Who Killed BYOD?

Once seen as a fast and inexpensive way to enable enterprise mobility, BYOD presents too great a risk for most organizations.

WKB ImageIn a perfect world, bring-your-own-device (BYOD) initiatives would simply relieve your organization of the cost of equipping employees with smartphones, tablets, or laptops without any downside risk. Alas, we do not live in a perfect world, leading to the increasingly common view that BYOD’s future in the organization is limited.

It’s true that BYOD looks easy. It’s inexpensive and it lets workers use their preferred devices, which should boost productivity. But the reality is more complex. For most security-conscious organizations – and certainly for those in the highly regulated financial and healthcare industries – BYOD simply isn’t worth the risk.

The problem is the people

BYOD requires employees to understand and embrace security protocols whose importance they may not fully grasp. This can lead to security lapses when workers fail to keep devices current with the latest application updates and patches, access poorly secured Wi-Fi networks, or move documents between the network and their preferred cloud storage services. This can also put the network and corporate data at risk.

By initiating a BYOD program, you are empowering employees to share anything their devices might pick up “in the wild” with your systems. This significantly raises the bar for the kind of defenses an organization should – but likely won’t – have in place.

In a global study commissioned by Aruba Networks, nearly a third of workers reported having lost data due to the misuse of a mobile device. Such misuse, whether intentional or not, thwarts the very productivity gains promised by BYOD, and can expose the organization to a variety of security breaches.

The study, titled Securing #Gen Mobile: Is Your Business Running the Risk?, illustrates the surprising risks that your most tech-savvy employees might represent. Younger workers, those between 25 and 34 years old, are twice as likely to experience data and identity theft as workers over age 55. Add to that the fact that over 50 percent of respondents would willingly disobey their boss in order to get their job done, and the risks grow larger. Worse yet, 77 percent said they would be willing to deal with device issues themselves, rather than wait online to get in touch with IT departments.

The study polled more than 11,500 workers in 23 countries and found 87 percent of employees assume their IT departments will protect them from threats, and yet 31 percent admitted to losing data due to mobile device “misuse.” In addition, brand and operating system ranked far higher in priorities than security when this generation of workers makes purchase decisions.

More frightening for an IT security team, Aruba found that device sharing is rampant. Fully, six out of ten workers surveyed reported sharing their work and personal devices with others. Worse, almost 20 percent don’t use basic password protection on their smartphones or tablets, while 22 percent stated “they don’t have security measures in place so that they can share more easily.”

The Aruba study also shows 39 percent of respondents at financial institutions admitting to losing company data. That’s 25 percent higher than the average industry surveyed.

Business owners operating or contemplating a BYOD initiative really have to consider it much more of a security concern than an IT or operational issue. The organization has to ask whether it can truly secure BYOD. Unfortunately, at the end of the day, the answer is probably “no.”

One of the main issues to come from the Aruba study is that workers actively disobey policies. Tracking and correcting such behaviors can be daunting. It is possible for companies to perform regular device checks and block out-of-compliance endpoints, but you’re virtually guaranteed to create some ill will in doing so. It will require buy-in from the C-suite to enforce the rules and discipline workers who break policy.

So, when you ask the question, “Who killed BYOD?”, the answer – as it often is – is opportunistic hackers taking advantage of typical workers.

CYOD to the rescue

A choose-you-own-device (CYOD) program strikes a much more desirable balance of convenience, cost, and control for most organizations.

Yes, the organization will incur more direct upfront and carrier costs – and some workers might grumble that you didn’t pick their particular favorite device – but the ability to secure and control all devices will greatly reduce the impact of any rogue behavior on the part of users.

A CYOD framework is pretty straightforward. The organization identifies the menu of smartphones, tablets, and laptops it wishes to offer workers, and workers make their choices from that menu.

In the CYOD scenario, workers get a voice in which devices they use, and IT gets to install security software and set up administrator, firewall, and network permissions before a worker powers it up for the first time. Then, over time, IT can continue to monitor and patch devices, secure in the knowledge that it has visibility into their settings and the applications running on them.

When planning your CYOD rollout, don’t skimp on the “C”, or choice. To get real buy-in from users, it helps if you provide a choice of devices equal in capability and quality to those which they might consider if they were purchasing one themselves. This is especially important if you’ve been running a BYOD program, where workers personally selected and purchased devices.

“If you’ve been running a BYOD program, you will probably face some resistance from some workers who love the device or OS they’re used to,” says Zones solution architect and mobility specialist Chris Brown. “When making the transition, you’ll want to clearly communicate the benefits to the organization, and then provide training on the new devices to allay workers’ concerns.”

SJ107 Cover
Read more about mobility issues, trends and solutions in the Spring 2015 edition of Zones Solutions Journal.

The mobility solutions experts at Zones can help you chart a course to a CYOD deployment that includes every element required for success. With access to all major carriers including AT&T, Sprint, T-Mobile, and Verizon, Zones can activate services before devices deploy, so they’re ready for you to distribute when they arrive. From mobile device management and enterprise mobility management platforms that secure and control devices, to delivering secure wireless networks and mobile cloud solutions, Zones has what it takes to keep your users and your infrastructure safe and nimble.