Features: June 28th, 2013

The use of personal devices such as smartphones and tablets while on holiday has led to the appearance of another new word – ‘workation’. Using personal devices in this way has many advantages, but there is a downside. Alan Laing looks at the security and network protection risks that now confront organizations.

Nowadays, it’s very rare indeed that people going on holiday don’t find themselves checking in to work on a daily basis. A few years ago, they might have been using a laptop to have a quick look at email in the morning and evening. With the advent of smartphones, it also became much easier for them to call back to the office (or to be called from work).

The arrival of the Blackberry and the explosive growth in sales of smartphones fuelled by Apple’s iPhone and Samsung’s Galaxy essentially provided people with a combination of phone and computer. Now, everyone is able to read and reply to emails, make phone or video calls and check the Internet on their own devices.

The ability of employees to use their own personal devices, particularly smartphones and tablets, to access the network, is known as Bring Your Own Device (BYOD), a growing phenomenon with many organisations seeking to incorporate employee-owned devices into their networks.

A culture is emerging here: people are armed with technology and feel happy to use it to stay in contact with work on a daily basis. At the same time, employers are fully aware that their employees are now contactable whenever and wherever they are when they’re on holiday (as well as when they’re working).

The trend is becoming so pronounced that it has even acquired its own term: workation (working on vacation). While the idea of working on vacation doesn’t sound like fun, it does provide much more flexibility to employees and employers with their holidays. At Christmas, for example, offices were able to close down (rather than force staff to sit at their desks and play Angry Birds) as employees opted to take workations.

Managers are also becoming more lenient with holiday request conflicts because a workation can provide cover. It can help families manage school holidays and enable business owners, management teams and workaholics to get away from the office, even if they don’t fully switch off. No wonder then that, over the summer, millions of people in the UK will fly off to sunnier shores, many of them on a workation.

The risks of workation

But while workations can make life easier for everyone, there are issues that need to be considered by employers to make life easier for the business. How do they ensure that the mainly personal devices employees are using to access the network don’t cause security problems? And how do they provide up-to-date access and sync changes when they happen without inadvertently letting personal data onto the network?

If they allow employees to connect to corporate email, for example, employers become responsible for management of the information and content that enters the network from employee devices and for what leaves the network to those devices. This brings legal implications. For instance, what happens if a male employee has personal pictures of his partner on holiday, taken and stored on his phone, and the images get synced and backed up on the network? An organisation needs to minimise the impact on its reputation and on other employees, so this is the kind of area where it needs to exercise some control. But applying a corporate strategy to a non-corporate-owned device is very difficult to do. Will employees be amenable to employers stopping them from using their own phone’s camera, for example?

In terms of providing access, what happens if someone on holiday in a completely different time zone needs to respond to an urgent query that requires a file to be emailed to them from the office? Can it really wait 24 hrs? How do they get to the document if there’s nobody available to send it to them?

And when it comes to the devices themselves, there are also issues associated with employees accessing the network with a plethora of devices that have varying security levels and features. Some older Android devices, for example, run operating systems that are not very secure. The best way to address this concern is to conduct regular security audits to check devices connecting to the network and to ensure the employees using them are treating confidential data reasonably.

Building in security

There’s a lot more to BYOD and workations than allowing an employee to use a device, be it an iPad, Galaxy or other smartphone or tablet, to access the network remotely. If organisations allow personal devices onto the network, they need to ensure they do not compromise the security and integrity of their networks. To protect their networks, they need to look at areas such as auto-configuration, data containerisation and secure tunneling to protect data and give IT teams the policy and security controls they need.

By the same token, they need to make sure employees on workation can work well and efficiently with their tablet or smartphone if required. The best way to achieve this is to integrate their devices more tightly with the existing infrastructure and provide the same level of secure and managed access to files and content on enterprise file servers, SharePoint and NAS storage that users would experience with a laptop or desktop.

Some vendors are already providing secure mobile app and device management products for organisations implementing a BYOD policy or seeking to increase the mobility of their workforce. Others are offering secure mobile file management (MFM) products to help them provide users with access to enterprise files and content. Some have moved a step further by integrating mobile app and mobile device management (MDM) with MFM, allowing organisations the prospect of strengthening and standardising mobile app security and compliance and the ability to configure apps from a central location.

MDM and MFM are particularly important solutions for organisations wishing to allow BYOD and workations. Employees enroll any personal device that accesses the network into a corporate MDM system, which is combined with a secure MFM system to automatically ensure secure access to corporate email and files. This manages the restrictions and policies that need to be applied, such as the requirement of an unlock code to access the device, secure and role-based access or blocking of a certain device from entering the network at all.

MDM will also help lessen the damage caused if a device is lost or stolen because it can erase sensitive data remotely. In addition, it gives an organisation the ability to define a list of approved apps for business use and control file access strictly but efficiently.

To get the best out of MDM, it should be integrated into a central network management tool to allow for continuity across the administration of the network and ensure a level of monitoring that meets any compliance regulations. It also lets the administrator know the exact details of a device accessing a file at any given time.

Solutions need to be easy to use, otherwise employees will opt for readily available unsafe consumer-grade alternatives. With the right solutions, organisations can manage file access securely while synchronisation and file sharing can be managed by the IT department. The ideal solution would include enterprise-grade security, guarantee all updates to files are sent back to the organisation’s servers and ensure they are part of its backup and archiving routines.

Protecting the network

With a dispersed workforce accessing the organisation from anywhere and everywhere (where are you going on your holiday this year?), the network becomes more and more complex to protect, so administrators need to ensure a quick recovery of IT resources is possible with very little impact on the business operations in the event of failures and problems. Every organisation should plan for the worst with a comprehensive business continuity plan.

A unified backup and recovery platform that can protect data on any device anywhere in the organisation needs to be in place to support it. Inevitably, employees will lose or break their personal device at some point or another. The chances of this happening are even higher when they’re on holiday. A plan should be in place for reporting incidents so IT can wipe sensitive data from the device and deny it access to the network.

By putting the above measures in place, employers can have some assurance that employees taking workations will be able to contribute to the organisation as and when required without introducing risk to the network.

Alan Laing is VP EMEA at Acronis.