A Look at the Landscape: The State of BYOD
On the surface it makes a lot of sense. You use your MacBook Air or iPad at home. You have your own smartphone for personal use. Why not trim down the number of devices you carry and use the ones you like most at work?
According to Accenture, more than 40% of employees feel comfortable and capable making their own technology decisions for work, and management and IT executives are recognizing the importance of employees using the latest technology -- nearly 90% of them agree that consumer technology utilized by their employees can improve job satisfaction.
The number of personal devices connecting to the corporate network has more than doubled in the past two years -- with nearly half of those devices storing sensitive data, according to a survey from CheckPoint Security.
The Impact on IT Departments
IT departments have handled BYOD in varying ways -- by fully embracing it, by improvising a response or by simply ignoring it. And that's understandable, given how employee devices change the user-IT paradigm.
A multi-platform environment where some devices are personal and others are corporate-owned is the new "normal," but it comes with a series of new challenges:
- For the first time, enterprises are being exposed to multiple operating systems, models and operators -- requiring IT teams to become educated on a per-platform basis to support the safe use of each device type within the enterprise.
- The capabilities associated with each platform are different, as is the security of iOS, Android, BlackBerry and Symbian devices.
- IT departments are losing the ability to apply standard OS images to devices and control the security software. Full control over the mobile device landscape is no longer possible.
- Organizations' ability to recognize volume discounts from their usual suppliers is reduced given the purchase of fewer devices.
- Companies face the potential financial impact of compliance breaches resulting from private data leakage.
IT departments that are allowing BYOD can get caught in a perpetual state of "catch up" -- but this cannot be the case when it comes to the security of corporate data on personal devices.
BYOD's Inherent Security Vulnerabilities
90% of organizations will support corporate applications on consumer devices and 80% of professionals will use at least two personal devices to access corporate data by 2014, according to Gartner. As such, the regulatory and security concerns caused by the BYOD revolution are becoming very real for IT departments.
A recent report from Checkpoint Security reveals that 71% of businesses believe mobile devices have caused an increase in security incidents, citing significant concerns about the loss and privacy of sensitive information stored on employee devices, including corporate email (79%), customer data (47%) and network login credentials (38%).
BYOD presents unique challenges and potential vulnerabilities because IT departments lose the ability to control the OS image, enforce strong device-level security policies, restrict unverified third party applications and mandate security patches and OS upgrades. In short, they have lost administrative rights over the device. Consider the following:
- Most employees lock their phones with a PIN code as a key security measure, but according to McAfee, 11% of all PINs are one of five combinations. Additionally, consumer-grade mobile OSes have been notorious for exposing vulnerabilities that can make it easy to bypass a device's passcode.
- Corporate IT teams can often manage remote wipes of mobile devices if devices are lost or stolen. The problem is that by the time employees discover that they have lost a device, the data could have already been stolen, copied or reviewed by a third party. Also consider the fact that the wipe command won't be received if the SIM card has been removed or the radio turned off. And finally, many IT departments are not permitted to wipe personal-liable devices even if they are lost or stolen due to personal privacy regulations and fear of employee litigation.
- Like it or not, convenience wins. Employees therefore often bypass security measures to access the information, applications or data they need, when and where they need it.
Mobile Risk Management and the BYOD Workplace
BYOD can be, and most likely will be, a truly powerful enabler for both employees and the companies they work for. But as we move away from a "command and control" environment and put more power into the hands of the employee, we need to move as an industry from risk avoidance to risk management, respecting the balance between personal productivity and corporate data security.
There is little doubt that the consumerization of IT and BYOD trends can pose serious threats to IT security and compliance. But if embraced properly and with a thoughtful risk management approach, they could ultimately help usher in a new generation of security practices that effectively balance business needs with IT security requirements -- and, in an interesting paradox, could actually increase the levels of security and compliance while putting more power in the hands of the end users.
About the Author:
Tyler Lessard is the chief marketing officer of Fixmo.
Tyler heads up the marketing and product strategy group at Fixmo. He brings over a decade of experience in wireless technology, mobile apps, business development, alliances and solutions marketing. Prior to joining Fixmo, Tyler was Vice President of BlackBerry Global Alliances and Developer Relations at Research In Motion (RIM) where he managed a global team responsible for building and supporting an ecosystem of thousands of wireless app developers and enterprise solution providers on the BlackBerry platform.