BYOD wave sparks big security concerns

The BYOD bandwagon keeps rolling and along with it the growing concerns of IT professionals about supporting employee-owned devices in the workplace. Protecting corporate data is at the top of their list of worries.

It is clear that most companies — large and small — face the bring-your-own-device dilemma whether they want to or not. Employees use the tools they like at work. If they use Dropbox or another cloud-based storage system with their iPhone for personal stuff, chances are they will use it at work, especially if the company’s shared storage solution is hard to use or nonexistent. The problem then becomes how to integrate those tools — predominantly iPhones and iPads from what I can tell, but other smartphones and tablets as well — into their IT infrastructure in a way that protects corporate assets.

New Gartner research drawing on a survey of 938 businesses worldwide with 500 or more employees showed that BYOD is a primary concern among respondents, 90 percent of whom have deployed smartphones. And 86 percent said they plan to deploy media tablets later this year.

The wording in the Gartner statement is not clear on what percentage of respondents actually have a BYOD policy in place, but it did say that “many” respondents provide support for personal devices. In fact, personal devices constituted 32 percent of smartphones, 37 percent of tablets and 44 percent of laptops supported overall. Companies in developing nations (Brazil, Russia, India and China) are more likely to support these personal devices. Nearly half (44 percent) of BRIC respondents said they support personal devices, compared to 28 percent of respondents in developed nations.

According to a statement by Gartner research director Chai-Gi Lee:

Mature countries consider BYOD programs as bringing with them both legal and technical issues, whereas emerging countries only see technical issues. For instance, mature regions are more concerned with security and data privacy regulations for immature MDM than emerging regions. In BRIC countries, employee turnover can be high in some sectors, leading to more theft of devices and data. BYOD and virtualization can reduce those enterprise losses.

What to do about BYOD

It’s a knotty problem, as any IT pro will attest. Gartner said that to allay security concerns, companies should focus on mobile data protection (MDP), network access control (NAC) and mobile device management (MDM) tools to support their BYOD and new enterprise mobile platform efforts. And it recommends that all shops set up a mobility strategy team within IT to handle data management and control.

I think most IT shops would agree that’s a good plan but would also say the chances of it coming to fruition in many companies are nil. IT pros who have commented on past GigaOM stories on this topic blasted company management for expecting support of myriad devices while cutting IT budget and staff.

10 Responses to “BYOD wave sparks big security concerns”

  1. Agree that support for “myriad devices” is hard to do if you don’t have infinite budget. An inexpensive first step is to apply security controls to your network. Your network is one thing (not myriad of things), and you control it (unlike the personal devices that you don’t own). With network access control (NAC), you can gain immediate visibility and control over every device on your network, including the brand new device that someone just bought last night at Best Buy. So NAC is a future-proof solution. The leading-edge NAC products can tell you about the security posture of mobile devices like iOS and Android, letting you make wise choices about whether to allow certain devices (e.g. jailbroken phones) onto the network. With NAC, you can control where each type of user and each type of device can go on your network, thus protecting your network resources from attack and data loss. Check out this SANS report for more information.

    • This sounds good but if NAC is as capable a protection as you say, why are so many IT people so concerned about BYOD? “It’s a knotty problem, as any IT pro will attest.”

  2. It is a tricky balance – giving users access to data but still maintaining control over corporate data. Ultimately IT doesn’t want data to be uploaded into consumer applications. This is the exact problem we’re trying to solve at Oxygen right now – our approach is to support and integrate with existing storage systems, allow IT to keep their own data on-premise but still give users mobile access.

  3. ^^ I think the point here is if there is a choice, then the employee should be able to make that choice to BYOD or have a company supplied. In my company I would rather BYOD so that I have all the tools required to do my job at my hands, rather than put up with an inefficient SOE with only half the software. Getting programs added to the SOE is restrictive and not a timely exercise once approvals, testing and deployment occur. Positives and Negatives on both sides of the fence I guess.

  4. Any reputable company will expense what hardware is needed by their personnel to get the job done. Companies expecting employees to bring their own equipment, and expecting employees to then pay for it out of their own pocket when it breaks during work use, is not a company I would want to work for. If my boss demands I use a laptop, I give him a detailed hardware estimate with machine specs and tell him to “buy me one”. BYOD = being taken advantage of.

  5. “IT pros who have commented on past GigaOM stories on this topic blasted company management for expecting support of myriad devices while cutting IT budget and staff.”

    So they will just have to be flexible and work harder.

    Just like every other department has been forced to over the past decade.

    The tail should not wag the dog, IT need to realise they are providing a service to the company employees, not enslaving them.

  6. Naturally, Gartner reports reflect the bias, particularly the geographic perspective, of the report authors. This one appears to have been written with a “global” bias. Were the release/report written based on US market perspectives, the emphasis, IMHO, would be different. What I often find missing in organizations who are not at the leading edge, is the strategy and policy work, prior to choosing tools to solve problems.

  7. focher

    I still fail to understand why a tablet, smartphone, or laptop introduces a data security issue any different than the photo copier or a USB stick does. It still comes down to IT being locked into a mindset of control, but it’s really just a facade.

    • Because tablets and smartphones are consumer devices without enterprise controls. Companies can monitor files leaving their laptops and force encrypt USB sticks. Once data is on a tablet, it’s gone.

      This is ignoring data loss reporting requirements from all 50 states if customer personally identifiable information is lost. Good luck not being sued.