The term "BYOD" sends those in IT running for the hills these days. Creating a BYOD policy presents a difficult choice for companies: Either you limit the use of devices that may make employees more productive and happy or you open up the enterprise to some huge security and legal issues. In many respects, it's a catch-22 for enterprise IT.
The goal of BYOD is to serve the needs of the employees better and make sure companies adhere to sound security and data compliance policies, as well as leveraging technology in the right way. Also, employees need to leverage their device for personal use without getting the company in trouble around privacy issues.
According to Aberdeen Group, last summer the bring-your-own-device (BYOD) phenomenon emerged during the third wave of smart phones. The rapid growth and interest in BYOD coincided with the debut of the online "app store" in 2008. "In seven Aberdeen reports published between January 2008 and July 2012, the percentage of respondent organizations that permitted employee-owned mobile devices to be used for business purposes grew from 10% to more than 80%, a compound annual growth rate (CAGR) of 70%," according to Aberdeen Group. (See Figure.)
However, in 2013, we saw a bit of a pushback on BYOD, as cloud platform security became more of an issue.
"For three in four IT security professionals, bring-your-own-device is one of the 'greatest inhibitors to effective cloud security,'" said Cloud Tech's James Bourne, in reviewing a recent report from AccelOps that talked to 176 IT security personnel. The results of the report put BYOD ahead of data control and data loss -- traditional topics for cloud security worriers -- as the main security threat.
No matter where your enterprise is in this learning cycle, perhaps it's time that you reevaluate your policies and strategy around BYOD.
The first priority of a sound BYOD policy is to secure the employee device to meet any number of corporate security standards, allowing them to participate on the network as a managed client. Moreover, enterprises need to secure corporate data. Finally, allow the employees to use their devices freely for personal use.
The first wave of BYOD and mobile policies seemed to be a kneejerk reaction to the demands of employees to use their phones and tablets at work. Indeed, if an enterprise did not support the use of the device, its employees just figured it out on their own, security policies be dammed.
Today, many enterprises are revaluating their BYOD/mobile policies, typically doing at least one of the following two things:
- Create tighter policies around BYOD, including clear and detailed guidance around what devices are supported, what is considered proper use of these devices when dealing with corporate data and even legal agreements between the company and the employees who are leveraging their own devices.
- Leverage device management software to manage these devices to meet the degree of security and governance required by the company. While these systems vary greatly in capabilities, they allow for much more control over employee-owned devices, sometimes limiting how the device is used and monitoring sensitive data transferred to the device.
The downside is cost and liability. People are needed to administer and enforce tighter policies, and they require resources. Moreover, any technology required to manage employee-owned devices is at an extra cost as well.
In some cases, employees have sued employers over the use of monitoring systems, claiming undue invasion of privacy. Employees have also sued for unpaid work, as employers have found that BYOD devices are an easy way to get some extra work done after hours. For example, Chicago police are suing the city of Chicago, making the claim that the city owes the officers overtime pay for work performed on BlackBerry phones provided by the city.
You can count on the use of mobile devices within larger enterprises to be more trial and error over the next few years. Where once the policies were very open and liberal, these days enterprises place more restrictions around the use of devices not owned and controlled by enterprise IT.
About the author
David "Dave" S. Linthicum is with Cloud Technology Partners and an internationally recognized cloud industry expert and thought leader. He is the author and co-author of 13 books on computing, including the best-selling Enterprise Application Integration. Linthicum keynotes at many leading technology conferences on cloud computing, SOA, enterprise application integration and enterprise architecture.
His latest book is Cloud Computing and SOA Convergence in Your Enterprise: A Step-by-Step Guide. His industry experienceincludes tenures as chief technology officer and CEO of several successful software companies and upper-level management positions in Fortune 100 companies. In addition, he was an associate professor of computer science for eight years and continues to lecture at major technical colleges and universities, including the University of Virginia, Arizona State University and the University of Wisconsin.