An increasing number of organisations are accepting employee-owned mobile devices in the trend dubbed bring your own device (BYOD).
What’s driving this trend, what are the risks and what should CIOs factor into the decision whether to support user-owned hardware?
According to Forrester Research analyst Christian Kane, the trend is the result of pressures from two different directions.
“On the one hand, consumers have developed a love affair with new devices and all the different ways they can be used. Since most consumers are also employees, they have created a groundswell of demand to bring familiar personal devices to work. Some consumers are executives, and they also want to bring their smartphones or tablet computers into the office, so they pressure IT to give them access.”
On the other hand, says Kane, finance departments are pushing for BYOD by asking the following question: “If our employees already own these handsets and they’re using them for work, why does the company pay for devices and communications services?”
Recognising this move towards blending personal and business use of technology, many companies are already writing rules and guidelines for BYOD into their mobile device usage policy.
On top of that, organisations are relaxing rules to accommodate personal handhelds for at least some business services.
“CIOs must embrace it, and in doing so, open and innovate quickly in the corporate workplace,” he says.
Companies that do embrace BYOD are cutting costs in at least two ways. The first is that employees usually share at least some of the expense of buying the device.
The second is that less training and support are required.
The worker chooses the handset usually because he or she is already familiar with it and doesn’t need to be shown how to use it.
But not everybody is on board. Naomi Connell, CFO of construction business VolkerWessels UK, says that hardware savings are offset by the need for extra IT resources.
“There is no doubt that BYOD brings some savings to the company. Hardware costs are reduced and staff can more easily connect to company systems from home on their own devices,” she says.
“However, these benefits are currently outweighed by the additional IT resources required to support the different devices and additional connectivity, as well as the software and procedures needed to protect the network.”
Forrester’s Kane warns CIOs that the new mobile platforms have been designed for the consumer and not the enterprise.
“Many firms find that these platforms don’t provide them as much control as they have with enterprise-grade systems, such as Blackberry Enterprise Server,” he explains.
“Furthermore, consumer applications which synchronise with cloud services present the danger of company information being stored somewhere the company doesn’t control.”
Some see other risks.
VolkerWessels UK CTO Melanie Nurse warns that non-standard clients invite security breaches.
“With malware releases that exploit your mobile data already at an alarming high and set to double in the next year, it is more important than ever to adequately protect our company’s data and this is extremely difficult without standardisation and control,” she says.
CIOs on the BYOD bandwagon are overcoming these challenges by deploying state-of-the-art mobile device management (MDM) platforms which allow them to control a variety of handsets.
Such systems allow IT to remotely configure user devices and selectively prevent them from connecting to certain IP addresses – for example, the addresses of untrusted cloud services.
MDM platforms typically provide a number of other features, such as automatic backup, data encryption, and device wipe and lockdown.
Many organisations that allow BYOD install virtual private network (VPN) software on the employee devices that connect to company data services.
One of the fears of IT directors is of split tunneling, where a device is simultaneously connected to a public internet site and to the enterprise through a separate, secure tunnel.
Here too a solution exists: split tunneling can be disabled on all devices through a central MDM platform.
While there are some dangers and some mitigation strategies, each company has to assess its own risks and weigh those against the benefits of BYOD. To make an informed decision, IT and finance directors should ask themselves the following seven questions:
When devices hold sensitive corporate data, will the IT department have the right to perform a full or partial device wipe?
This issue treads in murky legal waters, because while the hardware belongs to the employee, the information belongs to the company. Many companies are having staff sign an agreement allowing IT to automatically remove company information from personal devices.
When data is automatically backed up from mobile devices by a management platform, does the platform have to distinguish between corporate and personal data?
Organisations should have staff sign agreements on what data gets backed up.
Some employees do not want their personal information copied, because they consider it an invasion of privacy.
Others view having the company back up their information as a useful service they don’t have to pay for themselves.
Can IT be sure that all devices are running adequate virus protection software?
BYOD opens the door to a wide range of platforms. Since most companies can’t support everything, they limit their policy to certain types of devices running specific operating systems.
In the process of selecting which handsets will be included in the policy, one must consider whether the proper virus protection software is supported.
Can IT be sure data is adequately encrypted on each device?
When the workforce needs sensitive information on their personal handsets, the company needs to ensure that information can be encrypted on the device.
Here too it’s important to limit the number of supported platforms to those that can run the necessary security software.
Under what conditions will devices be allowed VPN access?
While some job functions never require mobile workers to log in to secure applications, whenever employees have to access systems behind the firewall, they need proper VPN software to get them in.
IT directors need to have a clear idea of who needs VPN access and what kind of handsets those users have.
What platforms have to be deployed to render application content on a variety of device types which have different screen sizes and characteristics?
Creating a mobile solution is never simply a question of squeezing the functionality of a desktop application into a smaller device.
Content has to be reformatted to fit the smaller screen, and data has to be synchronised between the remote device and enterprise servers. A variety of gateways perform these functions and more.
BYOD makes the matter a little more complicated by increasing the range of devices, resolutions and operating systems on which to render content.
No mobile application gateway will support absolutely every handheld – in fact, most only support a small number, so some models will be outside the BYOD remit.
Along with the MDM platform, application gateways must be factored into decisions on which handsets to include in the BYOD policy.
Who pays the communication bill and how can costs be controlled?
BYOD is not only about the device; it’s also about the communication plan.
Once a worker uses a single handheld for both personal and business matters, he or she will also have a single communication plan.
Some companies provided an allowance for communication costs, which they base on average monthly charges across the worker populations.
In this scheme, employees pay their own bill and then file expense reports so they can be reimbursed up to the amount of the allowance.
Many organisations encourage workers to use the same network provider as the company.
Employees usually benefit by getting lower rates, the operator benefits through increased volume, and the IT department benefits by having fewer numbers to call when they need to troubleshoot network problems.
In some cases, doubts remain on certain issues.
There might be a popular device that can’t be supported by the selected MDM platform. One solution is to provide different classes of service. The IT department can provide full support to devices on its preferred list, and rudimentary support to all others.
Some companies partition the problem by type of software. They provide full support for work applications and “guidance” on questions related to personal applications.
Having weighed the costs and benefits and factored in the risks, many organisations are moving forward with BYOD at a steady pace.
To all IT directors considering an employee-owned device policy, Forrester’s Kane offers the following advice:
“Make sure you have a mobile policy which states who’s eligible for BYOD and what constitutes proper use. Adopt a mobile device management platform to begin getting some control over the devices, but don’t think it will be a silver bullet that will solve all of your management and security issues.
"Keep in mind that the technology is still evolving and still has plenty of room to mature. Above all, start now with long-term goals to support as much as you can, but make baby steps in the beginning. Don’t give access to everyone and every device immediately.
"Most firms start with email contacts and calendar only and don’t provide full network access right away. Some firms start with iOS first or only allow certain operating system versions (for example, iOS 4.3+ and Android 2.2+).”
Perhaps understandably for a telecoms provider, Telefonica already has more than 1000 users in its BYOD programme, and its group CIO Jordan agrees that organisations should get started on similar schemes.
“Securing all personal devices and offering an elegant and native BYOD capability is a great way to increase productivity and create fans of IT inside the company,” he says.