By: Nigel Stanley, Practice Leader - IT Security, Bloor Research
Published: 14th December 2012
Copyright Bloor Research © 2012
I was recently asked a number of questions concerning bring-your-own-device (BYOD) security implications. Here are my responses...
1. According to research the majority of organisations now permit employee-owned devices in some way. Should all employers be adopting a BYOD scheme?
I actually disagree with the research results in the question. Maybe the majority of organisations *surveyed* are permitting employee-owned devices, but I don't know who did the survey or the sample size. In my experience the majority of organisations are still battling with what to do in response to BYOD and consumerisation, let alone having gone through the process of permitting the use of employee-owned devices.
Worse than that, many organisations have users accessing their systems, such as email, using employee-owned consumer devices without the formal approval of the business or the support of an associated acceptable use policy. This is a huge risk that businesses need to get a grip on before it is too late. I certainly don't agree that all employers should be adopting BYOD schemes. It very much depends on the nature of their business, the likely return on investment of putting in such a scheme and the associated risks of data loss, data breaches and reputational damage for starters.
2. BYOD is important to the enterprise but is BYOD a business enabler or disabler and are personal devices a necessity for productivity?
Well, BYOD may or may not be important to an enterprise, depending on the enterprise's business objectives. I agree that personal devices can be very useful productivity tools, but ownership of those devices will very much depend on what work the user is trying to do. I would hate to think that workers needing to access top secret government data could do so using whatever latest smartphone catches their eye - that would be madness. On the other hand, a well secured, controlled, hardened and managed device may have a part to play in such environments. But it would need to be issued by the organisation and not brought into work by an employee willy-nilly.
3. BYOD poses significant risk but do the cost savings outweigh the risks?
It depends, as each organisation will present its own business case. In many cases BYOD may actually increase costs, so there are not automatic cost savings. After all, the cost of buying a device may be a relatively small proportion of its ongoing management costs. The risk "costs" are more about the value of the data - losing the latest product plans to a competitor will be far more costly than replacing the smartphone.
4. Implementing BYOD in the workplace will not be straightforward. What is the biggest challenge associated with BYOD?
User education and getting the workforce on board understanding the implications of using their own device to access company data. Once you explain that you may need to remotely wipe the device and accept no responsibility for erasing their own personal data some will start to question the wisdom of using their device at work.
5. Without effective security in place, company data could be compromised. How best can companies secure their information?
...by implementing decent policies and procedures, supported by user education and a decent mobile device management solution.
Posted: 17th December 2012 | By Chris Robinson :
All the research seems to conclude that lots of companies let people connect their devices to the network, but recent more balanced research by Azzurri shows that these are almost always for a tiny minority of employees. The research is also great in that it shows that BYOD is not aligned to the needs and priorities of even these companies. A model called "Choose Your Own Device" is not very popular at the moment but is the best fit because it offers the benefits of BYOD but without the business losing control.
Posted: 18th December 2012 | By Gary Griffiths :
I agree with your first 4 points, but wanted to offer an alternative view to #5 :-)
MDM has little to no role to play in securing mobile data, when it comes to BYOD. MDM does not offer device or data security. It merely helps you leverage device level controls, some of which can help secure data. However, the relevancy for BYOD is not there. Why? Every device level control is not appropriate to be enforced on personally owned devices. No one should dictate that a user must have a 12 digit complex passcode on their device, even if they just want to take a photo or play a game.
There is a better approach in my mind. It has 3 elements.
1. Secure your data at rest and in transit through technologies like encryption/VPN
2. Prevent corporate data being 'leaked' to non-secured apps or cloud services (using containerisation or virtualisation)
3. Enforce strong access to business data (via multi-factor authentication)
Each of these can be achieved at an application level, without the need for imposing restrictions and controls at a device level that only significantly hurt user experience.
My 2 cents :-)
Posted: 19th December 2012 | By Tony Young :
I'm the CIO for Informatica and we've looked at BYOD/BYOPC extensively. We've surveyed many other companies to understand their policies and plans. From my perspective, there's only one right answer -- do what's best for your company. And, doing what's best really depends on the company culture, the industry you are in, regulatory requirements, geographies you operate in, etc. Many of us grapple with this issue as we try to balance the needs of the employee with the needs of the company and try to optimize the solution. Nonetheless, there is no "silver bullet."
The messages above were all contributed by IT-Director.com readers. Whilst we take care to remove any posts deemed inappropriate, we can take no responsibility for these comments. If you would like a comment removed please contact our editorial team.
Published by: IT Analysis Communications Ltd.