what will literally be hundreds, if not thousands, of points of vulnerability?

Of course, the information technology department could take that on as a project, especially if the organization is small, but in larger places, the work could be daunting, and it might be never-ending as new devices and form factors continue to be marketed and bought by our dear employees.

This problem seems to have spawned an entirely new industry that is dedicated to helping enterprises safely integrate personal devices with their networks.

The real problem: How do we pay for this?

ARA TREMBLY is founder of Ara Trembly, The Tech Consultant. He writes about insurance and technology, and can be reached at riskletters@lrp.com.

October 11, 2012

Newsletter Sign-up