BYOD SCOPE: A Study of Corporate Policies in Pakistan
Dr. Zahid Anwar, Shuja Ahmad, Haris Javaid, Muhammad Arslan Ejaz
Abstract--- The BYOD model is used to enhance
productivity by recommending that employees stay
connected to the organization’s network 24/7. Several
major information-security issues must be considered
by the company’s IT department, which must assure an
extreme level of data protection, operability, and
efficient manageability. BYOD can give efficient,
easily accessible, satisfying and instantaneous
results; but without the right policies,
organizations can incur unwanted risks. Data
security breaches have been an issue for years, and
the risks are still increasing day by day with the
growth in mobility and variety of devices.
Currently many organizations in the world (a few in
Pakistan) are using BYOD. As these devices are
increasingly used in organizations, and as companies
provide smart devices to which users can easily add
any desired application, conflicts arise. Who owns the
applications on separately owned devices? Is there
any restriction mechanism? And if the user leaves the
company, what will happen to the device? We
describe the prominent policy features and the
data breaches that have occurred against those
features.
I. INTRODUCTION
Bring your own device (BYOD) can be
defined as the rules and policies by which
employees are allowed to use their personal devices,
for example smartphones and tablets, in their offices.
They can use these devices to access the
organization’s information and applications that are
available to them. The term is also applied to
students in the education sector. Some people believe
that with BYOD, employees are more productive because
it grows the employee’s self-confidence and ease of
access by letting them use their own smart devices,
and makes them think that the company is flexible. It
creates a challenge for the management of the
organization, with a lot of involvement beyond the IT
sector. Although many may not know about it, some
employers are able to track all the activities of
their employees, i.e. locations during working hours
and applications they have installed, and to view or
delete their personal data. The Adaptive Mobile [1]
study reported a survey conducted by Harris
Interactive [2] that targeted two kinds of audience,
users and IT decision makers (1,000 IT decision makers
and 1,000 employees): 83% of staff would stop using
their own device, or use it with deep concern, if they
knew their employer could see what they were doing
all the time.
There are some important questions like
“Who will be the owner of the data?” or “Does the
company have the ability to remove some or all of
the data on a device in case of security concern?”
Mobile devices, specifically smartphones, are present
everywhere. Because of this, businesses are now
starting to develop "Bring Your Own Device" policies
to allow their employees to use their smart devices
and stay connected to the organization. However, there
are some notable attacks and obstacles to getting the
most out of device resources; it is difficult to trust
these devices with access to critical information
relating to a particular owner. If an organization is
going to encourage a BYOD policy, it needs a lot of
security discipline and staff to manage the
environment 24/7. So it needs to design a set of
rules (related policies) to ensure security in the
implementation of this model. But most of the time
companies have no policy, and as a result they suffer
breaches of sensitive information.
Our analysis showed that companies with
bad policies and no deep concentration on BYOD
must face a data breach within no time, as
technology is evolving day by day and new
technologies and new opportunities are emerging very
fast in the IT world. We analyzed some breaches
that occurred in these specific organizations, and
they showed the weaknesses, faults and problems within
the policies of the model. If we make a comprehensive
policy that covers solutions to the maximum number of
problems that may occur in the company, we can protect
our crucial and sensitive data while making full use
of BYOD. In the next sections we suggest and
explain what points and rules must be in the
policy to best avoid data breaches. Our concern is to
find all the possible answers to the key questions
related to the present model. We specifically focus on
the key components, i.e. familiarity, awareness of
employees engaging, application and information types
accessed, formal company policy, mobile device
management, employees’ data security, importance of
security, benefits, recovery responsibility and all
the risks related to the model. In section 2 we
describe the work done by other authors.
II. RELATED WORK
Antonio Scarfo described in his paper [3]
a security experience of BYOD (Bring Your Own
Device): it is a different habit that presents an
opportunity as well as a challenge for
organizations. The challenge leads to some critical
risks. A smart device used for both work and
personal activities causes new security issues that
IT companies have to face. The security
models summarized by the author follow two
approaches: hands-on devices and hands-off devices.
The hands-off approach is effective if there is a
concept of virtualization where the daily
operations are done by the employees themselves, in
virtualization style. On the other hand, the hands-on
approach (e.g. MDM) is based on complete control of
these smart devices, allowing the organization to
control, monitor, and manage data, installed software,
application settings and network usage, together with
the utilization of the devices and the behavior of the
end users.
From the BYOD perspective, end users are
comfortable with the first approach because of its
ease; however, in the future this approach might
integrate some key features of MDM to gain more
security benefits for the company. The relation
between policies, roles and the legal
agreement between companies and employees
should be counted as an important issue. Finally, the
most important thing is: if an enterprise wants to
accept BYOD, its acceptance style should be simple,
easy and friendly; the necessary rules and elements
should be enforced only in hard situations, and
employees should be left free to choose their devices
by considering the right kind of tasks, roles, and
operating knowledge. An IT delivery model can be used
to provide these sorts of things.
Ruth Lennon briefly described in his paper
[4] that IT managers all over the world must
change their attitude towards today’s workers
and learners. The more advanced point of view, to
upgrade to bring your own device with high
resources on the cloud, seems assured. However, with
the increase in mobility and flexibility in IT, BYOD
users need to re-evaluate their attitude toward the
security of their own devices and the resources they
use. The author mentions a
determination of business users’ attitudes towards
using BYOD for business. He also describes the
results of a survey of business users’ attitudes
towards resources stored on the cloud. In the end,
some suggestions are made regarding the help
that should be given to users to prevent
security risks in BYOD and the cloud. The brief
analysis above indicates the general lack of
knowledge of system users as to the risks
surrounding the use of personal devices such as
laptops. Due to lack of security in applications used
in BYOD the users’ general trends have small
amount of information. According to this, it is
absolutely necessary to conduct education and
awareness programs for the users of
BYOD and cloud systems so they can mitigate the
security risks of such systems.
Another BYOD-related paper [5] showed that
trends in the analysis and technology of
information systems development strictly indicate the
frames known as cloud computing. The cloud brings
certain advantages as well as challenges for
information systems. System security is very
important, so it requires more care and more attention.
There are some general problems, meaning they are
in any case equal to the main business function for
which that particular IS is being developed. For
decades the real treatment of activities known as
eLearning has required additional reflection in
education. It should be handled as a system with all
its functionalities and additional specificities.
Independence of location and time of realization
provides an additional possibility: integrating the
user’s personal equipment in eLearning. In practical
information science, BYOD supposes that smart
devices help final users reach
their business resources. This paper examines the
readiness of students and teachers to adopt such
teaching modes.
The fast development of information science in
all its fields has been accompanied by frequent
modifications of the paradigm used in information
systems development. Specificities of the connections
between business and information systems are a
necessary consequence of these modifications,
especially due to the influence of mutual changes in
the mode of business organization. The BYOD frame is
not dependent on the business itself, in the same
measure that a business can be independent in any
segment or form of the place and time of realization.
Since eLearning is proclaimed as location and time
independent, BYOD organization offers additional
possibilities. Primarily this could make the
educational process significantly cheaper, which is
the strongest recommendation for such organization.
Further research could pay attention to specific forms
of business such as eLearning or Cloud Computing. This
research has not insisted on a specific sort of
business or suggested any specificities of business.
This is supposed to emphasize the generic
possibilities of the BYOD paradigm.
Khoula Alharthy published a paper [6] in
IEEE that briefly discussed the security of
BYOD as the way to protect an organization’s network
against a variety of threats that come through mobile
devices and access channels. The author explains the
implementation of a security solution in a higher
education institution in Oman. This security solution
helps to protect network data from unauthorized
access, as well as controlling unmanaged devices,
namely smartphones and mobile devices. The research
follows these steps: literature review,
data collection, analysis, design of the network
structure with the suggested solution, and
implementation of BYOD security solutions, as well as
monitoring the network performance with the
implemented solutions to keep track of traffic flow
with high availability and security. This research
paper will help to facilitate the work of network
users by allowing BYOD, as well as increase the
network availability, ability
and security through 802.1x, CA and RADIUS.
The research presents a set of principles that
any organization should follow before implementing
the BYOD framework. As a consequence of these
principles one is provided with availability, usability,
mobility and security. A summary of all findings
listed through the research steps indicates
that the BYOD framework should be applied in
phases, which is not the typical case in other
systems, where the IT team configures the system and
then trains the users. Upgrading the network
infrastructure and adding a mobile VLAN, using
802.1x as encryption algorithms and supporting RADIUS
and CA for authentication, was only the first step of
implementing BYOD in the organization, and a few
more steps are required to achieve secure BYOD,
such as upgrading the storage capacity to handle
three times more data than it currently
can, and monitoring the wireless performance and
wireless bandwidth. All mobile devices such as
smartphones and tablets are now able to access through
wireless connection.
III. RESULTS
As the result of our survey in some organizations, we
found some interesting things about the model
implemented in those organizations. Then we
compared our results with companies in the
developed countries.
Employee’s awareness;
Fig.1 % of employees using BYOD
Fig.2 Aware of all employees’ access
Most organizations said they were aware of the
connectivity of the employees’ devices in the
network; 39% were not aware of the connectivity.
In comparison to the developed world, in Pakistan
most employers are aware of data access, but
there are very few BYOD-implemented
infrastructures.
Fig.3 Without employers’ knowledge
Device and Application;
It is observed that smartphones are the most preferred
smart device among users, and the most used and
accessed application is email.
Among Smartphones--83%
Among Tablets--66%
Other--14%
Fig.4 typically accessed application
In comparison to developed world, mostly
applications in organizations in Pakistan have very
specific policy that does not include is emails related,
i.e. outlook etc...
Presence of formal BYOD policy;
Fig.5 Have a Policy
Fig.6 when the company put their policy
In comparison to the developed world, most
organizations in Pakistan have a very specific policy
that does not include all the components of security,
e.g. a simple policy may include restrictions on
attachments, and pictures are not allowed.
Who bears the costs?
Fig.7 Employers’ point of view
In comparison to the developed world, in Pakistan the
cost is paid by some device owners, and in some cases
organizations provide the device to the employees at
the company’s cost.
Policy consists of;
Fig.8 when an employee leaves the company
Fig.9 Policy covers
Fig.10 Having MDM
In comparison to the developed world, some
organizations have a policy that if a user is going to
leave the job, they delete the account from that
device and auto-format the whole device; others have a
solution to specify what types of application can be
accessed, e.g. Specs in Huawei.
Company--24%
Wireless Providers--9%
The employee--67%
Fig.11 [chart; labels: Responsibility (The Company, The Wireless Provider, The employee); Restrictions]
Fig.25 Responsibility of keeping employees’ device
secure
Companies with larger infrastructure are more likely
to say the risks are more significant than benefits
when it comes to BYOD. But the companies of
different sizes are able to recognize the benefits.
Fig.12 Companies by the size engaging in the
BYOD
Smaller companies are slightly less likely to have
employees who engage in BYOD.
Very few users have experienced cyber-attacks or
had their device stolen or lost, but those who did
are much more concerned about their personal
information than their company’s information.
IV. EVALUATION
Section 2 and 4 discussed the features of BYOD.
We can see that there are a number of concerns we
may have to address to make things right. If an
organization wants to get the best results after
deploying this model, it must ensure that its policy
is secure so that it gains productivity, not losses.
We observed some breaches in multinational
organizations that were caused by a lack of the
required concentration in making the security policy,
but in Pakistan, as there is no such deployment at
that level, the breaches are fewer, or if they are
present, most users do not even know what has been
lost and what the importance of that information is.
To make sure that no data breach occurs, the
organization must concentrate on the following
points: routine assessment capability, i.e. carefully
evaluate daily network access and monitor it
according to the policy; use of a mobile device
management solution, i.e. monitor and control the
applications installed, and configure and monitor
devices with the use of asset tracking and reporting;
and deployment of high-defense security, i.e.
Mobile Device Management with geo-fencing, and
virtualization, which can be helpful in separating
personal and business data.
We surveyed three companies. Two were
telecom companies and one was an internet service
provider. All three had BYOD policies;
although employees were not aware of the term
“BYOD”, they were aware of connecting devices
to the workplace internet. The ISP firm had more
professional IT and IS people. Employees were
allowed to access emails on their devices. Official
data was not allowed to be fetched on mobile devices.
In one telecom company the policies were almost
the same as mentioned before. But they were also
using an application called SPECS that keeps logs of
user activities. Whenever a user sends a request for a
particular site or data, it passes through this
application window, and data is downloaded through
this application in the same way. Secondly,
employees were not allowed to take snaps of official
data with smart devices; this activity was
monitored by CCTV. The same company also gave
its users laptops with pre-installed
applications. The ports of these devices were blocked
so that users could not use flash drives. When we
asked about data breaches, we came to know that
there had been a few incidents. One employee
tried to send official data to his personal email
account using his office account, but this activity
was logged and a notification was sent to the
employee. In another case an employee bypassed the
official network by accessing the internet over GSM.
He downloaded a virus onto his laptop, which caused an
alarm in the network. In response, an email was
sent from higher authority to all employees that they
should not click on the virus link.
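The first incident above (official data mailed from an office account to a personal account, logged, and the employee notified) can be expressed as a rule over mail-gateway logs. This is an added example, not code from the paper or from SPECS; the log format, the domain names and all function names are assumptions, and the sample lines are constructed.

```python
import re
from dataclasses import dataclass

CORP_DOMAIN = "corp.example"  # assumption: the organization's mail domain
PERSONAL_DOMAINS = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}  # assumption

# Constructed sample lines in a hypothetical key=value mail-gateway log format.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z msgid=a1 from=h.khan@corp.example to=ops@corp.example attach=0
2024-03-04T09:40:17Z msgid=a2 from=h.khan@corp.example to=hkhan77@gmail.com attach=3
2024-03-04T10:02:55Z msgid=a3 from=s.ali@corp.example to=billing@vendor.example attach=1
2024-03-04T10:30:09Z msgid=a4 from=s.ali@corp.example to=friend@yahoo.com attach=0
2024-03-04T11:05:42Z msgid=a5 from=s.ali@corp.example to=someone@gmail.com attach=2
malformed line without fields
"""

@dataclass
class Alert:
    ts: str
    msgid: str
    sender: str
    recipient: str
    attachments: int
    own_mailbox: bool  # recipient looks like the sender's private address

def parse_line(line):
    """Return the record as a dict, or None for a malformed line."""
    ts, _, rest = line.partition(" ")
    rec = dict(p.split("=", 1) for p in rest.split() if "=" in p)
    if not {"msgid", "from", "to", "attach"} <= rec.keys():
        return None
    if not rec["attach"].isdecimal():
        return None
    rec["ts"] = ts
    return rec

def same_person(local_a, local_b):
    """Heuristic: compare letters only, so 'h.khan' matches 'hkhan77'."""
    a = re.sub(r"[^a-z]", "", local_a.lower())
    b = re.sub(r"[^a-z]", "", local_b.lower())
    return min(len(a), len(b)) >= 4 and (a in b or b in a)

def detect(log_text):
    """Flag corporate senders mailing attachments to personal mail domains."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s_local, _, s_dom = rec["from"].rpartition("@")
        r_local, _, r_dom = rec["to"].rpartition("@")
        if s_dom.lower() != CORP_DOMAIN or r_dom.lower() not in PERSONAL_DOMAINS:
            continue
        if int(rec["attach"]) == 0:
            continue  # text-only mail is left to content inspection, not flagged here
        alerts.append(Alert(rec["ts"], rec["msgid"], rec["from"], rec["to"],
                            int(rec["attach"]), same_person(s_local, r_local)))
    return alerts

def notification(alert):
    """Text of the notice sent to the employee once the message is logged."""
    return (f"Message {alert.msgid} ({alert.ts}) from {alert.sender} to "
            f"{alert.recipient} carried {alert.attachments} attachment(s) and was logged.")

if __name__ == "__main__":
    print([notification(a) for a in detect(SAMPLE_LOG)])
```

The `own_mailbox` flag separates the case in the incident (an employee's own private mailbox) from ordinary mail to webmail users, which helps prioritise review.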
The second telecom company had also implemented
BYOD, but officials were very reluctant to share any
information about the policies or security breaches.
One thing they were ready to share was that
employees were likewise allowed to access only emails
on mobile devices. That company was using Microsoft
security tools on laptops, but officials did not
disclose the name of the tool. On their end there were
valid reasons, as this is a confidential matter, so
maybe they were not ready to share any information
with us.
Are you aware of your Business goals?
Identify your goals
Analyze existing policies
Understand end user cases accordingly
Determine support capabilities
Determine your needs and phases
Define segregation of personal and organization data
Define minimum device requirements
Define stipend and payments
Yes No
Do you still feel BYOD will make sense to you?
V. CONCLUSION
Some say, “BYOD is the wave of the future so
companies need to get on board”; others say, “BYOD
is a fad that will soon fade”. Companies emphasize
“data protection”, “security of device”, and
“employee compliance” as their chief concerns.
Users recognize that BYOD may be the wave of the
future, and organizations feel the benefits should
outweigh the risks. The major problem that
multinational organizations are facing is with the
BYOD policy of the organization. But in our country it
is awareness of the technology that must be assured to
make full use of BYOD. In Pakistan there is a huge
need to educate employees as well as organizations.
Our survey showed that employees have very little
know-how and employers have a little more
knowledge.
VI. REFERENCES
[1] http://www.adaptivemobile.com/about-us
[2] http://www.harrisinteractive.com/AboutUs.aspx
[3] F. Palmieri, and A. Castiglione, "Automatic
security assessment for next generation wireless
mobile networks". In: Mobile Information
Systems 7(3), IOS Press, pp. 217-239. 2011.
doi:10.3233/MIS-2011-0119
[4] G. Lennon. R , “Changing User Attitudes to
Security in BYOD” Computing Department,
Letterkenny Institute of Technology Letterkenny,
Publication Year: 2012
[5] Scarfo, A. Broadband, Wireless Computing,
Communication and Applications (BWCCA),
2012 Seventh International Conference on
Digital Object
Identifier: 10.1109/BWCCA.2012.79 Publication
Year: 2012 , Page(s): 446 – 451
[6] Khoula AlHarthy, “Network Security Control
Solutions in BYOD” Department of Computing,
Middle East College, Muscat/Oman, 2013 IEEE
International Conference on Control System,
Computing and Engineering, 29 Nov. - 1 Dec.
2013, Penang, Malaysia
[7] http://www.chartgo.com/index.jsp
VII. Appendix A
Survey consists of following questions.
a. BYOD Policy exists or not
b. Type of accessible data
c. Employees’ Awareness
d. Most used device
e. Most used application
f. Security of Device
g. Personal or company’s data concerned
h. Site restrictions
i. Handling of BYOD IT or IS
j. Responsibility of cost
k. Effect of using BYOD
VIII. Appendix B
We conducted the survey by going to regional offices
and communicating with the IT officials of three
companies of Pakistan. But we are not allowed to
disclose the names, because they use some sensitive
tools for their data security.