Mention BYOD to different people across an organisation and you're likely to get many varied reactions. Some will say that it's boosted staff productivity and morale, enhanced business technology adoption and done all this quickly and with minimum cost. Others – most notably the IT managers – are probably tearing their hair out, uttering the words ‘unmanageable chaos’ and bemoaning employees with lax risk-awareness.
The reality is that BYOD is something in-between. A by-product of the ‘consumerisation of IT’, it has liberated employees, torn up the rule book on working hours and made agile companies work faster and better. But it is also a big security risk – with the growing number of access points potentially vulnerable to insiders losing the device or data, or hackers stealing information by using malware or social engineering tactics.
And yet, there's clearly no stopping this trend. Gartner estimates that one in three mobile devices will be in enterprises by 2018 – that's around one billion units – while IT recruitment agency Robert Half Technology puts current adoption at around three in four of all UK companies. Reputable sources tell SC Magazine UK that employees at some companies are even being hired on the premise that they bring certain types of technology with them to the workplace.
All of this means that IT departments have to react, and fast too. A study from Forrester shows that 70 percent of enterprises across Europe and North America are expecting to provide more mobile support to their staff over the next 12 months as a ‘high’ or ‘critical’ priority, and that should perhaps come as little surprise – these devices are not only holding confidential data but are also highly susceptible to spear phishing and malware attacks. They're also becoming increasingly powerful – as evidenced by the new 64-bit processor in the iPad Air and the biometric sensor on the iPhone 5S – making them difficult to manage.
“64-bit iPhones are just as powerful as PCs,” says Norton Rose Fulbright global CISO Paul Swarbrick, speaking at the first SC Congress in London recently. “We need to consider risk the same way. Technology changes but the problems remain the same. I come across people moving old working practices onto new devices.”
Nonetheless, with IT staffs increasingly evaluating how to manage these personally-owned devices, SC Magazine UK sat down with various information security experts to get a handle on what methods businesses are using to get ahead. Their views varied but Ovum analyst Richard Absalom was keen to point out that with BYOD being driven by consumers, it is natural for the debate to start with employees.
“The first thing to recognise is that BYOD is a behavioural thing. You don't necessarily have to adopt policy,” Absalom said.
He added that most businesses are now sufficiently on the ball with BYOD to recognise that management should perhaps start with acceptable use policies, possibly leading on to a mobile device management (MDM) or mobile application management (MAM) solution.
“We think every business is now aware of the risks around this,” says Absalom. “Most people know they need to do something – although there are still some that think BYOD is too much hassle and so are not interested in what's going on anyway.”
Mark Brown, former CISO at SABMiller and now director of information security at the consultancy group EY, agrees that views are changing on BYOD and says that forward-thinking companies are starting to realise this is not an ‘IT-only’ issue.
“Four years ago it was a brave new world,” he says, adding that a few companies embraced the technology, while some CISOs saw it as a distraction. “Two years ago, people started realising that if you're going to leverage BYOD, you're going to need to involve HR and legal too.”
Subsequently, the ICO has issued guidelines to help data controllers secure work data held on employees' smartphones and tablets, and to ensure that these devices are locked with strong passwords and managed with software that has data-wipe capabilities.
“Mobiles and tablets are at risk,” Simon Rice says. “They will get lost or stolen. Organisations have to recognise that and make sure there is a strategy in place to deal with it.”