I was recently asked a number of questions concerning bring-your-own-device (BYOD) security implications. Here are my responses...
1. According to research the majority of organisations now permit employee-owned devices in some way. Should all employers be adopting a BYOD scheme?
I actually disagree with the research results in the question. The majority of organisations *surveyed* may be permitting employee-owned devices, but I don't know who did the survey or the sample size. In my experience the majority of organisations are still battling with what to do in response to BYOD and consumerisation, let alone having gone through the process of permitting the use of employee-owned devices.
Worse than that, many organisations have users accessing their systems, such as email, using employee-owned consumer devices without the formal approval of the business or the support of an associated acceptable use policy. This is a huge risk that businesses need to get a grip on before it is too late. I certainly don't agree that all employers should be adopting BYOD schemes. It very much depends on the nature of their business, the likely return on investment of putting in such a scheme and the associated risks of data loss, data breaches and reputational damage for starters.
2. BYOD is important to the enterprise but is BYOD a business enabler or disabler and are personal devices a necessity for productivity?
Well, BYOD may or may not be important to an enterprise, depending on the enterprise's business objectives. I agree that personal devices can be very useful productivity tools, but ownership of those devices will very much depend on what work the user is trying to do. I would hate to think that workers needing to access top secret government data could do so using whatever latest smartphone catches their eye - that would be madness. On the other hand, a well secured, controlled, hardened and managed device may have a part to play in such environments. But it would need to be issued by the organisation and not brought into work by an employee willy-nilly.
3. BYOD poses significant risk but do the cost savings outweigh the risks?
It depends, as each organisation will present its own business case. In many cases BYOD may actually increase costs, so there are no automatic cost savings. After all, the cost of buying a device may be a relatively small proportion of its ongoing management costs. The risk "costs" are more about the value of the data - losing the latest product plans to a competitor will be far more costly than replacing the smartphone.
4. Implementing BYOD in the workplace will not be straightforward. What is the biggest challenge associated with BYOD?
User education, and getting the workforce on board with understanding the implications of using their own device to access company data. Once you explain that you may need to remotely wipe the device and accept no responsibility for erasing their own personal data, some will start to question the wisdom of using their device at work.
5. Without effective security in place, company data could be compromised. How best can companies secure their information?
...by implementing decent policies and procedures, supported by user education and a decent mobile device management solution.