Showdown at the B.Y.O.D. corral
When mobile devices entered the world—first laptops, then early smartphones like the BlackBerry—the IT departments of large companies were the first to adopt them. Today, consumers drive adoption, purchasing cutting-edge technology on their own dime for their own use, forcing their companies to react to the reality that their employees often have better technology at their disposal at home than they do at work.
At first, IT departments did what you’d expect: refuse the sudden influx of personal devices in the workplace, often for very good reasons like security. But it’s a losing battle for many organizations, particularly those whose employees aren’t handling state secrets or financial results. The answer: “Bring your own device” programs that allow people to use their personal devices at work—provided they agree to some restrictions.
Though BYOD programs were instituted to ease tensions between employees and their companies, it turns out there’s still plenty to go around, particularly when it comes to security and privacy. Almost half of American workers said they would stop using their personal devices for business if their employer required them to install a specified security app, according to a July report from Harris Interactive, a market research firm, and Webroot, a cyber security company. Worries included employer access to personal data, the wiping of personal data in the event that a device is lost or compromised, the tracking of one’s location, and reduced performance due to the additional software running in the background.
“We discovered that BYOD—while it is a technology issue—it is also a communication issue that needs to be addressed,” said Mike Malloy, executive vice president of products and strategy at Webroot. “There’s a big disconnect between employees and IT in this matter.”
Some of these concerns are justified. Two-fifths of the U.S. IT professionals in the Webroot survey admitted they are only “somewhat” confident they could remove the security software on an employee’s personal device without wiping personal data or barring the owner’s access to it. It should come as no surprise then that fewer than one in five U.S. employees have a full security application installed on their personal device.
“The traditional viewpoint of IT departments is that they manage the devices they provide and have full control of and responsibility for them,” said Patrick Kennedy, a Webroot marketing executive who served as one of the leads on the report’s research. “BYOD has changed that and has forced IT departments to change way they think and the way they engage with employees. Suddenly they’re faced with a significant number of devices and can’t mandate everything that happens or is allowed to happen on that device.”
There is still plenty of good reason for companies to embrace BYOD. For the most part, corporations are happy to shunt hardware costs onto their employees, and the potential boost in productivity from enabling employees to work remotely and during off-hours also appeals.
But each additional external device connecting to a corporate network presents another possible point of failure—one more entryway for hackers, malware, and breaches. “Some of the major breaches that have happened over the last couple years originated on end points, whether on PC or mobile,” Malloy said. “It started with a piece of malware on an end point, and led to a great deal of exposure of the corporate network.”
Referring to security apps on personal devices, Malloy added: “If an employer doesn’t mandate it, it’s highly likely that that device is going to be vulnerable.”
As it turns out, employees are a fairly brazen bunch. The majority of them rely only on the security features that come preinstalled on their devices—think PINs to unlock and the like. Beyond that: nada.
Which is why most companies surveyed admitted that the opinion of employees with regard to the corporate security software installed on their personal devices has little or no influence on their decisions, even as three quarters of employees believe they should have some say.
“Bring your own device,” it turns out, is a bit of a misnomer in practice. So much for “own.”
“IT shouldn’t just give lip service,” Malloy said. “They need to talk to employees about it and seek out solutions.” And if they don’t? “You’re going to end up with a showdown that isn’t going to help anybody.”