BYOD: The reality behind the buzzword

Summary: BYOD is the buzzword, and one that IT departments will struggle to ignore as employees demand to be allowed to use whatever device suits them when they go online.

The pluses to a bring-your-own-device (BYOD) strategy can be compelling. First and foremost, if the employee brings his or her own phone or tablet to work, the company is saved the cost of providing one. Having to provide a new phone for your staff every couple of years is a sizeable expense to free yourself from.

Also, allowing the staff more flexibility can be good for staff retention, according to recent research.

But what about maintaining the devices? What about reliability? Who pays the phone bills and who checks the usage? What about liability and security?

The initial issue facing the IT business is that, like it or not, the BYOD phenomenon is happening already. Research conducted by the analysts Ovum indicated that around the world 57 percent of full-time employees use their personal phone at work in some capacity.

However, within that global figure there are large regional differences with South Korea, for example, the biggest user (around 88 percent of employees there say they use the devices at work for their own purposes) and similar numbers in Malaysia, India and the UAE saying the same thing.

The biggest European usage is in Spain and Russia (more than 50 percent) while the rest of Europe is behind. In the UK just under 40 percent say they use a personal phone for work purposes.

In addition, while the Ovum research indicates that everybody — companies, customers and users alike — agrees that more and more devices are turning up in the workplace, divisions set in when you start to ask if BYOD is something that should be encouraged.

While 45.8 percent of IT managers said they actively encouraged employees who wanted to use their own devices at work, 28 percent said they ignored the phenomenon and left employees to do what they would, and 17.7 percent said they had no feelings either way on the subject. Only a minority — 8.1 percent — said they actively discouraged it. A recent survey by Cisco and BT also found that some 36 percent of companies were implementing a BYOD strategy — or said they were, at least.

Analyst Gartner has identified a number of tips for employers keen on encouraging BYOD:

  • Maximise freedom of choice: A BYOD policy that only allows one style or device will be avoided by employees.
  • Move data into the cloud: Accessing data online eliminates worries over data formats.
  • License individuals, not devices: If someone wants to change phones every three months, that’s their problem so they need to buy the new phones.
  • Authenticate people and applications: Devices can swap between multiple individuals, so you need to authenticate both.
  • Embrace open standards: Closed data formats are harder to share across multiple platforms.
  • Manage information, not applications: Data is where the real business value lies.
  • Ensure data is encrypted whenever possible: Security on mobile devices is tricky, but this helps.
  • Don't try to control what you don't own — and be "can do" and not "can't do"

Employers can gain through encouraging a BYOD strategy, provided that they take control of it. A survey among SMBs by Spiceworks showed that, overall, 61 percent of SMBs have implemented a BYOD policy or initiative for employee-owned phones, tablets and/or computers. Around 54 percent of SMBs support employee-owned phones and 42 percent support tablets through a BYOD initiative. Fewer companies are willing to support employee-owned computers: just 25 percent.

According to the Spiceworks survey, a third of IT professionals say their BYOD policy works well for some devices and poorly for others, while 23 percent say it's a headache for their department. Only 17 percent maintain that they fully embrace the trend.

Of those organisations that support BYOD, only 17 percent are actively managing mobile devices using a mobile device management toolset but an additional 20 percent have plans to address the management of mobile devices in the next six months. However, 56 percent have no plans to implement a mobile device management (MDM) solution anytime soon.

Analyst Ovum also looked at users' attitudes to BYOD, and one concern was privacy. When asked, "would data privacy concerns stop you using personal apps on a corporate-provided smart phone or tablet?", 47 percent said it would, 33 percent said it would not.

When asked, "would you find a service whereby your employer could wipe all of your personal data from your own smartphone or tablet useful if it were lost or stolen?" some 48.5 percent said they would. Some 33 percent said they wouldn't.

Richard Absalom, analyst for consumer impact technology at Ovum, said IT departments were accepting BYOD. "At one time, the devices were seen as just another toy that the CIO would play with and talk about implementing, but that is not true any more," he said.

IT departments, Absalom said, had to remember that it was no longer just a technology issue. "IT has to get the input and the buy-in from the business," he said, and part of the problem was that so many issues were not fully understood.

What is the impact of cost on a business that offers BYOD to its workforce? "Look at costs," Absalom said. "Phone bills are typically four to five times higher when people use their own devices rather than one provided by the company."

The Boston-based analyst group Nucleus Research conducted a survey on BYOD earlier this year and tried to quantify the costs. While the raw cost of the device is likely to be low — around £150-200 retail cost, which amortised over the lifespan of the device will be around £10-15 per month — other costs can be much higher.

Nucleus said: "One hidden financial challenge with BYOD lies in reimbursing users for voice and data costs which ... can be 10 times greater than the device cost." The lesson is that the phone may be cheaper than you expect, but the costs of running it can be way more.

Security was a big and obvious issue, said Absalom, but another was the need for forward thinking. He believed the key issue was applications: "What applications are needed, and what can and should be implemented?"

Topics: Mobility, Collaboration

About

Colin Barker is based in London and is Senior Reporter for ZDNet. He has been writing about the IT business for some 30-plus years. He still enjoys it.

Talkback

8 comments
  • BYOD is the ultimate IT-security assassin.

    By introducing BYOD a company's IT department vastly loses control of its device-kindergarten and therefore can't maintain and sustain an effectively working security plan.
    All effort is in vain if workers mix and match private and business usage scenarios and keep a wanton indifference on security issues just because it's more convenient.

    1.) Ohhh my anti-malware sw hasn't been updated for 6 months ... oops I didn't notice.
    2.) Ohh last time I installed "Angry Birds" I disabled the sec-sw because otherwise installation failed.
    3.) Ohh I love logging-in to each and every open WiFi hotspot. That is dangerous?
    ...

    That is what you get with BYOD. It's surprising that in the light of what Chinese hackers pull off US companies still believe in BYOD.
    EnticingHavoc
    • I couldn't agree more! BUT there is a practical solution to the BYOD Threat

      Those are some valid points about the security issues that go along with companies and the BYOD threat. I agree that not having an active up-to-date anti-malware sw on phones, and installing dangerous apps puts organizations at a very high risk to employee owned mobile devices.

      However, these companies don't have to be at risk, if they choose not to!

      The one point where I have to slightly disagree with you is when you said that an "IT department vastly loses control of its device-kindergarten and therefore can't maintain and sustain an effectively working security plan." That is accurate that an IT department can lose control over this threat very easily, but they are not totally in the dark if they do their homework. I work for an IT company called NetClarity, and we specialize in helping SMBs deal with this threat coming from mobile devices.

      We have a very simple and practical approach to solving this issue - gain full control over your network by plugging in our box. Doesn't it make sense to first be able to know everything that is attached to your network? Our NACwall appliance will simply plug into an Ethernet-port and it detects ALL devices that are on a network in minutes! You then develop a list of trusted devices, and once a trust-list is established, it will not let ANY other device onto the network without you first being notified. Consider your network locked down. Also, there is zero-day malware detection, so if a trusted device becomes infected then it will automatically be blocked off in milliseconds! This way that device cannot get access to anything on the network, and you no longer have to deal with the threat of BYOD.

      Sure I work here, so my opinion is considered biased. However, I am simply here to raise awareness to IT departments that our simple solution could help save them huge amounts of costs, not to mention headaches.

      If you don't believe me, check out our datasheet or YouTube video and find out for yourself how easy our solution really is!

      Datasheet: http://blog.netclarity.net/download-netclaritys-datasheet-request/

      YouTube Video: http://www.youtube.com/watch?v=Ps-aXk9iXi4


      Email me at: lbaker@NetClarity.net if you have any questions or would like an online demonstration!
      LouisBaker
      • LouisBaker............BUT there is a practical solution to the BYOD Threat

        Hire Loverock Davidson as he is able to close a Telnet port and do all the compiling needed to secure anything and everything.....just ask him as he claims to know everything about everything............
        Over and Out
      • Or use active directory / group policy

        "gain full control over your network by plugging in our box."

        Or use active directory / group policy, which is what most businesses will do.

        But yes, the tech is out there to enforce network policies - which brings up the situation of a personal device feeling less personal, and making the user feel as if it isn't his/her own device anymore.

        A business could, for example, enforce the user not being able to install Dropbox on a device. If the user uses Dropbox extensively at home, how does the user deal with that?

        And what happens if the business enforces a device wipe? The user loses all of their data, even personal data that has nothing to do with the business. Now you've lost Uncle Joe's number and your childhood photos. Not ideal.

        I'm sorry, but I don't see BYOD as something that is workable.

        "Datasheet"

        Oh goodie, an attempt to get personally identifiable information (PII) from users. Why not just make the datasheet freely available with no strings attached? Why insist on collecting PII?

        No, I am not giving out my name, email, phone number, etc to an unknown entity merely for a datasheet. You earn my trust FIRST, then ask for information. You do not ask for my information before attempting to earn my trust.

        "YouTube Video"

        Uhhh - trusted until marked untrusted?

        No. That gives potential attackers a window of opportunity. Most professional solutions won't trust a machine until it can prove to the network that it can be trusted.

        Using a DoS attack to block assets?

        No. That could easily lead to unintentionally blocking nodes between the appliance and the destination machine, and could possibly decrease the overall capacity of the entire network. It might not even always be successful, if the destination machine has a high-capacity network connection.

        The product doesn't seem to be well thought out. There are far better, far more professional solutions to the problem.
        CobraA1
        • In Response to CobraA1

          I appreciate your input. In response to your datasheet information, in the past many people have actually been very grateful when I have reached out to them because they can get their questions answered very easily.

          As for the "trusted until un-trusted" aspect, I think there is a misunderstanding here. This is simply a way of gaining visibility/control over all of the devices on a network in the first place, because a lot of companies will find that rogue devices are attached to their network that they were unaware of and do not want on there. So first you establish a list of known devices or "trusted assets", then by having auto-blocking on, any device that is not on the list of "trusted assets" will be automatically blocked off. You will be notified immediately and can then decide whether you want to let the device onto the network or not. That vulnerable window of opportunity that you are talking about is before the list of "trusted assets" is established, which is the same vulnerability of the network's current state without the NACwall anyways.

          As for using DoS, the NACwall has blocking technology that uses an extremely low-bandwidth DoS that does not affect the capacity of the network. It also does not lead to unintentional blocking because the device will block off everything that you do not have on the "trusted assets" list, and has not been unsuccessful at blocking off a device. The NACwall sits at layer-2 and does not sit in-line with the network infrastructure, so even if for some unknown reason it was to stop working, then the network would still be functioning as it was beforehand.

          As for active directory/group policy, I agree that can be great for protecting against users, but unfortunately they are expensive and can be quite a hassle to install software on all devices. Also a lot of devices don't have software for this, especially if they are smartphones or tablets. Even if the user is trusted (granted they have the right username and password), someone could potentially use a different device that is un-trusted and log in with those same credentials. It isn't the user's authentication that we protect against, it is the device itself. This can be a very difficult task when IT budget is limited and there are all different types of machines and OS's to protect, which is where the NACwall is extremely helpful.

          The main functionality of the NACwall is to allow SMBs to enforce their network policies and maintain a fully secure network in minutes (without having to install additional software on any devices - the NACwall is truly agent-less). It simply gives you full visibility and control of what's on your network, so that there is no longer a need to worry about rogue/malicious devices gaining access to the network. This way IT staff can focus on all of the other tasks they face. Now I'm not claiming that the NACwall does something it doesn't. There are a lot of security issues that networks face, but it certainly can solve one of the most important threats in a simple, fast and cost effective manner.
          LouisBaker
  • BYOD sec MDM software

    It's not completely hopeless. There is plenty of MDM software out there. Take a trip to the RSA conference, zdnet even has a short story about it. Sure, it's quasi-advertising, but still informative.

    http://www.zdnet.com/blog/consumerization/10-byod-mobile-device-management-suites-you-need-to-know/422
    itandcoffee
  • thoughts

    "First and foremost, if the employee brings his or her own phone or tablet to work, the company is saved the cost of providing one."

    Except the employees may start demanding a stipend, in particular if they want to buy separate work devices rather than actually using their own personal devices. Not all employees will wish to use a personal device at work.

    I know myself that I never want to connect my personal device to a work network (and thus subject my device to network policies).

    The cost savings is actually questionable - as you point out yourself near the end of your article.

    So I am *still* left looking for the ultimate advantage of BYOD. I don't see it, sorry.

    "Also, allowing the staff more flexibility be good for staff retention, according to recent research."

    Except that it's barely more flexible at all - the BYOD user is still subject to network policies. Which are usually inflexible. I'd rather keep my personal device off the work network and buy a separate work device.

    "The initial issue facing the IT business is that, like it or not, the BYOD phenomenon is happening already. Research conducted by the analysts Ovum indicated that around the world 57 percent of full-time employees use their personal phone at work in some capacity."

    Did it say they merely use their phone at work, or that they were actually connecting to the work network?

    I do not consider using a phone at work, but staying on the cell phone network, to be BYOD. In fact - in that particular case the employee is likely to be goofing off, not working.

    "Move data into the cloud Accessing data online eliminates worries over data formats."

    Actually, it doesn't. Some cloud services don't work well together, or at all. You may have to hire developers to connect the APIs of one cloud service to another.

    "Embrace open standards Closed data formats are harder to share across multiple platforms."

    This is true regardless of the BYOD situation. Countless times I have hit the wall of closed file formats preventing the business from migrating to a new system or upgrading an existing system.

    "Don't try to control what you don't own"

    This is anti-BYOD by nature. If a business can't enforce network policies, then rogue devices can easily become a security breach. Thus, if you can't control it - you don't want to connect it to your network, period.

    Personally, I think BYOD is a fad, not a permanent trend. I don't see a long-term advantage to using it. The arguments provided were easily refuted.
    CobraA1
  • BYOD is dead

    BYOD is dead.

    It was the hip thing 2 years ago but now, employees are running back to a corporate provided device. (if they can get one) It was almost rogue like to say "I'm using my own device for work email", those days are now going away.

    Why?

    Mobile devices can now be easier managed (controlled) and there are a host of solutions to limit, monitor and do whatever your security team decides is "required" to protect corporate data. So it's not really an appealing situation now for employees.

    You also have two major stumbling blocks that no one has figured out:

    1. Privacy concerns
    2. Financial model

    Employees do NOT like the fact you can control their device, they don't want you snooping on their txt messages, photos, the Apps they use etc. On top of this there are regulations in Europe around this (where BYOD has seen limited adoption).

    BYOD only really works if you shift all costs to the employee, which they now realize how expensive this can be. Why bother managing a subsidy and all the work that will entail, basically you're shifting your mobile spend to an expense nightmare. There is still the non salary employees that no company wants to deal with due to compensation concerns. There is also the tax issues etc.

    This doesn't even touch all the other issues people list that get glossed over. Are there employees where BYOD works? Sure, they're the vocal minority, the 10-15% that (believe) know what they're doing. Questionable how many actually adhere to SOX and other data governance policies but they will tout the "I'm productive" horn but show no proof other than they are using their device of choice. That's a preference not a proven operating model. They also wish to use a host of Apps that could potentially do all sorts of things to your corporate data that will make your legal and risk teams get all worked up. But it's all good, they're PRODUCTIVE.

    The going opinion is the device doesn't matter, virtualize or contain the data and limit how and when it can be used. That's a valid approach but puts a huge dent in the reason they wish to use their own device, as it will often have usability impact. So it's a trade off.

    BYOD is dead
    MobileAdmin