As any old-school CIO or IT manager will tell you, it was much easier to secure the enterprise 20 years ago. Sure, there were plenty of bad actors, but employees didn’t bring an increasing array of devices to work—ones that opened the enterprise up to increased breaches. Not only are employees bringing their own devices to work, they’re bringing their own software to work.

As much as I advocate working from anywhere, it’s folly to dismiss the legitimate security concerns of letting employees work unencumbered. Think about the following polarized scenarios:

• Organization A: Employees enjoy complete freedom and flexibility to do whatever they want wherever they want. Security is not an afterthought; it’s not even a consideration.
• Organization B: Employees must seek formal IT approval for everything. Everything is locked down by default, encumbering basic productivity, never mind organizational agility.

Which is better?

Of course, neither is ideal. Even the most secured enterprise faces internal and external risks. It’s critical to put safeguards in place, but make no mistake: employees still need to be able to get work done without involving IT at every step along the way. (I once consulted at a consumer-goods company that made employees do just that. You couldn’t go to the bathroom without your computer locking up.)

A Happy Medium

With that in mind, here are some tips to for organizations strike the right balance. First, BYOD is here. Don’t try to fight it. A 70,000-student university is neither a small law firm nor an Alicia Keys’ concert.

Next, don’t skimp on employee training and communication. My new employer ASU sure isn’t. The university knows full well the security risks posed by negligent employees. Before I could collect my first paycheck, I had to complete several employee orientation courses designed to reduce the chance that I cause a security issue. And that’s not all. Employee education shouldn’t end when new employees join an organization. As such, ASU maintains a site dedicated to security threats and best practices.

Employee education shouldn’t end upon joining an organization.

On the technical side, consider the words of Tom Smith, VP of Business Development of CloudEntr. Smith notes that companies can restrict remote access to sensitive data by device-specific identifiers such as the MAC address. What’s more, consider adopting encryption and dynamic data-level authentication, a process known by the clunky name of deperimeterization.

Simon Says

One need not be a security expert to understand the increasing number and severity of bad guys out there. Organizations more than ever need to be aware of—and respond to—remarkably sophisticated attacks. At the same time, though, organizations don’t want security to become bottlenecks.