Is your enterprise one of the many that are “subject to the whims of fickle consumer-business users” when it comes to adopting new technology?

That’s how Clorox CIO and vice president Ralph Loura framed the current state of enterprise tech and the Bring Your Own Device (BYOD) trend when he appeared earlier this month among a panel of other CIOs at the Westin St. Francis Hotel in San Francisco.

He couched his message by saying that even though enterprises may try to be user-centric, employees constantly make new technology demands—and change them often—making it difficult for enterprises to fulfill their every request, even if it would make life easier for users. With employees demanding network access for many different types of devices, operating systems and applications, a CIO’s job has never been harder. But do employees always know what’s best for network security?

According to Loura, “User-led is not the same as user-centric … User-centric is about looking at and understanding the need, not the ask.” A user-led approach gives power to employees and requires the enterprise to adopt most or all user suggestions – a clear risk.

And risk is not something Loura, like many CIOs, has ever been comfortable with. During a panel hosted by Okta Inc. back in April, he said that he is careful about innovation spend. He stays risk averse, yet searches for those investments that will yield the highest return.

In the case of enterprise tech, he said that when users ask him to support a new enterprise technology, such as a piece of hardware or an application, he doesn’t automatically accept their request. Instead, he adds that suggestion to a pool of other related ones, weighs the user benefits against the risks, security among them, and then reconciles those factors before adopting the best all-around solution.

His message resonates in the discussion of BYOD versus the slightly more stringent CYOD (Choose Your Own Device) strategy, in which employees only have a limited number of approved devices to choose from. Loura would likely support CYOD because it puts a little more power back into the hands of the IT department. However, despite the benefits for IT control, CYOD’s growth is far surpassed by BYOD’s, and enterprises must adapt the way they create network security policies accordingly.

With security ranking as a top priority for IT departments this year, there’s been a real desire among network professionals to assert more control over networks, even as employees are given more technology decision-making power through BYOD policies. One important tool enterprise IT administrators can use to increase the security of their networks is a centrally managed VPN solution, which gives enterprises greater visibility into remote communications and provides them the option to revoke network access to endpoints that are not compliant with enterprise policies.

In a user-centric culture like the one Loura describes, CIOs would adopt VPNs that support whatever devices and operating systems employees choose, and still give IT departments control, through central management capabilities.

A centrally managed remote access solution also increases productivity by automating VPN client rollout and updates, and reduces IT help desk calls because rollout and updates no longer have to be done manually. It also lowers documentation and training costs because hands-on interaction by users is significantly reduced. These benefits provide a strong case for CIOs in search of that elusive high return on investment Loura mentions.

Finally, automation and ease of use free IT staff to focus on higher value activities. At the same time, they provide a higher level of security and more freedom for employees, while still maintaining IT control. Managing BYOD doesn’t need to be the headache it once was, with a user-centric approach and a centrally managed VPN.

The discussion on BYOD centers on whether employees working more efficiently on their personal devices is worth whatever network security vulnerabilities are sown when enterprises allow numerous devices and operating systems to access their networks.

As a compromise between employees and employers that brings everyone onto the same page, a BYOD policy helps. But, it doesn’t completely reconcile the interests of both employees and employers, as work efficiency and enhanced network security are far too often seen as mutually exclusive concepts.

That’s why new technologies that could help employers to secure mobile devices are so appealing. So, what are these technologies, and do they really provide any greater benefit than existing BYOD policies and approaches?

A ‘Kill Switch’ Could Give New Life to BYOD

A new bill working its way through the California legislature would require mobile device manufacturers to equip their products with a “kill switch” that would allow users to remotely disable phones should they get lost or stolen. The thinking is that if potential thieves knew there was a chance a stolen phone could be rendered useless by a kill switch, they would have less incentive to steal one.

If that bill, SB 962, becomes law and begins a national trend, could it also make BYOD more appealing to enterprises? No, according to FierceCIO contributor Jeff Rubin. The problem with kill switches, as a supplement, or even a full-fledged alternative, to BYOD policies, is that they don’t really place any power back in the hands of the enterprise. The device is still the employee’s, as is the decision to disable it. Legally, the employer cannot compel the employee to pull the plug.

Separate Containers, Less Risk?

Alternatively, an enterprise could issue a mobile device that has two distinct operating containers. In that circumstance, one environment within the device would solely contain apps and information used for work purposes, while the other would be for the employee’s personal use. In this scenario, IT departments would gain some degree of oversight and control over employee devices, and, as NetworkWorld points out, they’d be able to “enforce security such as authentication, encryption, data leakage, cut-and-paste restrictions and selective content wiping.”

But, just like kill switches, containerization has been criticized in the tech media when it is presented as a catch-all BYOD solution. Last summer, CITEworld’s Ryan Faas wrote that the “dual persona” approach of containerization actually erases whatever advantage a user would gain from using their personal device at work. As Faas points out, containerization is simply a more extreme version of the pre-BYOD practice of giving employees “a locked-down and IT-controlled BlackBerry with just the apps on it that IT deemed necessary, and [letting] them carry their personal phone with them as well.” For example, an employee with a dual-container device still couldn’t use an app that hadn’t been approved by the IT department for work purposes, even if they believe doing so would make them more productive. Because the user sacrifices control, they’ll either be less productive (since they can’t determine their own workflows or choose their own apps) or they’ll work around IT restrictions (creating network security vulnerabilities).

As NCP engineering’s Joerg Hirschmann said in a ZDNet article, “iOS and Android have started down a useful path by adding access controls… but these are far from a comprehensive in-depth security framework. The server operating systems, applications, databases, and networks must all be considered as well.”

This, Hirschmann believes, “leads to the requirement for careful planning, monitoring, and sophisticated firewalls and even to the use of virtual private networks.”

Defense In Depth: An End-to-End Alternative

A deeper critique of new mobile device security technologies like kill switches and containerization reveals that both approaches only partially address the security concerns associated with BYOD, and their benefits come with significant drawbacks.

A defense in depth strategy, on the other hand, helps to insulate organizations from attack through otherwise vulnerable endpoints, without robbing employees of the control and flexibility BYOD provides them. Because its layers are independent of one another, a failure in one layer does not hand the attacker the network, which helps to contain, and often stop, attacks before they become destabilizing. Centrally managed VPN services, for example, give employees an encrypted connection into the corporate network, while firewalls restrict what that connection is allowed to reach. In conjunction with other mobile device security technologies and a BYOD policy that clearly lays out expectations to employees, defense in depth increases the resilience of network security.

The Department of Homeland Security (DHS) issued a warning last week that the computer network of a public utility company had been compromised by a “sophisticated threat actor,” likely through a brute force password attack.

Although the utility company repelled the attack, and there is no evidence that operations were affected, the DHS’ Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) released news of the incident in its January-April 2014 report to highlight “the need to evaluate security controls employed at the perimeter and ensure that potential intrusion vectors (ex: remote access) are configured with appropriate security controls, monitoring, and detection capabilities.”
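The report’s call for monitoring and detection on remote-access paths can be illustrated with a small detector, added here as an example and not drawn from the article or from ICS-CERT. It walks gateway authentication log lines in order and raises an alert when one source address exceeds a failed-login threshold inside a sliding time window, and a separate alert when one source fails against many distinct accounts (password spraying, which per-account lockouts do not catch). The log format, the field names and the sample lines are constructed for this example, and the addresses are documentation ranges; adapt the regular expression to the gateway you actually run.

```python
"""Brute-force and spray detection over remote-access authentication logs.

Added example, not code from the original article or from ICS-CERT. The
log format and the sample lines are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed log format: ISO timestamp, host, event, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>auth-ok|auth-fail) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: one source hammering one account, one source
# spraying several accounts, and one legitimate user with a typo.
SAMPLE_LOG = """\
2014-05-20T10:00:00Z vpn-gw auth-fail user=jsmith src=203.0.113.7
2014-05-20T10:00:05Z vpn-gw auth-fail user=jsmith src=203.0.113.7
2014-05-20T10:00:09Z vpn-gw auth-fail user=jsmith src=203.0.113.7
2014-05-20T10:00:12Z vpn-gw auth-fail user=jsmith src=203.0.113.7
2014-05-20T10:00:15Z vpn-gw auth-fail user=jsmith src=203.0.113.7
2014-05-20T10:00:20Z vpn-gw auth-fail user=admin src=198.51.100.9
2014-05-20T10:00:21Z vpn-gw auth-fail user=operator src=198.51.100.9
2014-05-20T10:00:22Z vpn-gw auth-fail user=scada src=198.51.100.9
2014-05-20T10:00:23Z vpn-gw auth-fail user=hmi src=198.51.100.9
2014-05-20T10:01:00Z vpn-gw auth-fail user=mlee src=192.0.2.44
2014-05-20T10:01:30Z vpn-gw auth-ok user=mlee src=192.0.2.44
"""


def parse_line(line):
    """Return a dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(
        tzinfo=timezone.utc
    )
    return rec


def detect(log_text, max_failures=5, window_seconds=60, spray_users=4):
    """Scan lines in order and return a list of (src, kind, detail) alerts.

    kind is 'brute-force' when one source accumulates max_failures failed
    logins within window_seconds, and 'spray' when one source fails against
    spray_users or more distinct accounts within the same window. Each
    (src, kind) pair is reported once.
    """
    recent = defaultdict(deque)   # src -> deque of (ts, user) failures
    alerted = set()               # (src, kind) pairs already reported
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["event"] != "auth-fail":
            continue
        q = recent[rec["src"]]
        q.append((rec["ts"], rec["user"]))
        # Drop failures that have fallen out of the sliding window.
        while q and (rec["ts"] - q[0][0]).total_seconds() > window_seconds:
            q.popleft()
        if len(q) >= max_failures and (rec["src"], "brute-force") not in alerted:
            alerted.add((rec["src"], "brute-force"))
            alerts.append((rec["src"], "brute-force",
                           f"{len(q)} failures in {window_seconds}s"))
        users = {u for _, u in q}
        if len(users) >= spray_users and (rec["src"], "spray") not in alerted:
            alerted.add((rec["src"], "spray"))
            alerts.append((rec["src"], "spray",
                           f"{len(users)} distinct accounts in {window_seconds}s"))
    return alerts


if __name__ == "__main__":
    for src, kind, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind:<11} src={src} {detail}")
```

On the sample, 203.0.113.7 trips the brute-force rule at its fifth failure and 198.51.100.9 trips the spray rule with four failures against four accounts, while the single typo from 192.0.2.44 is ignored. The thresholds are starting points: tighten the window on an ICS gateway where legitimate remote logins are rare, and feed the alerts into whatever blocks the source at the perimeter rather than only logging them.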

This attack illustrates why the infiltration of government infrastructure is such a serious national security concern. Just a few months ago, the Federal Energy Regulatory Commission reported that a coordinated attack on even just nine of the country’s 55,000 electrical-transmission substations could cause a “coast-to-coast blackout.”

Given these stakes, government agencies have a responsibility to provide the highest level of security to all endpoints, from legacy ICS terminals to employees’ personal mobile devices, especially in an era where Advanced Persistent Threats (APTs) are becoming commonplace. Every endpoint must now be secured, because hackers are constantly searching for new vectors they can exploit. At the same time, the government has to secure more endpoints than ever, as employees are increasingly connecting to government networks remotely due to the growing Bring Your Own Device (BYOD) and telecommuting trends. These converging sea changes require the government to rethink its network security approach.

In August 2012, the Digital Services Advisory Group and Federal Chief Information Officers Council laid the groundwork for this new approach, by issuing network security guidance and sample BYOD policy templates for federal agencies. But this hasn’t necessarily translated to broad BYOD adoption in the public sector. The U.S. Department of Defense, for example, has been chilly toward BYOD for some time.

What Government Organizations Can Learn from Enterprises

Even though government agencies are reluctant to support BYOD because of the accompanying information security challenges, government workers are pushing for it. Government BYOD is inevitable – IDC predicts that although currently “personal devices make up just 5 percent of the government market, that figure will grow at double-digit rates for the next three years.”

Large enterprises, having already embraced BYOD and dealt with many of its security challenges, are further along than the government is at present and provide a good example of how the right technologies can work together. Faced with a need to secure myriad endpoint devices and operating systems, they have started to embrace a defense in depth approach that uses independent network and security controls to fortify critical systems and help prevent breaches.

As part of such a framework, enterprises are implementing centrally managed remote access VPN solutions, which enable network administrators to monitor the remote access infrastructure and communications with the corporate network. Forward-looking government agencies are starting to embrace centrally managed VPNs, and it is an ideal time for other agencies to follow their lead.

With a centrally managed VPN, government network administrators are able to verify that all endpoints accessing the network remotely are compliant with the government office’s policies before being granted permission to connect. And after a breach is spotted, they can limit its impact by revoking network access to affected devices. This helps to limit network exposure to the “potential intrusion vectors” mentioned in the ICS-CERT report.

Government agencies face a broad range of network security threats, but by protecting all their endpoints with the right technologies, instituting a common sense BYOD policy and doing all they can to protect citizens’ information, they’re better equipped to mitigate these attacks and protect their citizens.

In the not-so-distant past, when enterprises lacked ubiquitous high-speed Internet connections and the means to provide employees with remote access, organizations were far more likely to enforce strict working hours than they are today. After all, work wouldn’t get done if employees weren’t present.

Mobile technology has since enabled the growing trend of remote work, allowing employees to work from anywhere at any time. As a result, many employers have become more flexible in their expectations of employees and in their definition of “the workday.”

But where they shouldn’t be more flexible, and where many are actually falling behind, is in governing how employees use personal mobile devices for work purposes and how they access the corporate network remotely.

Are Employees Bringing Their Own Security Problems, Too?

Bring-your-own-device (BYOD) is now more of the norm than a new, disruptive trend. According to a new study by Gartner, more than half of the 995 employees it surveyed said they use their personal devices for work purposes for more than an hour each day. For companies, every moment that sensitive information sits outside the corporate network is a moment it could be exposed.

In a perfect world, employees would never experience security problems with their personal mobile devices while using them for work purposes, and 100 percent of those few who did would report incidents to the appropriate personnel at their company.

The reality is vastly different.

Gartner found that about one-quarter of users have had a security issue with their personal mobile device at work, and only 27 percent of these victims have reported the incident.

These numbers suggest that organizations still have a long way to go to manage BYOD, and that new approaches and technologies are required to protect business data accessed via employees’ mobile devices.

Central Management to the Rescue

Enterprises are increasingly seeking to implement remote access solutions with central management capabilities to manage VPN configurations, certificates, and network and firewall policies, and prevent sensitive data from being exposed whether unknowingly by employees, or by hackers with malicious intent. With myriad operating systems and devices to support in a BYOD environment, IT administrators are searching for cost-effective solutions for securing remote access to the corporate network while enabling workers to be productive.

With a centrally managed VPN that works on all types of devices an employee might have, IT administrators can ensure that all endpoints connecting to the corporate network are policy compliant and automatically roll out VPN software updates to all employees. Also, if a breach occurs, immediate steps can be taken to revoke access to the network down to the device level. IT staff, then, gain a powerful tool that helps to fill the gap left by unreliable employee self-reporting and keep the corporate network secure.
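How the compliance check and per-device revocation described above fit together, as an added example that is not the article’s or any vendor’s code: the gateway receives a posture report from the client, evaluates it against a central policy and a revocation list, and returns a decision together with the reasons for any denial. The policy values, the field names and the sample reports below are assumptions constructed for this example.

```python
"""Endpoint compliance gate with central revocation for a managed VPN.

Added example, not code from the original article or from any VPN
product. Policy values, field names and sample reports are assumptions
constructed for this example.
"""


def parse_version(text):
    """'7.1.1' -> (7, 1, 1). Raises ValueError on empty or non-numeric
    input, so that a caller comparing versions fails closed."""
    return tuple(int(part) for part in str(text).strip().split("."))


# Constructed policy (assumption): minimum OS release per platform,
# minimum VPN client release, and mandatory full-disk encryption.
POLICY = {
    "min_os": {"ios": "7.1", "android": "4.4", "windows": "6.1"},
    "min_client": "9.30",
    "require_disk_encryption": True,
}


def evaluate(report, policy=POLICY, revoked=frozenset()):
    """Decide one connection attempt.

    Returns (allowed, reasons); reasons is an empty list when allowed.
    Every check appends a reason instead of returning early, so the
    administrator sees everything that is wrong with the device at once.
    """
    reasons = []

    # 1. Device identity: a certificate must be presented and not revoked.
    serial = report.get("cert_serial")
    if not serial:
        reasons.append("no device certificate presented")
    elif serial in revoked:
        reasons.append(f"certificate {serial} is revoked")

    # 2. Platform and OS release: unknown platform or old release is a denial.
    platform = str(report.get("os", "")).lower()
    minimum = policy["min_os"].get(platform)
    if minimum is None:
        reasons.append(f"platform '{platform or 'none'}' is not permitted")
    else:
        try:
            if parse_version(report.get("os_version", "")) < parse_version(minimum):
                reasons.append(f"{platform} {report['os_version']} is below minimum {minimum}")
        except ValueError:
            reasons.append("os_version missing or unparseable")

    # 3. VPN client release: old clients lack the fixes rolled out centrally.
    try:
        if parse_version(report.get("client_version", "")) < parse_version(policy["min_client"]):
            reasons.append(f"client {report['client_version']} is below minimum {policy['min_client']}")
    except ValueError:
        reasons.append("client_version missing or unparseable")

    # 4. Disk encryption: anything other than an explicit True is a denial.
    if policy["require_disk_encryption"] and report.get("disk_encrypted") is not True:
        reasons.append("disk encryption not reported as enabled")

    return (not reasons, reasons)


def run_gate(reports, revoked, policy=POLICY):
    """Evaluate a batch of reports; returns {device_id: (allowed, reasons)}."""
    return {r.get("device_id", "?"): evaluate(r, policy, revoked) for r in reports}


# Constructed sample posture reports, one per device.
SAMPLE_REPORTS = [
    {"device_id": "ipad-0412", "os": "iOS", "os_version": "7.1.1",
     "client_version": "9.31", "disk_encrypted": True, "cert_serial": "1A2B"},
    {"device_id": "laptop-xp-17", "os": "Windows", "os_version": "5.1",
     "client_version": "9.31", "disk_encrypted": True, "cert_serial": "3C4D"},
    {"device_id": "droid-99", "os": "Android", "os_version": "4.4.2",
     "client_version": "8.0", "disk_encrypted": False, "cert_serial": "5E6F"},
    {"device_id": "mystery-1", "os": "Android",
     "client_version": "9.31", "disk_encrypted": True},
]


if __name__ == "__main__":
    revoked = set()
    for dev, (ok, why) in run_gate(SAMPLE_REPORTS, revoked).items():
        print(dev, "ALLOW" if ok else "DENY", "; ".join(why))
    # A breach is spotted on the iPad: revoke its certificate centrally and
    # its next connection attempt is refused without touching the device.
    revoked.add("1A2B")
    print("after revocation:", evaluate(SAMPLE_REPORTS[0], revoked=revoked))
```

The gate fails closed: a missing certificate, an unknown platform, or a version string that does not parse is a denial, not a pass. One limit a practitioner should keep in view is that posture is reported by the client, so a compromised endpoint can misreport it. The device certificate and the server-side revocation list are the parts the gateway actually controls, which is why revocation is the lever to pull once a breach is spotted, and why this gate is one layer in a defense in depth design rather than the whole defense.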

Enterprises are constantly fighting to stay one step ahead of hackers, whether upgrading endpoints from the now unsupported, and therefore unpatched, Windows XP to Windows 8 or implementing more secure remote access technologies in light of the Target breach. Then came Heartbleed, which necessitated another immediate response for countless enterprises.

Creating and executing a network security plan can feel like fighting the Hydra, famous from Greek mythology – as soon as one threat is neutralized, another two spring up in its place. The best strategy for enterprises trying to stay ahead of the next threat is to take a preventative approach by implementing technologies that can quickly adjust to threats and ensure that employees comply with network security best practices.

Given the ubiquity of threats that can affect networks, it would seem as though one of a company’s best defenses would be its own employees. After all, they care about their company and genuinely do not want to expose sensitive information. However, in many cases, employees are just as likely to unknowingly help tear down the castle gates as they are to protect them.

Transforming Employees from Vulnerability to Asset

Because of the increasing Bring Your Own Device (BYOD) trend, employee endpoints are now a major threat to network security. Think about all the vulnerabilities your employees could create. They could log on to the corporate network on an insecure mobile hotspot at a café, or they could misplace their device, which could then fall into the wrong hands.

The Ponemon Institute found in its recent “Cost of Data Breach” study that this sort of exposure is all too common. Thirty percent of all data breaches were traced back to human error, which trailed only malicious or criminal attacks (42 percent) as the most common cause of breaches. And a lost or stolen device, a very common human error, increased the per capita cost of a data breach by $16, more than any other factor Ponemon measured.

Even though employees could thrust your company’s network security into peril, if they are properly educated about potential threats, they may actually be the best defense against malicious software entering the corporate network. That matters because technical hardening alone is often incomplete: in the UK, only 60 percent of retailers and financial institutions say their systems are sufficiently hardened to prevent the kind of data loss seen in recent, prominent breaches.

A Comprehensive Approach

Adoption of a comprehensive, defense in depth security framework, combining a VPN with other security components such as a firewall, an intrusion prevention system (IPS) and anti-malware, along with a robust employee education program, helps protect an organization against a broad range of threats. Within such a framework, the network and security components work together to become more than the sum of their parts.

VPNs in particular are a crucial component in keeping the corporate network secure. Not only are they a proven way for enterprises to secure communications with the corporate network by encrypting data in transit; those with central management capabilities also give network administrators a single point of administration to ensure every employee and endpoint is always in compliance with network security policies.

A VPN effectively extends a private, controlled network across the public Internet: traffic between the endpoint and the corporate network is encrypted, which denies would-be cyber criminals the chance to read or tamper with it on the way, and access can be cut off at the device level the moment a breach is spotted. Used as one layer of a defense-in-depth strategy, a VPN just might prevent your enterprise from becoming breaking news.