Embracing and Defending Against BYOD

By TMCnet Special Guest Michael D. Osterman | September 03, 2013

Bring your own device and applications, or BYODA, is now more than just a trend – it is the norm in many organizations and becoming so in most of the rest. 

Our research has found that most of the iPhones and Android smartphones in use in the North American workplace are owned by employees, not their employers.

Dropbox is used in 58 percent of organizations, and many other employee-deployed file-sync/storage, telephony and other applications have found significant penetration in the workplace.

Corporate spending on BYOD programs is increasing, more than doubling in both mid-sized (100-999 employees) and large organizations.


There are two primary things that are driving the BYODA market forward. First, many employees want the newest or coolest devices available, and they are generally more willing than IT to spend significant amounts to acquire them. IT tends to be constrained by things like return-on-investment considerations to a greater extent than employees, and so IT decision makers are generally more reluctant to spend corporate funds on the latest and greatest devices without a sound business case.

Second, employees want to be more efficient and have access to all of their files from any device or location. The availability of tools like Dropbox, Google Drive, Microsoft SkyDrive and Skype – among many others – gives employees these capabilities at a relatively low cost. While these tools may not permit corporate policies focused on secure data storage, encryption, archiving, content screening, etc. to be followed, many employees are willing to sacrifice adherence to corporate policies in exchange for the convenience these tools provide.

It is important to note that very few employees use their own devices or applications with any sort of malicious intent – in fact, most embrace BYODA because they want to be more efficient and effective in their work. Moreover, corporate decision makers should understand that there are enormous benefits (and enormous return-on-investment for organizations) to be gained from the use of personally owned devices and various employee-managed applications when used for work purposes. These benefits include greater employee satisfaction, a potential decrease in corporate costs when providing mobile access, the potential for employees to be more productive, and the ability to implement telework programs more effectively and more quickly.


There are a number of significant risks from unmanaged BYODA, however.

Content that is created and stored on personally owned tablets, stored in a cloud-based file synchronization tool not approved by IT, or sent via personal webmail systems is less accessible to the organization at large. This makes it more difficult for IT and others within the organization to know the content it has available for e-discovery or regulatory audits; makes it more difficult to access this data when required; and makes content retention less complete, increasing overall corporate risk.

Because personally owned devices and personally managed cloud applications often use non-corporate networks for communication and storage, BYODA can create security-related risks through bypassing of corporate defenses focused on malware detection and remediation.

Organizations experience a reduced level of governance that comes from IT’s loss of control over personally owned devices, corporate data that is sent from and stored on these devices, the loss of control over access to corporate applications, and the potential loss of intellectual property that can result from the physical loss of a device that cannot be wiped. For example, our research found that 90 to 93 percent of company-owned smartphones can be remotely wiped (based on organization size), but only 68 to 79 percent of personally owned smartphones can be remotely wiped.


We recommend that decision makers consider the following approaches to managing BYODA in their organizations.

While some may opt for restrictive – perhaps draconian – policies that limit or prevent employees from using personally owned smartphones or tablets, or that prohibit the use of cloud-based applications or mobile apps of any kind, we recommend the opposite approach: namely, embrace BYODA and the overall trend toward the consumerization of IT, realizing that the trend is not going away and that it can provide numerous benefits.

It is vital that organizations implement BYODA policies about acceptable use of personally owned devices and self-deployed applications. This might include creating a list of approved devices, operating systems and operating system versions, cloud-based applications, mobile apps, etc. These policies should be as detailed and thorough as necessary, and should be included in an organization’s overall set of acceptable use policies that are focused on use of all corporate computing resources and access to them.

Educate users about best practices related to the use of personal devices and self-deployed applications. This should include how to properly access and manage corporate data and other resources, which applications represent a risk to corporate security and which are safe to use, the types of communications that are appropriate over various types of cloud-based applications and mobile apps, where it is not appropriate to access sensitive corporate applications or databases (public Wi-Fi or certain countries, for example) if appropriate encryption or VPN capabilities are not in place, etc.

Deploy the appropriate technologies that will enable sound management of personally deployed devices and applications. These might include mobile device management systems, mobile device malware detection and remediation systems, enterprise-grade substitutes for employee-deployed applications, content inspection systems, archiving tools, encryption, etc.

The BYODA trend is here to stay, and so decision makers need to understand the new reality of employees accessing corporate data and other resources with their own devices and via cloud-based applications and mobile apps that they have deployed themselves. Consequently, decision makers must develop policies, implement technologies, and (where appropriate) deploy enterprise-grade replacements for employee-deployed applications.

Michael D. Osterman is president of Osterman Research Inc. (www.ostermanresearch.com).

Edited by Stefania Viscusi