BYOD – Bring Your Own Device


Where employees once enquired about private medical cover and company cars, now they may ask to work on their own iPhone or Android. It’s a perk of the job that can boost productivity, but implement your BYOD policy incorrectly (or even pretend it’s not happening) and it could cost you dear, say our experts.

Post based on my interview* with Richard Dunnett of Director Magazine

Waking early one morning Cesare Garlati, vice president of mobile security at Trend Micro, reached for his iPad to check his email. It wouldn’t turn on; the tablet was dead. Garlati later discovered his young son had tried one too many times to guess his password to play Angry Birds. Faced with an unauthorised access attempt the corporate security policy flung into action preventing sensitive data from reaching the wrong hands and deactivating Garlati’s personal iPad in the process.

From an enterprise point of view the IT security systems held up and kept important information safe. The device too could be brought back to life and the corporate data restored. But as for Garlati’s personal photographs, videos and music collection – they were gone.

It’s Garlati’s job to raise awareness of Trend Micro’s security solutions but he offers the anecdote as proof of the security levels an organisation and its employees must be prepared to agree upon when implementing a Bring Your Own Device (BYOD) policy.

The appetite among employees to use their personal devices for work is growing. Of 100 business leaders surveyed at the Unified Communications Expo in London earlier this year 64 per cent said their employees wanted to use their own personal devices.

Driving this hunger is consumerisation – in other words the trend of new information technology being launched into and adopted by the consumer market before spreading to business. The iPhone, iPad, Galaxy Tab, Windows Phone and Android are all prime examples, and they risk making corporate-procured PCs and mobile phones look ancient.

There’s no point trying to stop this drive towards BYOD, says Garlati. “Consumerisation is unstoppable and BYOD brings real business value but a lack of a strategic approach can create security risks, financial exposure and a management nightmare for IT departments.”

Adrian Simpson, UK chief technology officer of software corporation SAP, believes employees want to match the personal device that suits their lifestyle to their work environment. BYOD allows employees to work at different times than they might normally, he says.

“They will work longer hours because they are able to interact with the systems that they need to at odd times of the day, and action workflow there and then rather than waiting until the following day when they are in the office.”

So how did we get to this stage? Three things are driving BYOD, says Garlati: the low cost of mobile devices, the simplicity of use and the availability of content. “There is no need to send your staff on training courses to operate smartphones.”

Generation Y – those born after 1982 and perceived to be technology literate – has certainly made an impact. Garlati argues that young people coming into the workplace expect simplicity. They associate themselves with a certain device and feel embarrassed using ones that don’t suit their lifestyle.

“Young people don’t want to work for a company with a traditional IT department that says no to everything,” says Garlati. “Being told to use a company-procured device is like being forced to wear corporate underwear. [Their argument is] the corporate doesn’t tell me what underwear I put on and they don’t tell me which device I use either.”

Ian Foddering, chief technology officer and technical director for Cisco UK and Ireland, points to his own company’s research which shows that offering a choice of device was an important consideration to potential employees.

“We found globally that 40 per cent of college students and 45 per cent of employees would accept a lower-paying job with a choice of device, than a higher-paying job with less flexibility,” he says.

That is not to say older executives are ignoring the trend either. “The demand for BYOD is just as likely to be coming from your own executives and your own CEO returning from a trade fair in Hong Kong with a shiny new, super-cool gadget they want to use,” says Garlati.

THE CHANGING ROLE OF IT
The employee demand for BYOD means IT departments are having to create a user-focused network. Huge demands are being placed on IT managers allowing access for a multitude of devices while maintaining a high level of security, performance and control, says Foddering. “The BYOD model will inevitably demand new support and operational structuring requiring businesses to plan and budget accordingly.”

No longer the provider of technological services, says Garlati, IT will become a broker between your internal user base and external organisations offering the same services to your company that IT used to provide but at a much lower cost and a much higher scalability.

“They are no longer driving this innovation, they are coping with it. This innovation is not happening in the realm of corporate IT, the companies behind this explosion are not IBM, HP or Oracle, they’re Google, Apple, HTC, Samsung, Amazon – and these are consumer brands,” he argues.

Instead of being the gatekeeper IT should enable the internal demand. “The generation of CIOs who say no to everything in the name of corporate security are getting fired or retiring. They are like dinosaurs heading to extinction,” he adds. “When I meet corporate clients I pay attention to where the CIO sits in the conference room. If the CIO sits on the same side as the business owner they don’t ask how do I stop it, they ask how can you help me make it happen.”

Sitting on the other side of the table, Garlati says, and pretending BYOD isn’t happening only drives the practice underground. And it could be executives driving it. A Cisco survey of 1,500 IT managers and executives in the US, Canada, UK, France, Germany and Spain showed that while 48 per cent of respondents said their company would never authorise employees to bring their own devices, 57 per cent agreed some employees use personal devices without consent.

That could mean choosing between knowing BYOD is happening within your company while pretending it isn’t, and giving the green light to a BYOD policy but putting strict security protocols in place. After all, says Garlati, corporates need to understand that consumer technology is not as secure and manageable as enterprise might expect.

“BlackBerry is a corporate platform for mobile. It ranks very high in terms of security. [Apple’s mobile operating system] iOS, Android and Windows Phone rank further down,” he says, referencing Trend Micro’s research into the enterprise readiness of consumer mobile platforms.

He recommends IT departments map technologies and user profiles, keeping an up-to-date list of innovations happening in the consumer space, such as Android, tablets and file-sharing service Dropbox.

“You have to go out to your end users, look at the consumer space and figure out what is happening there. What’s hot, what’s new, what will hit your network in the next few months.”

Garlati suggests defining user groups [of employees] based on roles, responsibilities and locations, and assigning each a security posture. “IT must do away with the single standard – procuring only the Windows laptop or BlackBerry mobile, for example – and adopt a flexible standard,” he says. “Figure out the possible options for each category of user wanting to bring their own device. You’re not saying no, but you’re not saying yes to everything.

“A corporate may recommend, procure, pay for and provide desk support for BlackBerry but set limitations for using personal devices – reading email but not opening attachments, for example.”

The trend witnessed by Simpson is of organisations wanting to assess what can be performed by devices. “It might be about you only allowing access to certain systems, information and apps you’ve put on to those devices rather than exposing everything from an organisation,” he says.

Another approach is to lock down the choices of personal devices allowed under the BYOD policy. “The danger is having to make sure you are up with the trends in the marketplace and what people are expecting to use rather than what’s convenient for your IT organisation.”
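The flexible standard described above (user groups that each carry a security posture, plus a restricted list of accepted personal platforms) can be expressed as a default-deny lookup. The following Python is an added example, not code from the article or from any vendor named in it; the group names, platform list, capability names and the passcode and encryption checks are assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Constructed policy for illustration: groups, platforms and capability
# names are assumptions, not taken from the article or any product.
CAPABILITIES = ("read_email", "open_attachments", "internal_apps")

# Security posture per user group, split by who owns the device.
POSTURES = {
    "executive": {"corporate": set(CAPABILITIES),
                  "personal": {"read_email", "open_attachments"}},
    "field_sales": {"corporate": set(CAPABILITIES),
                    "personal": {"read_email"}},
    "contractor": {"corporate": {"read_email"}, "personal": set()},
}

# Personal platforms the policy currently accepts.
ALLOWED_PERSONAL_PLATFORMS = {"ios", "android", "blackberry"}

@dataclass(frozen=True)
class Device:
    owner: str          # "corporate" or "personal"
    platform: str
    passcode_set: bool
    encrypted: bool

def allowed_capabilities(group: str, device: Device) -> set[str]:
    """Return what this user group may do from this device (default deny)."""
    posture = POSTURES.get(group)
    if posture is None or device.owner not in posture:
        return set()                      # unknown group or ownership class
    platform = device.platform.lower()
    if device.owner == "personal" and platform not in ALLOWED_PERSONAL_PLATFORMS:
        return set()                      # platform not on the accepted list
    if not device.passcode_set:
        return set()                      # no device passcode, no access
    granted = set(posture[device.owner])
    if not device.encrypted:
        # Unencrypted storage: mail can be read, nothing is kept on the device.
        granted -= {"open_attachments", "internal_apps"}
    return granted
```

The answer for a personal device is neither "no" nor "yes to everything": a field salesperson's own iPad gets `read_email` only, while the same person's corporate device gets the full set.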

TIGHTEN SECURITY
The biggest headache for organisations looking to adopt BYOD is the loss or theft of sensitive information and the security issues created by personal devices, according to a Trend Micro survey.

Companies must think about the security impact of pushing data on to devices, says Simpson, and ask themselves what would happen if it got into the wrong hands or was compromised. Regulatory issues posed by the Sarbanes-Oxley Act and Basel II accord need considering.

“A simple step would be to add another level of authentication to apps that contain secure information so the end user has both a passcode to open their device and another to open the application,” he says.

“You can also put encryption on to the data so the data being transferred across is encrypted and held on the device in an encrypted way. Equally if a device is lost or stolen, have you got the ability to lock down that device or kill the information that is on there so the device is safe from prying eyes?”

That extreme level of security, where a company has the ability to lock down and wipe a device owned by the employee means the organisation must clearly communicate their BYOD policy in an acceptable user policy, says Garlati. “We now have a situation where IT owns the data but the employee owns the device. This has never happened before because the device has always been a corporate asset. The acceptable user policy has always been treated as corporate use from a corporate device of corporate data. Now a company is trespassing on someone else’s property the moment they get into your device.”

This agreed policy between employees and organisations, explains Simpson, needs to make employees aware what standards are expected and what can happen. “That may be about enforcement of password settings, reporting what happens with compliance on the device or understanding what happens about locking and wiping the device,” he says. “It also could be about how much of the device does the organisation have control over? If you’ve got a 16gb device you don’t want the organisation taking 15gb of that and only leaving you 1gb for a game.”

SAP, which is testing a BYOD programme for smartphones and tablets among employees in a number of countries, has policies in place around the company accessing private data on the device and what users can and can’t do with the devices. “We’ve drawn the line at the data stored on the device, so that would include photos, but it wouldn’t mean going through their apps to other applications such as Facebook and Twitter,” says Simpson.

The line which enterprise and employee can and can’t cross on personal devices must be made absolutely clear in the policy documents – even when those stretch to 24 pages and simply require an agreement box to be ticked.

“The company needs to be able to show a court that they did everything possible to make the policy understood to the employee,” says Garlati. “You cannot change user behaviour unless you help them understand what is in it for them.”

MAIL AND MORE
The vast majority of BYOD usage is spent accessing email, calendars and contacts lists, and it is here where companies are most likely to see productivity gains, argue our experts. “Without a doubt the biggest app for mobile devices is email. If you are going to have a mobile device you need to have the ability to connect to my [the business’s] email and calendar system,” explains Simpson. “It brings good productivity benefits because it means you are more connected to what is going on within the organisation or with your customers or suppliers.”

Garlati says there is no question that employees checking their email during the evening commute, at home or at weekends are working more, and counters the argument that corporates already achieve that with company-issued devices. “Corporate IT deployment of mobile devices is never horizontal, which means that it doesn’t actually affect 100 per cent of the employee base because of the cost,” he says. “By relying on consumerisation this increasing productivity is much broader and extends to all.”

Employees, he adds, are more likely to use a mobile device if they own it. “Imagine you’re at home updating your Facebook page on your iPad and receive an alert that a new corporate email has arrived, you are likely to read it. If the same happens from your [work] BlackBerry you may turn it off.”

Going beyond email access to other corporate applications is dependent on the vision of the organisation adopting the BYOD approach, says Simpson. “Apps that you want to provision out on to devices can vary from linking into a workflow system to people inputting their expenses, travel receipts or timesheets – anything that requires input from the employee that you don’t want to limit them to being on their laptop or in their office. Those kind of things are quick wins.”

WHAT ABOUT THE COSTS?
From an organisation point of view, says Simpson, a big driver of BYOD is cost reduction. “If you can reduce the amount of assets you are managing yourself because you are not purchasing and managing the devices and the phones, then that can be seen as a cost-saving. The disadvantage is that mobile infrastructure is going to become more complex because to a certain extent you have less control over the organisation.”

When things start to go wrong and employees can’t send emails or open attachments do they turn to their phone operator or corporate helpdesk? “There is evidence that the calls or tickets to helpdesks generated by devices and technology not owned by the enterprise are three or four times more expensive than the equivalent tickets generated for known technology,” says Garlati.

“If the mobile device is provided by the enterprise, there is training and documentation associated with that, and plenty of tools that can remotely allow the helpdesk to remotely access the device and change the configurations.”

Companies looking to adopt BYOD need to balance the cost of setting up and securing a platform against the costs they incur from purchasing and maintaining the devices already, says Simpson. “The choice is how much do organisations want to control themselves versus how much they are willing to pass on to the employees. It may give them the flexibility but always comes down to cost and the security risks.

“BYOD requires some thought from organisations but that shouldn’t necessarily be a scary thing to consider because the end goal could be happy employees, secure information and a lower cost base overall.”

Companies will have to swallow the cost of extending this user experience even if they don’t have an appetite for the change, says Garlati. “From a corporate perspective BYOD is like paying taxes, it’s a cost of doing business.”

Ultimately, it’s up to individual businesses to work out if the risk of embracing BYOD and the cost of managing this new user network result in higher employee satisfaction, productivity and wealth creation.

* Original Article: http://www.director.co.uk/magazine/2012/05_May/BYOD_65_09.html

** More on Consumerization, BYOD and Mobile Security at http://consumerization.trendmicro.com/

About Cesare Garlati
Co-Founder, Hex Five Security, Inc. - Chief Technologist prpl Foundation
