BYOD Keys to Success for State & Local Government
State and local government IT departments are pressured on a number of fronts to meet greater demand as the digital transformation continues to boom at all levels of government. These pressures include the need to incorporate the latest smartphones and tablets to create and access information, accommodating a growing range of mobile devices employed by government workers, peer agencies and the constituents they serve.
The push for BYOD
With the growing prevalence of mobile devices (smartphones and tablets complementing or supplanting laptop computers), many state and local governments are acknowledging the value of a bring your own device (BYOD) policy.
From a generational perspective, baby boomers are entering their retirement years, opening state and local leadership roles for Generation X and millennials. Workers from these generations tend to embrace new technologies, often employing the latest devices for their personal and professional use.
4 guidelines for successful BYOD rollouts
Meeting demand for mobility, early adopters of BYOD programs have found solid ground by following these four guidelines:
- Establish a security mindset that acknowledges the challenges inherent to mobile devices while realistically and effectively mitigating as many risks as possible. For example, some state and local governments might choose to limit the initial range of devices to one manufacturer or operating system. This way, they can expand worker options in a controlled setting — supporting every platform and device would be an impossible task for any IT department.
- Clearly define BYOD policies and obtain strategic buy-in from officials who champion the changing culture. Well-defined and consistently communicated rules and expectations ensure workers and their managers engage with BYOD programs with security and technology limitations in mind.
- Automate device enablement and security whenever possible. Obtain resources specific to mobile device and application management and security. This includes tools and systems that grant IT leaders visibility into the expanding IT ecosystem and control over endpoint security to protect technology housing government information.
- Implement data loss protection methods. While the devices themselves have some value, they pale in comparison to the sensitive data they grant access to. Focus on tracking and setting up security measures to guard data as it moves from the network core to the edge and back. Ensure that almost no data is stored on the mobile device itself.
While these tactics have proven valuable as municipalities embrace BYOD programs, each state and local government organization needs to define the limits of what it can securely support. Since about 70% of connected IoT devices lack fundamental security safeguards, cybercriminals are gaining additional intrusion vectors. Finding trusted advisors to align technology trends and security capabilities to specific agency missions is critical to successfully planning and deploying a bring your own device policy.
Managing device risk for government IT solutions
While it is widely recognized that the most important asset of any organization is its people, it is also true that those same employees and staff are a commonly attacked entry point. The federal government spends about $1.2 billion annually on about 1.5 million mobile devices and associated services. As mobile device adoption also increases in the public sector, platform management and policies become every bit as important as firewalls and secure networks.
High-profile data breaches are increasingly common, costing an average of $4 million in damages, putting IT infrastructure under intense (often political) scrutiny. With the number of break-ins and the damage they cause on the rise, IT departments are forced to perform a high-risk balancing act: driving more data, accessibility and capability while mitigating their agencies' or constituents' vulnerability.
A 2016 survey of IT security specialists in the United States found that 56% of respondents believed BYOD practices were at the heart of endpoint security breaches.
Inevitably, BYOD and mobile networking will expose state and local governments to new security breaches. IT managers delivering new mobile devices must plan to mitigate increasing risks of data theft, fraud, insider threats and privacy breaches. Unfortunately, such security plans negatively impact agility and increase maintenance burdens and IT costs, adding another layer to the existing challenges of IT services.
With mobile devices, security concerns expand beyond pure data management to device management. IT leaders must ask, "How do we secure mobile devices so that if someone leaves their device at a restaurant or friend's house or coffee shop, that device's information and network access is not compromised?"
As the number of foreign-owned device manufacturers increases, supply chain security also becomes a hot topic. Agencies are wise to vet technology vendors, asking: “How do you secure your supply chain?” Agencies need to ensure the security of network devices from manufacture through installation and deployment. They must also combat instances where something embedded into the hardware or firmware of the device may present a security compromise. Therefore, device discovery needs to include a supply chain element that defines and tracks the logistical path of hardware, software and applications along their entire lifecycle.
Here again, an understanding of the missions served by state and local government IT teams requires a holistic and comprehensive security mentality that spans far beyond the firewalls of the network. Device risk management must peer back to the hardware vendors of such devices, as well as forward to their deployment for a mobile workforce and constituency.
This article originally appeared on September 1, 2016, and has been revised to bring our readers the most up-to-date technology information.