BYOD! No, that’s not a misprint. BYOD stands for “bring your own device,” a policy that is catching on in Corporate America. By allowing employees to use their own mobile devices — smartphones, tablets, laptops — in the workplace, companies hope to reap big savings in equipment and training costs, and big gains in productivity.
More than 80% of employed adults already use their personal devices for work, says a recent Harris Interactive poll for security firm ESET. And according to a 2011 Forrester Research survey of IT decision makers commissioned by security firm IronKey, 79% believe the “increasing diversity of our end-user devices” will have a significant to moderate impact on IT-services spending. Sixty percent say they have already seen savings in that area. Those savings can be significant, says IronKey CFO Mark Schulte, since, “according to Forrester, 23% of an enterprise’s hardware spend is on end-point devices.”
“CFOs love [BYOD],” says PricewaterhouseCoopers principal David Edelheit. “In the past, the company paid for the device and paid for usage, which was a high and unpredictable cost. Now, with BYOD, they can say, ‘I’ll allocate $100 for you to buy the device. You want to buy a $500 device? Go ahead. We have discounts with these four vendors. It’s your choice. And I’ll pay $50 a month for business usage.’”
One corporate advocate of BYOD is Pandora, a rapidly growing Internet service that enables people to create personalized radio stations streamed over the web. The company allows its employees to use their devices for work and pays them for their data usage, making no distinction between personal and work use.
While the policy obviously lowers Pandora’s capital spending, CFO Steve Cakebread says those savings are “insignificant” compared with the productivity gains he sees by letting employees use technology they know and like, not to mention the money saved in training costs.
“Technology is changing so fast that controlling the hardware and software environment” is not worth the trouble, argues Cakebread. With BYOD, notes Jim Buckley, finance chief of mobile-device management firm MobileIron, “companies no longer have to deal with the device life cycle. Smartphones and tablets generally change every 18 months. That’s a lot of new technology the enterprise no longer has to keep up with.”
Data in the Wild
But the enterprise does have to keep up with what’s on those devices. The employee may own the smartphone, but not the corporate data on it. Indeed, the data’s mere existence on employee-owned devices may present an auditing risk.
“The definition of what’s sensitive data is expanding,” says Todd Thiemann, senior director for product marketing at Vormetric, an enterprise encryption, key management, and data security firm. “It used to be compliance data,” such as payment-card and health-insurance information, “but today it could be an e-mail list,” he says.
And as the number of devices bearing sensitive data “in the wild” increases, so do the security risks, says Thiemann. Although there hasn’t yet been a significant data breach involving mobile devices, “it’s just a matter of time,” he predicts. That conclusion was given weight by a recent IDG survey in which three-quarters of the respondents said their companies allowed them access to corporate data on their personal devices, while fewer than half said their companies had a “well-defined” corporate access policy.
But trying to stop people from bringing their own devices to work is futile, says IronKey’s Schulte. Fernando Alvarez, mobile solutions practice leader for technology consulting firm Capgemini, points out that exceptions have a way of growing up around policies, rendering them ineffective. “You see a lot of people with laptops and secure IDs and passwords,” he says, “and then some top executive wants to read a corporate report on the iPad his wife bought him for Christmas, and who’s going to say no? There’s no consistency.”
Secure the Network
The way around the security problem, some experts maintain, is to forget the end point and secure the network that all those devices are attempting to access. For example, IronKey’s Trusted Access product creates a cloud-based virtual environment. When users want to access corporate data, their requests go not to the corporate database but to IronKey, which vets them and then routes the data through its own network.
Pandora, which has most of its information systems and data in the cloud, uses Okta, a software-as-a-service identity and access management tool, to secure its application portfolio. With one call, says Cakebread, “we can take anyone off the whole system. We just decommission the password and login.”
Cakebread says he is currently looking at technologies for protecting and tracking mobile devices that go missing. Still, he considers the risks of BYOD minor compared with all the problems it solves. Above all, he says, “what we want is for our employees to be productive.”
As the BYOD trend accelerates, companies’ ability to support their employees’ productivity while attempting to control all those devices will be sorely tested. PwC’s Edelheit recommends proceeding with caution. “Take a phased approach,” he advises. “Pilot with power users. Find out what works, what doesn’t, what you can allow, and what you can’t.”