BYOD: Bring your own device or breach your own data?

January 08, 2013

It’s January, and employees are back from the holidays showing off their shiny new toys – smartphones and tablets from Apple Inc. and other makers. And they want to use them at work.

It sounds innocent enough. But chief information officers and others familiar with the Bring Your Own Device, or BYOD, trend say organizations need to carefully think through the advantages and the challenges of allowing employees to access corporate data with personal devices.


“This is part of an evolution in the way we work and live and use technology,” said Dan Mazzola, director of the Center for Advancing Business through Information Technology at the W. P. Carey School of Business. “It’s becoming more and more mobile, personal, and flexible -- and it adds more uncertainty and risk.”

Consumerization at the office

BYOD was the subject of a panel discussion at the recent Phoenix CIO Executive Summit, hosted by CABIT and produced by the conference firm Evanta at the Fairmont Scottsdale Princess. CABIT hosted the summit as part of its mission to foster collaboration between information-technology and business professionals, Mazzola said.

Traditionally, before BYOD became part of the tech vocabulary, employers provided their workers with IT resources, initially computer terminals, then desktop and laptop computers, Mazzola said. IT departments owned and maintained the devices and managed the software, upgrades and patches.

Today, though, devices aimed at consumers have become powerful, affordable and capable of doing almost anything that old-school, business-oriented technology could. Such “consumerization” has spread throughout the IT world.

“In this modern age, where people will get a cellphone that has computational powers that rival what used to be a standard-issue laptop of years ago, people want to be able to bring their own device to work,” Mazzola said. “They don’t want to be told what to use. They want to be able to get the latest iPad, the latest tablet or latest cellphone, and they expect their work environment will enable them to work using their own devices versus having to use a corporate device.”

Younger workers, who grew up in the Internet world, expect to be able to use their own devices to access corporate resources. At the other end of the corporate hierarchy, outsiders who serve on boards of directors also expect prompt access to information about what’s going on inside the company.

Increased satisfaction and productivity

The concept of employees using their personal devices for work has its advantages, Mazzola and others say.

Perhaps the biggest advantage is employee satisfaction, particularly for those who expect to be connected anywhere, anytime to both work and personal lives. With expectations high, so is the pressure on IT departments to adopt BYOD.

Amkor Technology Inc., a global manufacturer of semiconductor packaging, had long supplied employees with BlackBerry smartphones but started seeing the BYOD trend when Apple’s iPhone and iPad, with the iOS operating system, soared in popularity. In countries like South Korea, where Samsung Electronics Co. Ltd. is headquartered, employees wanted Samsung devices, which use Google Inc.’s Android operating system. “People wanted to bring their own, to connect to the corporate network and sync their email and calendar,” said Alex Pilar, senior vice-president of corporate IT operations at Chandler, Arizona-based Amkor and an alumnus of the W. P. Carey Executive MBA (1994).

Caren Shiozaki saw the trend, too, when she joined Santa Fe, N.M.-based Thornburg Mortgage Inc., now TMST Inc., in 2007. Some employees of the mortgage provider liked the convenience of using their home computers for work instead of lugging their company-provided laptops back and forth. There were no hard and fast rules about using company-provided cell phones for personal calls, either, she said.

Mobility was an important advantage for Amkor, whose sales force deals with customers around the world. Salespeople like getting emails and company information on their mobile devices instead of having to take their laptops to corner locations with Wi-Fi, Pilar said.

Advocates of BYOD often cite productivity gains they see when workers are connected at home, on vacation or traveling, compared to workers whose time and energy are limited to the office or another single, physical location. Letting people use the devices they are accustomed to also saves an organization from having to train employees on unfamiliar devices.

The skeptical viewpoint

BYOD skeptics, though, contend workers are just as productive on company-provided BlackBerrys or laptops as they would be on their own devices.

Cost is another factor that can go either way. Some organizations might find BYOD spares them the initial investment of buying, say, iPhones for several hundred workers at once. For others, regardless of the hardware savings, paying for software licenses or airtime can add up to a significant, ongoing expense.

BYOD’s list of outright challenges, however, is longer and trickier to address than the list of advantages. “There’s a lot more ways for things to go wrong than for things to go right,” Mazzola said.

The challenges stand out so much that Shiozaki says BYOD can also stand for Breach Your Own Data. “A lot of times employees don’t think about that,” she said. “If you choose to use your own device and the rules aren’t there and/or you don’t follow the rules, a lot of what you do on your personal device may get caught up in the net of what is business when it comes time to getting discovery for a lawsuit. Granted, a lot of your personal photos and text messages may not be responsive to the lawsuit. However, the fact that a third party is going to see them, any normal person is going to feel a sense of violation.”

The main issue facing CIOs, Shiozaki and others note, is maintaining the security of corporate data. Companies might be accustomed to restricting photography of proprietary processes within factories, or limiting what information employees can send out via email. “BYOD just exasperates the issue,” Mazzola said.

Rules of the road

Setting up a BYOD policy might start with determining what kind of data the organization has and who is allowed to see it. For example, a salesperson might need nothing more than read-only access to product brochures, while software developers working in remote locations might need more complex access to more sensitive systems. Other questions follow: What sort of password requirements do you set up? What applications, or apps, will you allow or prohibit? How much will you encrypt data being transferred to or from personal devices? How and where will you draw the line between private and corporate information on devices? If an employee loses his or her device, can you remotely wipe the corporate data so the finder cannot see it?

Amkor addressed its BYOD issues in 2012 with a mobility policy that Pilar says culled “the best of everything” from Internet research and from policies of other multinational companies. Employees using company-supplied devices and employees seeking access to the corporate network with their personal devices must sign an agreement detailing what they can and cannot do with the devices, Pilar said. Among the restrictions: No illicit or pornographic material and no texting while driving.

At TMST, Shiozaki thought about developing the right controls for BYOD, but then had to focus on the company’s financial survival through its 2009 bankruptcy filing and associated lawsuits. A veteran of the highly regulated financial-services industry, she said the legal issues drove her decision to not allow BYOD. If she had proceeded with controls, she says she would have allowed BYOD based on an employee’s role in the company, or she would have offered employees a choice of accepting rules on BYOD or sticking with company-provided devices and standards.

Deciding what devices to support is another big hurdle. The various operating systems might introduce new versions each year, and bad guys discover new vulnerabilities seemingly daily. Some employees diligently download every upgrade, but others will ignore or even resist corporate instructions to do the maintenance on personal devices.

Amkor decided to support both company-owned and employee-owned devices that operate on Apple and Android operating systems. Recognizing that workers don’t want to carry two phones, Amkor allows employees to use company-provided devices for personal use, too.

The company uses a Mobile Device Management, or MDM, provider to deploy new devices, manage the inventory of devices, provide encryption, protect passwords, whitelist applications that can be installed, blacklist prohibited ones and wipe corporate data from any lost or stolen devices.

Organizations also need to make decisions on ownership of devices, phone numbers and data, and spell that out in their BYOD policies. Shiozaki said policies ought to include rules on what people can put on their devices, what the company will do regarding encryption and wiping or partitioning data, and the consequences of losing or misusing devices.

Words of wisdom

What lessons have BYOD veterans learned? CIOs who have been through the experience say they would give peers this advice:

  • Create a mobility policy and address it at the highest levels.
  • Select an MDM solution that is right for your organization.
  • Educate employees on the risks of using their own devices for work. Even if their personal data has nothing to do with a lawsuit against the company, lawyers from the opposing side still will want to see everything on the device.
  • The CIO should partner with the general counsel and the security officer to plan and roll out a BYOD policy, just as they would for developing policies on acceptable use of the Internet.
  • Keep up with changes in technology, especially as organizations store more data in the cloud and less data on hardware. “What we have today won’t stay forever,” Pilar said. “There will be new developments every year, and you need to stay on top.”

Amkor is watching adoption of new operating systems, such as Microsoft Corp.’s Windows 8 for tablets, and might add them to its list of standards if adoption grows. TMST, on the other hand, is deferring a policy on BYOD until its bankruptcy reorganization is complete. That gives Shiozaki the luxury of seeing how other companies are developing controls and resolving issues around BYOD.

“Regardless of whether there are advantages or disadvantages, the almost certain, predictable future is more BYOD,” Mazzola said. “CIOs have to come up with policies, along with the chief information security officers and compliance organizations, because this wave is coming. There’s nothing you can do to stop it from happening. The issue is how best to manage the risk relative to the benefits.”