What does a more than 130-year-old South Carolina public university have in common with tech giants like IBM and Intel? A formal bring-your-own-device (BYOD) policy to establish minimum security requirements for its employees when tapping their personal devices for work-related tasks.
In September 2024, Clemson University rolled out a new BYOD policy in a bid to provide its employees and student workers with a set of standardized rules that can be followed when using their personal devices to access university IT resources.
Impetus. Brian Voss, VP and CIO at the university known for its tiger mascot, told IT Brew that Clemson is in the 20th percentile of universities that are targeted by cyberattacks.
“It means we have to be in the top 20% of our efforts to try and secure the place because we are under constant assault,” said Voss, who has worked at the university since 2021.
In the past three years, the university has witnessed an uptick in attempts from malicious actors to breach its environment, Voss said. While it had taken proactive steps to combat these efforts, including upgrading its networks and implementing firewalls, Voss said the university ultimately realized that personal devices still served as a vector for attacks directed at the university.
“You bring these events together and you bring into the climate an increasingly dangerous cyber threat environment…and suddenly, every device is a portal or a crack in your institution’s attempt to secure itself,” Voss said.
Voss told IT Brew that BYOD is not a new concept for higher education institutions. However, he said Clemson saw a lot of opportunity in not being an early adopter of the policy because of the lessons it was able to learn from its peers.
“By us not being in that breaking-the-wave front on this, we now were able to answer a lot more of those questions that our community was going to have,” he said.
Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
The transition. Clemson’s BYOD policy focuses mainly around the use of personal laptops and mobile devices to access various IT-related resources. Devices must meet Clemson’s minimum security requirements, which include a strong password and up-to-date operating system, to authenticate to Clemson’s system through Duo Security or the school’s network.
One of the main focuses since implementing the policy has been shaping the culture of the university to understand its significance.
“If you just hear about it and read the basics, it sounds rather draconian and again, universities are not used to draconian responses,” Voss said.
To do so, Voss and Clemson’s CISO John Hoyt have been assembling a communication plan to get faculty members and student employees up to speed. Conversations with university members have allowed them to create an educational resource for frequently asked questions. Hoyt said his team has also been having conversations with different departments to discuss the new policy.
Campus life. Voss told IT Brew that rolling out BYOD in a university setting is slightly different than implementing it at an enterprise because he and Hoyt do not have the same “autocratic controls” that one working in the private sector may have.
“In the private sector, you just pass the policy [or] pass the law, and then it’s enforced as a matter of continued employment…whereas here, you’ve had a history of a much more open environment,” Voss said.
The benefits, however, remain the same. Thom Langford, CTO for the EMEA region at Rapid7, told IT Brew that BYOD policies allow organizations and institutions to save on costs associated with supplying devices, while also providing users with a level of flexibility.
“You’re still able to be a contributing member of that organization,” Langford said. “You don’t have to be in an office sat in front of a desktop computer to answer the basics.”