The genie is out of the bottle, the toothpaste is out of the tube, and the practice of bringing your own device to work will not go away.
It’s a function of economics, pace of technology advancement, and the cravings of individuals and the businesses they work for to always have the best tools to do their jobs.
Everybody benefits with BYOD. Companies benefit by avoiding costs to keep their employees fitted with the latest gadgets, while gaining increased productivity in return. Employees benefit by avoiding frustration with having to use less useful company-provided gadgets and instead are able to use the better, faster, and cooler new gadgets.
Crooks, unfortunately, also benefit from BYOD, especially when employees and employers rely on outdated security measures or, worse, forgo security measures altogether, enabling data theft, tampering, or destruction.
Still, like it or not, BYOD is no longer—if it ever was—just a fad. It is, or should be, a discrete corporate strategy.
“For CIOs to consider BYOD activities within their organization to be a temporary problem generated by a few disaffected employees would be a tragic mistake,” says Darryl Carlton, research director at Gartner. “This is a leading indicator of change for which an appropriate response is required. Reasserting control is not an appropriate response. This is a permanent and irreversible shift in the way that IT is procured and implemented to support the organization, suppliers, and customers.”
Similar sentiments pop up elsewhere. Dean Douglas, the new CEO of Unify—which used to be known as Siemens Enterprise Communications—had this to say when he took over the corporate reins: “We’re in a dynamically changing market, driven largely by trends around the rise of the anywhere worker, bring your own device, and the role of millennials in the workforce. Users are demanding intuitive apps, instant gratification from technology, and the ability to work from anywhere with seamless collaboration across multiple devices. These big trends have created an environment where today’s businesses are faced with the challenges—and opportunities—of meeting the demand for the new way to work.”
Last summer, the business analyst Ovum released survey results that conclude BYOD is “here to stay.” It shows that 68% of smartphone-owning employees bring their own smartphone to work, and more than 15% of these do so without the IT department’s knowledge; 21% do so in spite of an anti-BYOD policy.
“Trying to stand in the path of consumerized mobility is likely to be a damaging and futile exercise,” says Richard Absalom, consumer impact technology analyst at Ovum. “We believe businesses are better served by exploiting this behavior to increase employee engagement and productivity, and promote the benefits of enterprise mobility.”
Not to belabor the point, but Juniper Research, in its own study, estimates that the number of employee-owned smartphones and tablets used in the enterprise will exceed 1 billion by 2018, or more than a third of the total installed base of consumer-owned tablets and smartphones.
Juniper takes this a step further (as do the others, either implied or inferred): “While BYOD has the potential to benefit organizations in terms of enhanced employee satisfaction and productivity, the threat from unprotected employee mobile devices is of significant importance.”
Dovetailing into this, the Ponemon Institute, on behalf of Lumension (a provider of endpoint security) polled 676 IT security professionals, and more than 75% said mobile devices pose the biggest security threat in 2014, up from just 9% in 2010. While 68% said their mobile devices have been targeted by malware in the past 12 months, 46% said they do not manage employee-owned mobile devices.
And dovetailing once more into this is Wendy Nather, research director for 451 Research: “Mobility and BYOD are no longer theoretical—even for enterprises that think they’ve banned them—and the risk isn’t confined to the devices themselves. They affect the entire organization from the standpoints of security and compliance.”
She was speaking on behalf of Trustwave, which specializes in digital network security and which last year unveiled a dedicated mobile security practice aimed at providing BYOD protection. The practice includes several discrete but connected services: enterprise mobility assessment; “self-sealing” network protection; and Trustwave SpiderLabs Services for Mobile—a team of threat researchers, forensic investigators, and ethical hackers.
(Note: ABA’s Corporation for American Banking lists Trustwave’s network security and data protection services as one of its endorsed set of solutions.)
A quick internet search found a number of other vendors similarly providing BYOD security services for businesses, each taking various approaches. Each should be evaluated on its own merits.
With such profound and growing risk involved, it’s a little surprising that the banking regulators have not said much about BYOD. A search of OCC, FDIC, the Federal Reserve, and even the CFPB produced no results for “BYOD.”
The main governmental body that’s shown any formal interest is the National Institute of Standards and Technology, which last summer issued “Guidelines for Managing the Security of Mobile Devices in the Enterprise.” These are only guidelines, and are directed specifically at smartphones and tablets, and not laptops, desktops, or old flip-phones. Still, they are something. In a nutshell, NIST says organizations should:
- Have a mobile device security policy.
- Develop system threat models for mobile devices and the resources that are accessed through the mobile devices.
- Consider the merits of each provided security service, determine which services are needed for their environment, and then design and acquire one or more solutions that collectively provide the necessary services.
- Implement and test a pilot of their mobile device solution before putting the solution into production.
- Fully secure each organization-issued mobile device before allowing a user to access it.
- Regularly maintain mobile device security.
Rest assured, NIST’s document goes into a lot more detail on each of these points.
But the cat remains out of the bag, the horse is out of the barn, and BYOD…well, you know. Ovum, in a separate, looking-ahead-to-2014 piece, says this:
“Businesses are already responding to BYOD with CYOD (choose your own device) or COPE (corporate-owned, personally enabled) strategies—in which employees are given a choice of devices to use by their employer and may also be permitted to use them for personal purposes—and we expect to see more of this in 2014.”
ABA offers a series of five cybersecurity webcasts/briefings through March, some of which address BYOD. Topics include: Third Party and Outsourcing Risk Management: Exploring the OCC and Federal Reserve Guidance; Mobile Banking Security; Endpoint Security and Anomaly Detection: Protecting Your Customers; Managing Cloud Computing; and Distributed Denial of Service Attacks: Managing and Mitigating the Threat.