Why Does No One Talk about BYOD Anymore?

February 8, 2016 by Daniel Brecht

The emergence of BYOD has been a revolution in the work world. For the first time, employees were able to use their own preferred, personal piece of equipment (e.g., smartphones, tablets, and laptops) at work instead of being issued devices by their company. Many establishments have enthusiastically adopted the BYOD concept, often simply in the attempt to reduce expenditure on computing and communication devices. Businesses were released from the burden of investing heavily up front in company-bought devices to support their mobile workforce that works on the go or must be within reach 24/7.

BYOD programs are enabling mobile workers to operate their own systems and connect to the company's network to access enterprise IT resources and data whenever and wherever they need them. BYOD looks like a win-win situation: from a business standpoint, its adoption relieves a company from the initial acquisition cost of devices for their employees; for staff, it is the possibility to use mobile devices they own and know well to access the company's networks, systems, and resources to work on the move, as needed.

Over time, concerns have been raised about the security risks of having personal devices access information that could become a target in a breach. Though the concept has become popular amongst organizations, the hype surrounding BYOD hasn't sped its adoption, as "businesses are still cautioned to adopt and leverage personal mobile devices in the workplace [because of] new security concerns, not to mention data accessibility and the like," as mentioned in a TEKConn blog post.

It has eventually become challenging for organizations, and in particular for the IT security professionals responsible for data governance and risk management, to devote themselves to the full-time task of executing appropriate measures to ensure proper implementation of the bring your own device (BYOD) movement. As David Willis, vice president and analyst at Gartner, said, "BYOD is not for every company or every employee."

Why is the BYOD trend slowing? The issues that are hindering adoption.

Though BYOD has undoubted benefits such as increased employee satisfaction, improved productivity (as it promotes flexibility, mobility and efficiency) and reduced costs (having the potential to allow savings on hardware costs even though the enterprise will likely need to reimburse employees for their out-of-pocket expenses), it has also led to security concerns and an increase in safety measures and risk mitigation safeguards.

Information systems professionals are challenged with having to secure their business network while still allowing access to a variety of personal devices of different brands, running various operating systems and loaded with apps and software of different kinds. Their enterprise mobility management (EMM) strategies need to let users keep control of their own devices while ensuring the security of the data accessed; that data should be safe from attack or unauthorized access without increased effort by the end user.

The variety of devices and platforms is a challenging aspect of BYOD deployment and a barrier to it. IT security planners need to put in place a BYOD framework to ensure that the enterprise's data, files, and applications are safe. Raising security compliance requires loading software on personal devices, which can be expensive and challenging to support. Because no two devices will be configured in exactly the same manner, security goes far beyond simply locking devices and using passwords; it also requires encryption settings on personal devices for both data in transit and data at rest. Moreover, BYOD requires pushing software updates in real time and an IT manager in the company to monitor all devices to make them better, more effective business tools.

While many organizations are taking considerable steps towards BYOD adoption and remote work policies to satisfy the demands of the modern-day mobile workforce, the security issues that companies face remain a significant barrier that keeps many from embracing BYOD with confidence. For that reason, some firms are clearly choosing to solve those issues by avoiding BYOD altogether, rather than devising ways to adopt it fully.

In addition to the objective difficulty of securing a network accessed by a variety of machines with different characteristics, one of the challenges hindering BYOD growth is the risk that mobile security solutions become obsolete. With new and more advanced persistent threats and vulnerabilities associated with wireless computing, there has been some reluctance to invest in countermeasures that could quickly become inapplicable to new devices or might not cover old and new devices at the same time.

Also, the BYOD model might increase the risks associated with the "human factor" vulnerability. An InfoSec Institute report shows that about 30% of all worldwide data breaches in 2013 were due to human error (which includes employee negligence), and the fear is that employees might not pay the same level of attention to their own devices as they do to company-owned ones. Employees might let their guard down more when using personal devices, and some work environments have resisted leveraging personal mobile computing because they are preoccupied with the human behavioral elements associated with bring-your-own devices.

These worries might not be unfounded. For example, according to a survey conducted by Gartner, Inc. in the last months of 2013, a quarter of 995 BYOD workers admitted having problems with their personal device, and 73 percent of them failed to report to their employer the possible risks.

Some companies will never move to a BYOD model and will opt instead for employer-provided devices that already have the necessary security software pre-installed and that have been configured and updated with the latest patches.

BYOD, Growth or Decline?

After years of uninterrupted growth, the BYOD phenomenon may now be on the decline. According to a CompTIA survey of 375 U.S. IT professionals in various private businesses, 53% of private companies have gone on to ban the use of personal devices for work, as reported by Matt Hamblen, Senior Editor for Computerworld; the number went up significantly from the 34% reported in 2013.

Dennis Doyel, Chief Operating Officer at Mobile Solutions Services, Inc., explains that the reason for BYOD "fading fast" in many corporate environments is not simply the rise in new security concerns to be managed and the potential loss of control over who accesses corporate sensitive data, but there are also additional motives. For one, BYOD often fails to bring real cost savings to employers after factoring in reimbursement to employees for incurred expenses and the costs of managing MDM software. Also, it can be a disruptive phenomenon without proper accountability, management of usage and oversight of data security, Doyel said.

Employees, in general, are also getting colder about the bring-your-own-device movement. The concerns are for the safety of their personal data and their proper segregation from anything company-related, and, more importantly, the difficulty of keeping the work-life balance required to continue being productive employees. A BYOD device makes the line between personal and professional life blurry for many who would rather keep the devices separate as a physical reminder.

Nevertheless, Gartner continues to believe that BYOD is on the rise and predicts that half of all businesses will require workers to use a personal device for work by 2017. According to Bob Egan, an analyst at Sepharim Group, however, the growth in BYOD is "more myth than matter."

So who is right about BYOD? Will it become an even greater trend, or is it on the decline and fading fast? Will the rapid rise of the BYOD movement continue to be fueled by the need to rely on collaboration in real time from any location? Alternatively, will BYOD no longer be a common practice in the work environment, as the security risks are just too much and could potentially outweigh its benefits?

Though BYOD does increase challenges and changes, the risks can be mitigated by educating employees on best-practice policies and governance, particularly the appropriate use of the company's data on personal mobile devices. Brandon Jones, marketing manager for Rocket Software and the owner of MMT Advertising, believes that "all-in-all, while some may look at BYOD as 'Bring Your Own Dilemma,' at some point it may be a dilemma that your company may just need to work through." Surely, putting a ban on personal devices will solve many issues when it comes to corporate security, but companies will soon discover that there might not be that many differences between a corporate-owned and a personally-owned device in mobile device management (MDM) strategies that take a full-device approach to a secure BYOD solution deployment.

A proper and strict policy can help. Though there are the hassles and headaches of getting mobile workers to follow the company's BYOD policy, the benefits of implementing one for employee-owned hardware that the enterprise manages are paramount. Gartner suggests that BYOD policies should be based on the enterprise's business requirements and risk profile, not just a matter of strict policy enforcement and compliant users. A policy ought to define clear expectations around device usage, confidentiality and privacy requirements, to mention a few areas to address, and then it should be kept current, monitored and enforced. It should be a living document, available to make staff aware of the requirements on end-user behavior as they change; that way, employees will be ready to deal with any number of issues, including loss, disclosure, or exploitation of corporate data on mobile platforms, and to take the necessary steps to secure their mobile devices.

Conclusion

So why does no one talk about BYOD anymore? There might be many reasons. The companies that have successfully implemented the program have now made it an integral part of their business strategy and no longer consider it a novelty. Supposedly, they have in place the right IT structure to support it and have implemented the right policies to sustain it.

Companies that had concerns and have done away with the program altogether no longer consider the issue and are taking advantage of technology advances that reduce device prices and of the many package deals offered nowadays by common business carriers.

All other companies are choosing simply not to face or consider the issue. Three years ago, a Microsoft study found that 67 percent of people already used their personal devices at work, whether or not the company had an official BYOD policy. In many cases, then, employees are already using their own devices to work and keep in contact, so the company prefers not to raise the issue and simply continue with the established practice.

Everything considered, will BYOD survive? Despite the undeniable success of BYOD so far, there is still a long way to go before its potential is fully realized and it becomes the norm and a standard practice in the workplace. BYOD is not for every company or every employee.

Whatever the truth is, "it's still a matter of heated debate whether BYOD is gaining favor or not – or is even a good business decision," says Hamblen. The debate on both ends of the discussion continues.

References

Brecht, D. (2013, June 19). BYOD Adoption Reveals Enhanced Employee Productivity, yet Security Concerns Remain. Retrieved from http://technews.tmcnet.com/mobilemarketportal/mobile-security/articles/342711-byod-adoption-reveals-enhanced-employee-productivity-yet-security.htm

Doyel, D. (2015, October 6). Fading Fast? BYOD Growth Is Slowing Down. Retrieved from http://mobilesolutions.net/byod2-2/

Gartner, Inc. (2014, May 14). Gartner Survey Shows U.S. Consumers Have Little Security Concern With BYOD. Retrieved from http://www.gartner.com/newsroom/id/2739617

Gartner, Inc. (2013, May 1). Gartner Predicts by 2017, Half of Employers will Require Employees to Supply Their Own Device for Work Purposes. Retrieved from http://www.gartner.com/newsroom/id/2466615

Hamblen, M. (2015, July 17). The BYOD debate is not over. Retrieved from http://www.computerworld.com/article/2948905/mobile-wireless/the-byod-debate-is-not-over.html

Hamblen, M. (2015, July 15). The bring-your-own-device fad is fading. Retrieved from http://www.computerworld.com/article/2948470/byod/the-bring-your-own-device-fad-is-fading.html

Hertz, I. (2013, December 3). Productivity vs. Security: BYOD Pros and Cons. Retrieved from https://www.sysaid.com/blog/entry/productivity-vs-security-byod-pros-and-cons

Jones, B. (2015). 5 reasons your company won't incorporate BYOD. Retrieved from http://betanews.com/2015/01/27/5-reasons-your-company-wont-incorporate-byod/

Jones, J. (2012, July 26). BYOD–is it Good, Bad or Ugly from the User Viewpoint? Retrieved from http://blogs.microsoft.com/cybertrust/2012/07/26/byod-is-it-good-bad-or-ugly-from-the-user-viewpoint/

Nelson, M. (2014, June 11). The BYOD horse is out of the barn: Risks and consequences of mobile devices in the workplace. Retrieved from http://www.insidecounsel.com/2014/06/11/the-byod-horse-is-out-of-the-barn-risks-and-conseq

TEKConn. (2014, June 30). Hype hasn't sped BYOD adoption. Retrieved from http://www.tekconn.com/news/it-support/hype-hasnt-sped-byod-adoption/