BYOD’s Productivity and Security Collision Course

For the past few years, the bring-your-own-device (BYOD) trend has been at the center of a classic IT debate pitting two common foes – productivity and security – against one another.

In a perfect world, these two opponents would not be opponents at all. But in the world of BYOD, productivity and security can find themselves on a collision course littered with technical and non-technical pitfalls organizations must try to avert. 

A recent study performed by Forrester Consulting on behalf of Unisys sheds light on the situation. In a survey of 2,600 employees who use mobile devices for personal or business reasons, 44 percent said they used smartphones for work, with nearly a third of those phones being purchased by employees. Additionally, 15 percent said they used tablets, with more than half of those being bought personally.

Companies looking to BYOD face risks related to regulatory compliance and security, but what they often don’t realize is they face these problems anyway even if they lock systems down and prohibit employees from using their devices, opined David Johnson, an analyst at Forrester Research.

“Employees will use their own devices anyway, and it’s extremely difficult to keep enterprise data off them,” he said. “The data is very clear – we expect to see a 2X increase in employee-owned tablets and laptops being used for work by 2016.”

The Unisys survey also revealed something else: 56 percent of the respondents said they use unsupported apps or personal devices for work out of necessity, and their organization does not provide an alternative.  

Regardless of the reason for its growth, the prospect of BYOD raises a number of questions – who owns the device, and what does that mean in terms of user privacy? If there is a breach involving an employee-owned device, is the corporation responsible if business data on the phone falls into the wrong hands?

Clear policies – and the enforcement thereof – are key. In the event of a lawsuit, the failure of an organization to comply with its security program will be used by plaintiffs or regulators to argue for liability after a breach, wrote attorney and InfoLawGroup co-founder David Navetta in a blog post earlier this year.

“This presents a serious problem in the BYOD context,” Navetta wrote. “For example, assume an organization’s own mobile device security standard requires encryption of all sensitive data on company-owned computer devices, and the employee’s BYOD mobile device is not achieving this standard. If the employee’s personal device is hacked and the unencrypted sensitive data stolen the company’s Mobile Device Security will likely be used to argue that company did not implement reasonable security.”

A study of 260 companies released in April by the Aberdeen Group found that large organizations (5,000 employees or more) are more than twice as likely as medium-sized companies (251 to 5,000) and more than three times as likely as small ones (1-250 employees) to restrict network and data access only to  devices from an approved company list. In the case of small businesses, 53 percent said they allow any device.

According to Johnson, more firms have formal policies this year than last, but it is still a small minority. Most organizations are dealing with the issue on an ad hoc basis, he said.

“Everything we do in business has a significant component of trust needed to maintain information security and high ethical standards,” he said. “Unfortunately, sometimes firms make the mistake of thinking that the only way they can maintain this trust and information security is by enforcing policies with tools installed on the endpoint, such as data loss prevention, filtering tools, and so on. In a BYOD world, this is nearly impossible because of the device diversity we now see. So, trust of employees is a critically important element of every BYOD program.”

The tools to implement BYOD securely exist, but “there is definitely some cost,” he continued.

“Secure containerization on a smartphone or tablet can be achieved with tools like Good Technology, MobileIron and others and are pretty well proven,” he said. “Wiping of employee-owned hardware in its entirety is a bad idea obviously unless the device is irretrievably lost or stolen, so the tools have some safeguards in place to help prevent accidents. Another approach we’re seeing is applying a hypervisor to Android smartphones to provide a separation between personal and work environments, but this has some challenges and doesn’t work for iOS.”

According to technology services firm CSC’s “CIO Barometer”, employees are increasingly taking control of IT, with 45 percent of respondents saying that their personal hardware and software are more useful to them than the tools and applications provided by their company.

Additionally, CSC explains that while the consumerization trend is improving employee morale, security is still a top concern for IT mangers. According to their study, 88 percent of survey participants said that the use of personal devices increases employee job satisfaction, yet 72 percent of companies cited increased security incidents resulting from the use of mobile devices.  

Companies are primarily worried about the loss and exposure of confidential data, as well as the loss or theft of application access credentials that may be saved on the device, said Tom Clare, senior director of product marketing at Websense. To address these issues, organizations are turning to mobile device management for passcode enforcement and device management as well as encryption services and data loss prevention technology for mobile devices, he said. 

“The blended BYOD and work device presents many challenges for security, control, auditing, forensic analysis and usage,” he said. “The years ahead will set precedent from legal judgments on liability, responsibility and the breadth of forensic analysis for BYOD used in work environments.”