As many IT departments struggle to keep up with yearly technology changes, company employees increasingly want to use their own devices to access corporate data.
It’s part of a growing trend dubbed Bring Your Own Device (BYOD), which encompasses similar Bring Your Own Technology (BYOT), Bring Your Own Phone (BYOP) and Bring Your Own PC (BYOPC) initiatives. All of them have evolved to empower workforces through the so-called ‘consumerisation of IT’.
As part of this consumerisation, BYOD encourages company employees to work on the device they choose – accessing corporate email on their iPhone 5 or using a Google Nexus 7 to view text documents. The goal for SMBs? Increased productivity and reduced costs.
But BYOD also has a darker side. If not fully understood and regulated, it can threaten IT security and put a company’s sensitive business systems at risk.
Why BYOD matters
The driving force behind BYOD is a new IT self-sufficiency among company employees who already own and use personal laptops, tablets and smartphones.
These mobile devices are often newer and more advanced than the equipment deployed by many IT departments. It’s hardly surprising that the rapid adoption of lightweight Ultrabooks, iPads and large-screened phones is changing the way that people want to work.
IT departments are playing catch-up and could easily refuse to embrace the BYOD idea. Surely it’s simpler to provide approved hardware and software applications so you can retain full control over them?
But Richard Absalom, an analyst at Ovum, believes that BYOD will happen whether a company plans for it or not. He says: "Trying to stand in the path of consumerised mobility is likely to be a damaging and futile exercise." The best thing that an SMB or enterprise can do is be aware of the benefits and understand the risks.
BYOD benefits and advantages
There are some key advantages to operating a BYOD strategy, including increased employee satisfaction (they can work more flexibly), cost savings (reduced hardware spend, software licensing and device maintenance) plus productivity gains (employees are happier, more comfortable and often work faster with their own technology).
As Mark Coates, EMEA VP at Good Technology, points out: "By enabling employees to securely and easily access corporate data on their own device, productivity levels will naturally increase. In terms of cost savings, there are huge benefits, since SMBs will not have to manage and fund a second device for employees."
Shaun Smith, technology practice director at Xceed Group, agrees. "At Xceed Group, allowing the use of consumer devices has helped improve both productivity and staff motivation," he says. But he also strikes a note of caution. "For a company to decide if a BYOD strategy would work for them they need to ensure due diligence is conducted – simply evaluating the benefits versus risks."
BYOD risks and disadvantages
While BYOD sounds attractive, businesses need to consider the full implications of allowing corporate data to be accessed on personal devices over which they may have little or no control. What data can employees have access to? What security measures are in place if an employee’s device is lost, stolen or compromised?
This is where convenience clashes with security. "Security and the loss of devices with limited password protection is naturally a key concern," adds Smith. "Increased consumerisation in the workplace can bring with it an increased risk from threats such as hackers and viruses."
There might also be cost implications. Even though IT hardware spend can potentially be reduced with a BYOD approach, it may cost more for a company to integrate and support a diverse range of employee devices. As Coates points out: "Android devices can be complex to manage as there are just so many different flavours – a huge variety of devices and a number of different versions of the operating system."
By far the biggest risk is not having any sort of BYOD policy in place. "Businesses need to recognise the importance of taking action," says Smith. "After all, by ignoring the problem they may unwittingly expose themselves to attack and, as a result, legislative or reputational threats."
Planning a BYOD policy
The advent of BYOD is forcing IT departments and IT managers to develop and implement policies that govern the management of unsupported devices. Network security is paramount. Beyond passcode-protecting employee devices, these policies might involve encrypting sensitive data, preventing local storage of corporate documents and/or limiting corporate access to non-sensitive areas.
"The first step for IT managers is to truly understand the problem they are trying to solve," suggests Coates. "And find the solution that matches. In addition to addressing immediate needs, the right solution will be scalable and manageable, and can grow with an organisation as its mobility strategy evolves and changes."
Coates outlines three stages for implementing a BYOD policy, starting with secure device management. "This is the basic functionality of managing devices, both those employee-bought or company-supplied. Let employees work on mobile devices and make sure nothing catastrophic happens. This leads to great improvements in productivity and loyalty.
"However, it’s at stages two and three where true mobile productivity and insight comes in, as the focus shifts to mobile applications and data. First by tracking and deploying mobile applications and then establishing mobile collaboration through secure app-to-app workflows, where mobility can be a true catalyst for change."
Implementing a BYOD policy
There are already several key players providing BYOD solutions, ranging from complete sandboxed access through to more lightweight (but user-friendly), policy-driven solutions. The key issue is to guard against data loss or leakage.
Smith has some practical advice for anyone trying to develop a BYOD policy: "Where any device accesses or stores corporate data, a full risk assessment should be carried out against a variety of threats, and appropriate mitigations put in place. This could include anti-malware, encryption, passcodes, remote wipe, preventing jailbreaking, and sandboxing.
"Invest in a solution such as Good for Enterprise that offers BES (Blackberry Enterprise System)-like functionality to Apple and Android devices, partition all corporate applications and data on devices to restrict the ability to ‘cut and copy’, enforce eight digit alpha-numeric passwords with a special character and install VMware or Citrix virtual clients on tablets."
An effective BYOD solution will enable you to secure the data, not just the device. With this approach, IT departments need not worry about compromising security in the name of usability.
"All in all, [BYOD] is about being innovative and helping your employees to work better," says Coates. "Employees want to use the devices that they are comfortable with in the workplace. They want to have the same experience at work that they have at home. People are used to using applications now, rather than browser-based solutions. By giving employees what they want, companies will ultimately benefit."