Staff say 'yay' to their own devices, IT says 'nay' to security, management and cost
All his fault? Steve Jobs' iPhones and iPads have led the charge into the enterprise.
Several pieces of research just published are pointing to the fact that 2013 may well be the Year of Bring Your Own Device (BYOD), but along with supposed improvements in productivity and morale come the inevitable concerns about security and cost. So who's going to win this battle, staff or IT?
Juniper Research has revealed the findings of its 'Mobile Security Strategies: Threat Solutions & Market Forecasts 2012-2017' report, which found that the number of employee-owned smartphones and tablets used in the enterprise will reach 350 million by 2014, more than double the 150 million at present. However, the report also found that the majority of devices did not have any security software on them.
Commenting on the research, Koby Amedume, director of EMEA marketing at IT systems management expert, Kaseya, said: "The benefits of BYOD can be significant - with greater flexibility and mobility, as well as familiarity with such devices, ultimately boosting productivity and staff satisfaction. However, as Juniper Research's report indicates, BYOD does also bring about a number of security challenges - a fact that was further underlined by our own research, which found that more than a quarter of IT organisations believe BYOD to be a greater threat to their organisation than data breaches and the cloud."
"If businesses are to truly make the most of BYOD, then the right Mobile Device Management (MDM) solution must be implemented to automate and secure the management of devices and networks," Amedume said. "An effective MDM solution should not only enable business to successfully and securely embrace BYOD, but also improve operational efficiency and reduce the burden placed on IT departments. With BYOD here to stay, companies must act now to address security issues and reap the significant benefits."
Meanwhile an independent survey of 1,457 British office workers commissioned by Hornbill Service Management found that 53% of respondents believe that corporate IT is failing to keep pace with the needs of the business. What are they doing about it? 40% said that they will use personal devices in an attempt to improve productivity, without getting permission from, or informing, IT.
"Technology doesn't stand still: from social networks to apps to tablets, new devices and ways to use them are flying at the workforce at a breakneck pace," said Patrick Bolger, chief evangelist at Hornbill. "This data shows that if the IT department can't adapt to these changes and support new devices and ways of working, it won't only be unable to keep pace with the needs of the business. It could also become divorced from the needs and expectations of users, meaning that they take more and more into their own hands. The IT department needs to ensure it is working with its users, either by supporting their personal devices, or by offering the same capabilities on corporate devices. By doing this it can keep pace with expectations, as well as unlocking previously untapped productivity for the business as a whole."
The research Hornbill commissioned also found that workers believe that using personal devices allow them to save on average nearly 2 hours per month through working more effectively and efficiently. That may not sound much, but as the firm pointed out, it actually equates to over £2 billion per year nationwide.
As you would perhaps expect, the propensity to bring devices in under the radar is even more pronounced among younger workers between the ages of 16-24 and 25-34. 64% of 16-24 year olds and 60% of 25-34 year olds believed that work IT was failing to keep pace with the needs of the business. Almost half of each group admitted to using personal devices without informing or seeking permission from IT (49% and 48% respectively).
That particular survey also investigated at what point workers felt the IT department should take responsibility for supporting a personal device. More than half (59%) of respondents believe that, as long as a device is used for work at least 20% of the time, it should be supported. 38% stated that IT should support all devices regardless of how much (or little) they are used. Only 15% said that the IT team should ensure a device was used for work 51% or more of the time before supporting it.
"IT departments need to work with their users to gauge at what point a device needs to be supported," said Patrick Bolger. "While supporting any and every device might be impractical, the department should make crystal clear at which point it will support devices and ensure that users understand this. It can then put processes in place both to guarantee that level of support and to ensure it doesn't over-stretch itself."
Bolger continued, "The IT department should remember that it is not alone: peer-to-peer and community support are popular channels for users to help one another."
82% of survey respondents said they would ask a colleague to help resolve simple IT questions or problems, rather than going directly to the IT department. The IT department needs to foster and underpin this propensity for users to support each other. Forums to encourage collaboration, knowledge banks to encourage research and self-service tools to encourage fast resolution of issues can all help users support themselves and each other, according to the firm.
"Shadow IT and personal devices are now legitimate competition for internal IT groups," Bolger said. "The only way we can ensure that we perform better than our competitors is to get closer to the customer, understand their challenges and deliver solutions that provide what they need. If IT is seen as a trusted advisor and is agile enough to provide what is needed, when it's needed; there is no reason for the customer to look elsewhere."
ID management in the era of BYOD
Earlier in the month, identity and security management firm Lieberman Software published a study which it said confirms that BYOD increases costs to the business.
Respondents were asked if they believed allowing employees to connect their own devices (such as USB drives, mobile phones, portable PCs and home computers) to the corporate network increased costs - and 67% said that it does.
When asked what caused the organisation the biggest headache, almost half (43%) cited an employee device introducing a virus; more than a quarter (26%) pointed the finger at employees losing a device, with employees stealing data the biggest concern for 22% of respondents.
The survey of around 250 IT professionals was carried out by Lieberman Software in London. These IT professionals are at the front lines of protecting organisations, Lieberman noted, having to balance the desires of the workforce for flexible and convenient working practices, against the organisation's requirement for reliable yet secure communications.
Philip Lieberman, president and CEO of the company, said he believes the BYOD wave is being driven by companies, such as Apple, pushing their products as corporate ready or compatible - even if they're not. "We've been here before," he said. "It's the same classic back door sales process used to promote PCs in the 1980s, where the large IT shops controlled both the glass house and what was on the desktops. Back then users and managers would show how PCs were better, faster and more flexible than the 'stone age' solutions offered by IT. Ultimately IT was forced to adopt PCs as their corporate standard. The new twist today is that the interlopers are devices that will always be owned by the consumer, not the company."
The core of enterprise trust and authentication has been in-house enterprise identity management with the use of fat clients (i.e. Microsoft Windows) and web browsers that provide integrated authentication of corporate credentials. In the case of many government users, this is further strengthened by the use of smartcard standards such as CAC and PIV.
Lieberman added that, "In today's consumer-owned devices, the ability to adopt and sustain enterprise access and revocation controls is non-existent or impaired. In an effort to meet the demand of BYOD, enterprises are being forced to employ soft certificates with diminished security. While end-users might love the convenience, a lost or compromised device can fast become a nightmare for the CIO. Make sure you understand what you're opening the organisation up to when you allow, or even encourage, your workforce to bring their own devices."
Fear of the unknown?
It seems clear that corporate IT departments are seriously concerned about the BYOD trend - especially when employees are bringing devices in without their knowledge or consent. Commenting on research by Tenable Network Security and Cintrex, MSM Software - a provider of bespoke software and database development - said the threat from BYOD must at least be considered.
The company noted that research has found that 90% of UK firms fear mobile devices pose dangers to their business, while one fifth are not controlling mobile device usage at all.
Nevertheless MSM said fighting the trend will ultimately prove impossible, leaving firms with no option but to embrace it. Thomas Coles, managing director of MSM Software, said, "92 per cent of companies already have employees who use personal devices for work, and so businesses must be prepared for the mainstream introduction of BYOD schemes."
"Employees are increasingly demanding that their work devices and applications are as powerful and easy to use as those they use at home. Employers who refuse to service these demands may eventually struggle to attract the best talent," he added. "BYOD provides an easy solution, and while concerns remain around security and data protection, I firmly believe the benefits of BYOD far outweigh the difficulties."
However Coles said he believes the increasing mobility that BYOD offers to employees could have the potential to cause disruption for organisations considering the scheme: "The higher level of freedom created by BYOD presents a threat which must be considered. With employees working independently a silo culture could seep in, causing widespread confusion and communication issues. This could be prevented however, by implementing a single cloud solution, removing the need for employees to store data locally."
"Our working environments are changing rapidly, but through effective planning and ensuring the right software is tailored accordingly to support these changes, BYOD could provide cost and productivity benefits without organisations having to fear its implementation," Coles added.
Last month there was another report, this time by security behemoth Symantec, which found that while digital information makes up 49% of an enterprise's value, it's not always easy to protect. In the UK last year, 65% of businesses experienced some form of information loss for a variety of reasons, such as human error, hardware failure, security breach, or lost and stolen devices. In addition, 76% have had confidential information exposed outside of the company and 32% have experienced compliance failures related to information.
"Focus on the information, not the device or data centre," the firm argued. "With BYOD and cloud, information is no longer within the four walls of a company. Protection must focus on the information, not the device or data centre."
"Our survey reinforces the fact that the stakes in the information game are higher than ever and there will be winners and losers. By adopting an information-centric protection strategy, companies can make their information work for them, instead of against them."
From BYOD to BYOS?
Also last month, there was news from a company called Varonis, which offers unstructured and semi-structured data governance software. It said that there is a shift underway from bring your own device (BYOD) to bring your own service (BYOS), talking about the likes of cloud-based storage and collaboration services. The company said its own research found that while 80% of companies do not allow their employees to use cloud based file synchronisation services, 70% would use these services if they were as robust as internal tools.
"The results indicate that while the vast majority of organisations would like to harness the power and ease that file synchronisation technology could give them, only 20% currently allow these services due to fears of data leakage, security breaches and compliance issues," Varonis said. "To protect themselves against these threats, 59% of organisations use a combination of policy backed up with blocking techniques to stem the tide of enterprise files spilling onto external servers and devices. A further 20% rely on policy alone to stop the mass leakage of proprietary and regulated data."
With BYOS threatening to sweep past all company defences and carry away the company data, the reaction seems two-fold: while the majority of companies block file synch services completely, the rest leave their employees free reign. David Gibson, VP of strategy at Varonis, said, "As workers are increasingly required to divide their time between working on the move, at home and in the office, companies and employees alike yearn for the ease of use and convenience of file synch services."
"Even organisations that block these services may have employees using them when they're not connected to the corporate network, breaching the defences of a corporation and introducing a host of new vulnerabilities," Gibson said. "The Challenge is to provide companies with a service that has the robust controls of its internal system while empowering staff to do their work wherever, whenever and from whichever device they need."
One final question: will the launch of Microsoft's and its partners' Surface tablets, running Windows, alleviate many of the concerns about security, manageability and cost, that are really aimed at Apple's iPad (let's be honest). ""Businesses will prefer Windows 8 devices by a wide margin, just as they prefer Windows PCs over Macs today, and for exactly the same reasons," said Paul Thurrott, Paul Thurrott's Supersite for Windows, 16 March 2012. "While we can broadly manage most devices, including iPads, with Exchange ActiveSync (EAS) today, no device on earth is as highly managed as a PC. And Windows 8 devices will be PCs, something that IT admins and IT pros understand. Windows 8 will destroy the iPad in the enterprise. There won't be any contest at all."
In that scenario, even more companies move to a BYOD model after the launch of Microsoft Windows 8, and the tablet computer takes its place as a serious business tool, not just something to impress colleagues with in meetings.
So lots of different data points around Bring Your Own Device, with the consensus seeming to be that it's going to be nigh on impossible to hold back the tide. With all the research and all the chatter, could 2013 be shaping up to be the 'Year of BYOD'? Comment below or on twitter.