The genie is out of the bottle, the toothpaste is out of the tube, and the use of personally-owned devices for work—or at least, in the workplace—is an established practice.
Everybody worries about the security risks of bring-your-own-device practices, but almost as many enjoy the increased productivity and lowered corporate costs associated with them. While this isn’t all that new, the fact that the conundrum still exists is worth further examination.
And now, there’s an added twist: It seems those who use their own devices at work, and those who supervise them, aren’t always as altruistic as they might seem.
What work-life boundary?
Evolve IP, a cloud services company, surveyed 566 upper-level executives at companies ranging from fewer than 100 employees to those with more than 2,000 employees. Ninety-five percent of this sample enable or support BYOD programs.
Key results are fairly cheerful. Workforce participants report working remotely 10.5 hours a week, on average; 67% report using devices while commuting, adding 24 minutes to their work day; and 80% of the workers feel that the ability to work anytime and anywhere is a positive.
“The results clearly demonstrate that not only are employees happily embracing the technologies, the companies deploying them are seeing real gains in productivity,” says Guy Fardone, COO and general manager of Evolve IP.
Gartner Inc. has repeatedly looked into the BYOD phenomenon. In one study it finds that approximately 40% of U.S. consumers who work for large enterprises say they use their personally owned smartphone, desktop, or laptop daily for some form of work purposes.
“The lines between work and play are becoming more and more blurred as employees choose to use their own device for work purposes whether sanctioned by an employer or not,” says Amanda Sabia, principal research analyst at Gartner. “Devices that were once bought purely for personal use are increasingly being used for work, and technology vendors and service providers need to respond to this.”
But then there’s the dark side.
Many engage in sloppy device behavior
Intralinks commissioned the Ponemon Institute to survey more than 1,000 IT security professionals—including those in the financial services sector—in the United States, United Kingdom, and Germany about the risks of BYOD.
The conclusion, from Larry Ponemon, chairman: “Data leakage and loss from negligent file sharing is now just as significant a risk as data theft. While most companies take steps to protect themselves from hacking and other malicious activities, this report shows that these same organizations are entirely unprepared to guard against risky and ungoverned file sharing using consumer-grade applications like Dropbox … The goal of senior leadership should be to provide appropriate, secure solutions, and enforce policies to reduce the risk of employees behaving badly.”
[Dropbox is a free service that lets users post their photos, documents, and videos anywhere and share them easily.]
About 61% of this sample admit that they have often or frequently done the following:
• Accidentally forwarded files or documents to individuals not authorized to see them.
• Used their personal file-sharing/file sync-and-share apps in the workplace.
• Shared files through unencrypted email
• Failed to delete confidential documents or files as required by policies.
Ponemon isn’t alone. Kensington, which specializes in physical security of electronic devices, surveyed a number of North American industries, including financial services, about their approaches to BYOD. Findings show that 73% say that BYOD represents greater security risks for their organization, and yet 59% still approve the use of personal devices for business usage.
“With the rapid rise in the use of mobile devise and laptops, organizations need to become vigilant in their ability to protect those devices from the risk of theft or loss that may put critical business and personal data in the wrong hands,” says Judy Barker, global product marketing manager, Kensington.
OK, so maybe the balance tips other way, too
Security risks are all bad enough, but it gets more complicated. Back to the Gartner study. That research finds that, sure, the devices are used for work, but that’s not all. Playing games, tracking social media, and checking news and weather rank high on the list of what respondents admit using their devices for at work, particularly tablets. It might be of some comfort for bankers to know that, on desktops and laptops, online banking and completing online purchases also rank high.
Also, in this particular survey, Gartner found that of the 75% who chose to use their own device, half say they do so without their employers’ knowledge.
Even the Evolve IP survey has a similar finding: 90% of the respondents confess to using their mobile device for nonwork-related functions during work hours.
How to spend your money
Gartner adds another twist. In another study it looked at the economics of employers supporting their employees’ devices, while incorporating suitable security measures and controls. The long and short of it: It would behoove employers to support personal tablets, as opposed to smartphones, instead of trying to issue tablets.
“IT leaders can spend half a million dollars to buy and support 1,000 enterprise-owned tablets, while they can support 2,745 user-owned tablets with that same budget,” says Federica Troni, research director at Gartner. “Without a stipend, direct costs of user-owned tablets are 64% lower. When organizations have several users who want a tablet as a device of convenience, offering a BYOD option is the best alternative to limit cost and broaden access.”
Costs of enterprise smartphones vs. risk-mitigated private smartphones would be roughly equal, Gartner says. “While BYO initiatives for mobile devices can lead to cost savings, it is not always the case,” Troni says.
Beware “shadow IT”
BYOD shows no sign of slowing down—the economics and cultural imperatives are just too dramatic to ignore. One key thing to begin to manage the phenomenon is at least to have the corporate IT group be in charge of setting policy and monitoring compliance throughout the organization—instead of having individual lines of business set their own standards. The latter is sometimes known as “shadow IT.”
“The negative effects consumer-grade file-sharing and collaboration platforms are having on the enterprise are clear,” says Daren Glenister, CTO at Intralinks. “CIOs need to regain control of data, and to do that they need tools designed for the enterprise with security and compliance in mind, but without sacrificing end-user ease-of-use. Shadow IT is a powerful force, and it is one that CIOs need help fighting if they are to ensure the security and compliance of critical data.”
Sources used for this article include: