BYOD: Organizations Question Risk vs Benefit

Over the past few posts we’ve been covering the concept of the BYOD trend. We started with a foundation describing the origins and evolution of BYOD, followed by a closer examination of the pros and cons of BYOD from the employee perspective. This post will focus on BYOD from the point of view of the company or IT organization.

In case you’re just joining us, let’s quickly recap what BYOD is. BYOD is an acronym for “bring your own device”. It’s a trend in business technology that allows individuals to use their own personal PCs, smartphones, tablets, or other technologies in a work environment.

The Benefits of BYOD

In the last post in this series we established that 40% of the people we surveyed consider it very important to be able to use personal devices at work, and 67% reported they are already doing so, whether or not their employer sanctions it. There are some caveats as well, but in general a majority of users are in favor of BYOD.

When push comes to shove, though, business is business. In order for organizations to embrace and implement BYOD, there has to be a compelling business case to support it and the rewards must outweigh the risks.

One of the most common factors cited in support of BYOD is cost savings. The theory is that organizations can save money by investing less in hardware and software and offloading that responsibility to users. There are also potential savings on device maintenance: employees are familiar with their own devices, which should mean fewer support calls, and the theory holds that employees, rather than IT staff, will keep their own devices up to date.

According to our recent Trust in Technology survey, 53% of organizations officially condone BYOD practices. One in five (20%) provides a subsidy of some kind to employees who use their own PCs or laptops, and we can assume the subsidy is less than what organizations traditionally spend to acquire the same hardware. A third of companies (33%) allow BYOD but do not subsidize it at all, so for them the savings are larger.

Figure 1. Organizations’ policies on employees using their own personal computers or laptops for work purposes

Another benefit for organizations that embrace BYOD is that individual users tend to upgrade to the latest hardware and migrate to the newest software platforms much more quickly than companies do. The business gets to take advantage of current technology without the pain and expense of a large hardware refresh or software upgrade.

Managing BYOD

Businesses have a variety of issues to consider, though, when it comes to adopting BYOD as an IT practice. Users may be concerned about the privacy of the personal data on their own equipment, but many companies are subject to industry and regulatory mandates that require a certain level of monitoring and protection for company data wherever it resides.

More than a quarter of survey responses (26%) indicate that employee mobile devices are not permitted to access company resources at all; the rest of the responses are spread across every other option. Interestingly, the percentage of organizations that allow employees to use their own mobile devices but require that those devices be managed by IT (22%) is almost matched by the percentage whose employees are issued company-owned mobile devices but are expected to manage them on their own (21%). There is clearly still some confusion at this early stage about what should be acceptable and how BYOD should be managed.

Figure 2. Organization’s mobile device policy for work email and applications

Protecting data on a device that isn’t owned by the company is tricky. If the device isn’t even managed by the company, it may be virtually impossible. More than half of those surveyed suggested it’s either important or very important to be able to keep personal and business profiles separate, and segregate data on mobile devices.

Figure 3. How important is it to separate your personal and work profiles on your mobile device?

In order to implement BYOD effectively, organizations should have a clearly defined written policy that outlines acceptable use and spells out the uses or activities that are strictly forbidden. Without an established policy, BYOD is chaotic and confusing for both the company and the employees.

Support

While there are potential cost savings for companies that embrace BYOD, there are also some hidden costs to consider. First, IT personnel have to be familiar with a broad range of devices in order to get them connected to company resources, or be able to provide any support at all.

Another factor to consider is that some businesses rely on apps that are only available on specific mobile platforms, or are already invested in mobile device management (MDM) systems that are only capable of monitoring and managing certain mobile operating systems. The BYOD policy needs to spell out up front what those platforms are so users know which devices are compatible with business needs.

Security

Arguably the biggest concern for companies when it comes to accepting the use of personal PCs and mobile devices in a work environment is security. The 2011 ISACA IT Risk/Reward Barometer found that over 58% of U.S. security professionals view mobile devices owned by employees as posing the greatest risk their organization faces. This is particularly true of businesses that operate in healthcare, finance, or other fields that fall under compliance requirements such as HIPAA, SOX, GLBA, or PCI-DSS. Every organization has a duty to protect sensitive company and customer data, but those governed by industry or regulatory mandates face fines, or even possible jail time, for failing to do so.

Avanade—a business technology services firm—released a report earlier this year stating that more than half the companies surveyed have experienced a data breach of some sort related to the use of consumer technologies in the workplace. Our own survey data suggests that about eight in ten respondents are somewhat or very concerned about losing intellectual property, or compromising employee or customer data as a result of BYOD.

Figure 4. Given your organization’s policies on cloud, social and devices, how concerned are you?

Organizations that implement BYOD need to include minimum security requirements in the written policy as well. At a minimum, mobile devices should be protected with a PIN or passcode, and data stored on the devices should be encrypted.

To take it a step farther, IT admins may also want tools in place that let the company remotely lock a lost or stolen device. In extreme cases the company could remotely wipe all data from the mobile device, but that gets tricky: on a device it does not own, the employer may not have the right to erase the employee's personal data, so the policy should say in advance which data the company may remove and under what circumstances.

Parting Ways

What do you do when an employee leaves the company? Equipment the employee supplied under BYOD belongs to the individual and will leave with them, so the organization needs to ensure it has a copy of all relevant company data and that the departing user is no longer in possession of proprietary or sensitive company data, including any still cached on the device.
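The minimum device requirements described under Security (passcode, encryption, remote lock and wipe, and the problem of wiping personal data) and the off-boarding step described here can all be handled from one place when Exchange ActiveSync is the company's device-management layer. The following is an added example, not code from the original post. It assumes an on-premises Exchange 2013 (or later) organization using the Exchange Management Shell; the policy name, mailbox and notification address are made up.

```powershell
# Added example: enforce the BYOD minimums with an Exchange ActiveSync mailbox
# policy, then handle a lost device or a departing employee without erasing the
# owner's personal data. Assumes Exchange 2013+ Management Shell; names are made up.

# 1. The weak baseline. The built-in 'Default' policy typically requires no
#    password and no encryption; unmanaged BYOD looks like this. Read-only check.
Get-MobileDeviceMailboxPolicy -Identity 'Default' |
    Format-List Name, PasswordEnabled, RequireDeviceEncryption, MaxInactivityTimeLock

# 2. The corrected policy: the minimum requirements from the post, plus the
#    controls that make them stick on the device.
$byodPolicy = @{
    Name                         = 'BYOD-Minimum'   # hypothetical policy name
    PasswordEnabled              = $true            # require a PIN or passcode
    AllowSimplePassword          = $false           # reject 1234, 1111 and similar
    MinPasswordLength            = 6
    MaxPasswordFailedAttempts    = 10               # device wipes itself after 10 wrong PINs
    MaxInactivityTimeLock        = '00:15:00'       # auto-lock after 15 minutes idle
    RequireDeviceEncryption      = $true            # encrypt data at rest
    RequireStorageCardEncryption = $true            # including removable storage
    AllowNonProvisionableDevices = $false           # refuse devices that cannot enforce the policy
}
New-MobileDeviceMailboxPolicy @byodPolicy

# Assign the policy to a BYOD user (hypothetical mailbox). Users not assigned
# a policy keep whatever the default policy allows, so assign it deliberately.
$mailbox = 'alice@contoso.example'
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $byodPolicy.Name

# 3. The check: which devices are syncing this mailbox, what OS they run, when
#    they last synced, and whether a wipe has already been requested.
Get-MobileDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceFriendlyName, DeviceType, DeviceOS, LastSuccessSync,
                  DeviceWipeRequestTime, DeviceWipeAckTime

# 4. Lost device or departing employee. Pick the partnership to act on.
$device = Get-MobileDevice -Mailbox $mailbox |
    Where-Object { $_.DeviceType -eq 'iPhone' } |
    Select-Object -First 1

# Account-only wipe removes the company mailbox data (mail, calendar, contacts)
# and leaves the owner's photos and apps alone. This is the appropriate default
# for a device the company does not own.
Clear-MobileDevice -Identity $device.Identity -AccountOnly `
    -NotificationEmailAddresses 'it-sec@contoso.example'

# A full wipe (no -AccountOnly) resets the entire device, personal data included.
# Reserve it for the cases the written policy and the employee's agreement cover:
#   Clear-MobileDevice -Identity $device.Identity

# Once the wipe is acknowledged (DeviceWipeAckTime is set), remove the
# partnership so the device cannot resync the mailbox later:
#   Remove-MobileDevice -Identity $device.Identity
```

The wipe is delivered the next time the device connects, so a device that never syncs again is never wiped; the DeviceWipeAckTime column in step 3 is how you confirm it actually happened, and disabling the user's account is still required regardless.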

Conclusion

There are some solid reasons for organizations to at least consider adopting BYOD. Compliance mandates and security issues are two large hurdles businesses should be aware of, though, when weighing the pros and cons of BYOD. Many organizations have decided the benefits are worth the risks, while some organizations either haven't embraced the concept or have decided the risks outweigh the rewards.

Here are some of the significant findings we talked about in this post:

  • 53% of organizations officially condone BYOD in some way, but fewer than half of them provide any financial subsidy for users who supply their own equipment.
  • 22% of organizations allow personal devices to be used, but require that they be managed by the company IT personnel.
  • Cost savings resulting from employees using their own PCs and mobile devices may be offset by increased IT support and security costs.
  • A majority of companies are somewhat or very concerned about the risk of data breaches or intellectual property leaks.

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends