It was about five years ago, shortly after the release of the first iPhone that I first became familiar with the Bring Your Own Device (BYOD) trend. Of course, the term hadn’t been coined yet but one of my clients was asking for guidance on how to control what was happening in his organization. As the CIO of a hospital he was quite concerned that doctors were dumping their corporate assigned mobile phones and were using their own iPhones instead. Worse still, some of the doctors were buying and using their own iPhone Apps to assist them in their duties. I realized then that this would be an unstoppable trend and that IT leaders would need to adapt. The CIO’s concerns with respect to security, privacy and liability were valid but unfortunately I couldn’t point to a solution to address his concerns at that time.
What’s been driving BYOD?
- As with my hospital example, workers discovered that mobile devices marketed to the consumer segment were better designed and offered way more functionality than their corporate assigned devices.
- Since they couldn’t get these devices from their employers, workers bought their own.
- Employees discovered that they could be more productive by leveraging the added functionality especially when augmented with low cost or free Apps.
- Once hooked to the new technology, workers were not about to give them up in favour of the corporate assigned dinosaurs.
- Workers now found themselves carrying two or more devices (personal and corporate assigned) and began to find ways of incorporating business functions into their personally owned devices.
- Carrying multiple devices was a pain (many people still do) and employers were pressured to drop the mandatory requirement for corporately assigned devices and implement BYOD programs.
Many organizations just capitulated and authorized the use of personal devices even though they did not have the accompanying strategy, policies or security mechanisms and infrastructure. One of the contributing benefits often associated with BYOD, in addition to employees being more productive, was that it would lower costs since companies could reduce or eliminate the capital expenditures associated with mobile devices and have employees cover some or all of the associated monthly fees, so for many BYOD seemed like an obvious choice.
Prior to the BYOD trend organizations typically secured their mobile environment with BlackBerry’s Enterprise Server (BES). There was no practical way of applying the same type of security to the new emerging devices and therefore most companies assigned Research in Motion’s (RIM) BlackBerry phones to their employees.
Today, things have changed considerably. First the iOS and Android devices, the two OS’s most responsible for driving the consumerization of mobile, have improved their security capabilities considerably. While there will be some consolidation is this space (Citrix just acquired Zenprise) many Mobile Device Management (MDM) solutions have emerged which provide the ability to enforce strict security policies on mobile devices such as iPhones. Some of the leading vendors include:
Follow this link for a comprehensive list of MDM vendors.
In addition to the enhanced control and management of the devices, network infrastructures and associated management tools have also evolved so that IT can identify both posture (compliant / safe configuration) and profile (device is legitimate) of wireless devices and automatically allow or deny devices from connecting to the corporate network and assign access to appropriate resources.
BYOD – Benefits
Properly planned and executed BYOD can provide many benefits but it’s important to note as described later that many of these benefits can be achieved even if the mobile devices are not employee owned. It’s also important to note that many of the listed benefits are “soft benefits” in that they are somewhat intangible and difficult to quantify. BYOD can provide the following benefits:
- Employees are more productive
- Work from home and after hours
- Enhanced functionality of devices and associated Apps
- Employee hiring and retention
- Many potential employees, given a choice, will not work for an organization that forces them to use a corporate device they don’t like or want
- Depending on how the BYOD plan is implemented, organizations may reduce capital and recurring costs
- Increased productivity and reduced expenses can lead to competitive advantages
BYOD – Bring Your Own Difficulties
Since there are many benefits to BYOD and we seem to have solved most of the technical limitations, BYOD is the obvious choice right? Well not so fast. Many of the early BYOD adopters have since discovered that BYOD can also mean “Bring Your Own Difficulties”; for both employers and employees.
Some of the disadvantages of BYOD may include:
- Loss of control (at some level): device types, uses, security, privacy, etc.
- Increased security risks
- Increased risk of data loss
- Liability issues associated with both personal and company data
- Compliance issues associated with security / privacy standards and regulations
- Forensics (Employers can demand the immediate return of a company owned device and can do whatever they want with it, not so with employee owned devices)
- Costs can actually be higher (inability to pool usage minutes, volume and long term contract discounts, etc)
- Lack of visibility into expenditures
- Device replacement issues when an employee owned device breaks or is lost / stolen.
Some organizations have since retracted while others have completely eliminated their BYOD programs. I recently viewed a presentation from a large US corporation with more than 3,000 mobile devices which initially embraced BYOD. Recently they have moved to a complete corporate liability model. For this company, the main factors for the discontinuation of the program were cost and the difficulty of adequately managing the multiple device types.
This article highlights some of the potential pitfalls of BYOD.
One alternative to BYOD is to follow the old model where organizations force employees to carry a corporate device from a single manufacturer and severely restrict personal usage. If the employees want to carry their personal devices that’s fine but they are not allowed access to corporate resources from personal devices. That might make securing the environment simpler and costs more predictable but won’t yield the many previously listed benefits of BYOD.
Choose Your Own Device (CYOD)
CYOD can allow organizations to reap many of the benefits of BYOD while retaining better control of the security, liability, cost, manageability issues that can be associated with BYOD.
Many employees don’t care if they own the device or not. It’s not necessarily a question of ownership, rather employees want:
- Modern consumer devices.
- Ability to carry a single device for both personal and corporately use.
- Few restrictions on personal use.
- Reasonable usage / cost limits.
- Assurance that their security and privacy will be protected.
- Assurance that their personal information will not be arbitrarily deleted or infringed and a documented policy which states the conditions under which personal data could be compromised.
- Ability to port their personal phone number onto the corporate device and back out again when they leave.
There are many advantages associated with BYOD. However, it’s important to note that many of the benefits associated with BYOD are not necessarily because the devices are employee owned and that some of the same benefits can be achieved with properly executed corporate liable plans.
Many of the BYOD disadvantages can be adequately addressed. For some organizations the advantages outweigh the disadvantages. For others, there are security, privacy and liability issues that make BYOD a non-starter.
Whether you deploy a BYOD program or not, the decision should be based on a well-defined mobile strategy and the realization that many of the benefits associated with BYOD can be realized with a corporate owned and managed model.
Whatever strategy you choose, make sure that you have consulted with all of the stakeholders including:
- Executive leadership
- Line of business owners
- Individual users
- Legal and regulatory
Prior to executing on your strategy it is critical that you have defined and documented an associated policy and that all of the supporting management and infrastructural components are in place.