The BYOD Dilemma
Should more be done to ensure that employees can work effectively and safely using their personal devices?
According to an Arabian Computer News IT Security Behaviour Survey, just 16% of GCC organisations have coherent and flexible bring-your-own-device (BYOD) policies. The survey also revealed that 30% of companies had no rules to govern company data on personal devices.
The survey results were at odds with industry predictions from the past year. In 2013, the enterprise technology world was up in arms about the need to allow employees to use their own devices for work purposes. However, the organisations advocating BYOD also implored CIOs to think about the security ramifications of the trend. They proposed all manner of mobile device management solutions, which could containerise company data, monitor traffic or even remotely wipe personal devices. BYOD was the next big thing, they said, and enterprises had better prepare for it.
However, a year later, there have been precious few official BYOD implementations taking place, at least in the Middle East. And despite all the furore over BYOD that last year saw, talk about the trend seems to have died down. That said, while enterprises have failed to commit to BYOD officially, it seems that, unofficially, employees are relatively free to use their own devices for work purposes.
“We find BYOD implemented in a lot of organisations across the Gulf region. Sometimes the IT organisation decides to just shut their eyes and the BYOD activities happen under the radar. Sometimes it is a conscious decision where mobile e-mail is compared to providing access to e-mail via Outlook Web Access (OWA) and there is no perceived difference from a security perspective,” says Leif-Olof Wallin, research vice president at Gartner.
“The main driver is that we don’t see a lot of organisations that have moved beyond mobile e-mail in their B2E mobilisation. We expect this will change as other mobile apps start to become popular.”
This presents a number of issues, not least for the network manager. With the growing proliferation of devices running the Android operating system — now infamous for the amount of malware present in the ecosystem — network managers worry that users could be putting company data at risk by using potentially infected devices. As Wallin says, many opt to simply provide e-mail to personal devices, but others have few controls in place to dictate what employees can access and from which device.
It would seem, then, that trade-offs need to be made when it comes to BYOD. On the one hand, there are claims that allowing users to use their own devices for work purposes will hugely boost productivity. On the other, there are serious concerns over security, particularly if the enterprise in question creates plenty of confidential data. Fahad Al Hassawi, CCO at du, explains the choice that enterprises need to make.
“A survey carried out for an anti-virus security company shows that up to 40% of companies polled say BYOD helps them to reduce their IT costs. As well as cutting costs, surveyed businesses are finding that BYOD provides many different benefits; it seems that when allowed to use their own devices, employees enjoy increased mobility, higher job satisfaction, and improvements in efficiency and productivity,” he says.
“While we have seen a lot of interest in BYOD as a concept, in general, very few companies in the Middle East have a documented BYOD policy due to either lack of awareness or their apprehension of such a policy. Companies and their IT departments need to evaluate the benefits and trade-offs before arriving at a conclusion.”
Worth the effort?
To guarantee security while allowing employees to use their own devices, the consensus is that enterprises need to explore various solutions that provide network and device management capabilities. Many solutions are packaged as mobile device management (MDM) products, but sometimes it isn’t quite as simple as installing a new product.
“With BYOD, it is not just allowing employee devices, but also a lot of group work on access rights, what kind of corporate data can be accessed and who can access it and it needs to be standardised across the board,” explains Megha Kumar, software research manager at IDC MEA.
“While letting users use their own device allows for improved productivity and comfort levels, the whole aspect of device management, data access and security is cumbersome for the organisation.”
In light of this, the question then becomes, “Is implementing a proper management solution worth it, particularly if you can compromise by simply allowing access to e-mails?”
Asfar Zaidi, principal consultant at Huawei Enterprise Middle East, believes that it is. He says that, while CIOs are facing greater pressures to allow personal devices to access corporate networks, they are traditionally reluctant to do so, simply because of the greater risk of information security breaches. Because of this, he explains, the only option is to implement an MDM solution, which he believes will provide strong benefits to the business.
“Mobile Device Management (MDM) platforms are essential for businesses to manage the flow of data into the network from smart devices and crucial to build a safer environment. It is also equally important to understand the full lifecycle of BYOD devices. We see this as four phases, namely acquiring and registering assets, deployment, running policy enforcement, and retiring devices once no longer required,” he says.
“Today, vendors like Huawei can offer a holistic MDM solution across this device lifecycle, and that equips end users with a much more compelling proposition to their business. As an example, Huawei is transforming the office of the future with its Huawei AnyOffice solution – a single platform through which to securely access a wide range of applications and handle important business tasks anytime, anywhere, and from any smart device.”
Another expert — Ian Lowe, senior product marketing manager, Identity Assurance, at HID Global — agrees that, to really get the most out of BYOD, a certain amount of investment is required. However, he says that many enterprises are still unsure about what BYOD means to them – the scope of the kinds of data that employees may want access to from their personal devices may change from company to company. With any BYOD policy, security is a key consideration, he says.
“From an HID Global viewpoint, as employers’ and employees’ attitude towards the BYOD trend matures, it is very important for Middle Eastern enterprises to identify key technology partners and adapt their infrastructure whilst managing and creating their security platforms,” he explains.
“Protecting against mobile malware is similar to traditional intrusion detection and prevention. Similarly, the types of threats are constantly evolving and organisations need to keep abreast and stay ahead of combatting this malware. As we have seen with traditional threat management, keeping BYOD secure means identifying a trusted partner with a proven track record in mobility to protect your enterprise.”
The question of cost
If it is generally accepted, then, that to really reap the benefits of BYOD, enterprises need to make certain investments, the question inevitably moves towards how much a BYOD implementation will cost. According to Manish Bhardwaj, the answer can simply be found in the savings that are made from not having to buy mobile devices for employees.
“Recent research conducted by Aruba Networks and published in a report titled BYOD in EMEA: An Overview of Adoption, Challenges and Trends surveyed 773 companies and found that, while 92% of companies still purchase laptops for employees, only 70% purchase smartphones and an even lower 51% purchase any kind of tablet device. Furthermore, the report showed that 69% of organisations in the EMEA already allow some form of BYOD today,” he says.
“The low purchasing figures for smartphones and tablets compared to laptops indicate that organisations are happy to shift the cost liability of mobile devices from the business to the individual. This doesn’t, however, mean that they are absolving themselves of the responsibility to protect these devices and ensure the security of corporate data that might reside on them. In fact, the cost savings from no longer having to purchase and maintain all these new mobile devices can be channelled into platforms that offer support for BYOD in a safe and secure manner.”
Nicolai Solling, director of technology services at Help AG, agrees that all too many enterprises view BYOD as “a free ticket”, and that BYOD should be viewed as more of a productivity-enabler, rather than a cost-saver. He describes the trend as a complex problem, which requires decent investigation and risk assessment on the part of the organisation considering it. Unfortunately, he adds that providing access to the corporate network for all employees is still perceived as an overhead that outweighs its benefits. That said, he believes that there are correct ways to go about approaching BYOD, and that this can still yield benefits.
“Today, IT solutions offer extremely granular control and allow network access to be governed by a number of critical factors. Understanding how these can be fine-tuned to the needs of the organization will ensure that security, which remains the main concern in the enterprise mobility discussion, is given its priority,” he says.