Avoiding basic BYOD blunders

Michael Fitzgerald | Feb. 15, 2013
Each company has to work out its own correct mix of technology and policy safeguards. But most have figured out how to sidestep these fundamental BYOD security errors -- have you?

Blunder Number 2: Take on all comers

It's a great concept for a UFC special, but why do you want your network exposed to every device known to humankind?

"Companies shouldn't recommend what type of phone employees get, but some Android phones are better than others," says Dan Shey, an analyst at ABI Research Inc.

Blunder Number 3: Give employees access to everything

Do all your employees really need access to all applications? Really? It's one thing to open up access to email, another to give access to ERP, says Shey, an analyst at ABI Research. Email "tends to be a closed system--you can connect to it and not connect to corporate systems and databases," he says. As Crook notes, once consumer devices enter the enterprise, consumer applications and corporate applications can commingle. What if employees want to dump things into Dropbox?

Geo-sensing policies, under which devices can access applications and data only when they are in a certain zip code or at certain GPS coordinates, can be helpful in some circumstances.

Blunder Number 4: Fail to train employees

"That's a big no-no," says Crook. Employees need to have some guidance on what they should and shouldn't do with their devices on the corporate network. That's obviously true for companies that have compliance requirements, like healthcare and financial firms. But any company can have employees overstep their bounds. Give them education and training, and then ask them to sign a document about complying with your company's policies. Without those things, "you're setting yourself up for lawsuits." Especially if you commit sin number five.

Blunder Number 5: Assume people won't lose a device when it's their own.

They do, and they will. What kind of attachments might be on email? What if there's a password file on the device? Or authentication for the network?

Blunder Number 6: Expect you can just wipe your hands of things.

There are lots of tools that let you wipe systems remotely, ranging from features in Microsoft Exchange to mobile device management software.

Remote wiping is a powerful tool, but when you zap all their personal data, even employees who leave on good terms could end up suing you.

Mobile device management software is useful, but should you really just wipe the box? Or can you revoke access to specific applications?

Blunder Number 7: Assume the worst and just ban BYOD.

BYOD is manageable. CISOs can mitigate risks. They just need to have a plan and a process that meets the needs of their company.

Finally, learn from those who've gone before you. One of the first companies to allow BYOD is IBM. It started back in 2000 with the BlackBerry, and after trials made BYOD a corporate initiative in 2004. It has more than 130,000 employees using their own devices, primarily smartphones and tablets.

 
