In a recent survey of office workers, 78 per cent of those who had both a personal smartphone, tablet or laptop and a work-issued one, reckoned that their own was superior. Yet as anyone who has asked IT for the ability to collect work email on their iPhone probably knows, getting businesses to take advantage of this is an uphill struggle.
This consumerisation of IT, where consumer devices outperform and are preferred to business-oriented ones, has picked up speed dramatically in recent years, first with the advent of smartphones and then again with tablets. In that same survey, which was carried out by Vanson Bourne for UK managed data service provider Six Degrees Group, 76 per cent of office workers said they had a mobile device, and three-quarters of those brought it to work with them.
This latter trend has spawned its own acronym: BYOD, or bring your own device. Yet while the phone makers and mobile networks have enabled devices to have multiple phone numbers and “personalities”, so executives can use one device for everything, businesses remain resistant. In a second survey, by Redshift Research on behalf of networking company Netgear, 54 per cent of IT managers said they did not allow guest devices onto the network, and 23 per cent said they considered unsupported ‘smart devices’ to be a massive issue.
In part, this is down to quite reasonable fears over security, says Steve Durbin, global vice president at industry body, the Information Security Forum (ISF). “From the malware perspective, downloadable apps are the number one route into the organisation, especially now that there are really only two smartphone operating systems for the authors to target, ie. Android and Apple iOS,” he adds.
Embracing BYOD enables you to get a grip on the potential risks
Consumerisation is not going away though. Burying one’s head in the sand not only delays the inevitable and postpones potential benefits such as saving on corporate hardware purchases, it also introduces new and unknown risks. That is because workers who want to BYOD will seek ways around IT’s blockade, such as installing rogue apps or unauthorised and vulnerable wifi access points.
On the other hand, embracing BYOD at least enables you to get a grip on the potential risks, suggests Pejman Roshan, VP of mobility for ShoreTel, which has developed BYOD software for IP telephony and unified communications. As well as malware and software vulnerabilities, risks include misuse of the device itself and interference between personal and business apps. There is also the issue of who owns the device, which limits your ability to remotely wipe it, for instance if its owner leaves your company.
“Most apps are written to perform as if native to the device,” says Mr Roshan. “That is very reasonable if the device belongs to the organisation mandating the app, but it’s more tricky if the device belongs to the end user. You have to create the app so it doesn’t disturb the owner’s personal data, yet protects your corporate data. The app also has to know where it is, to distinguish between business and personal use and so on.” He adds that your app also needs to be superbly usable: “If you make it hard to use, they won’t use it – and often they’ll find rogue apps to use instead.”
“You have to assume that the mobile device is a hostile environment, and not put too much data on it,” agrees Kevin Mahaffey, the co-founder and chief technology officer of mobile security firm Lookout. “On mobile devices, there’s a lot of the same security vulnerabilities as on PCs or servers, so it pays to be a little paranoid – though not too much.”
Fortunately, there are quite a few ways to reduce the risks of BYOD at the device end. Examples are giving the enterprise apps their own private encrypted network channel back to base, and the use of segregated software wrappers often known as sandboxes to keep enterprise apps and data separate and deletable. “The move to cloud computing is also a good answer to some of these issues,” adds Mr Durbin. However, he notes that it is also vital to do a holistic assessment. “Advanced companies say this isn’t about devices, it’s about data – which data is crucial and which we’re more relaxed about,” he says. “So first put in place data guidelines, then think about devices.”