BYOD: Innovative Cost-Cutting Strategy or a Security Nightmare?

BYOD, also known as ‘bring your own device’, describes the phenomenon of workers bringing their own devices, such as smartphones and tablets, along with their applications and data, into the workplace for both personal and business use (Scarfo, 2012). Tasks include accessing corporate email, documents, applications and networks.

This trend is said to have first entered the corporate environment when Intel recognized the importance of employees using their own devices to access corporate resources and networks. However, it was only when service providers such as Unisys and Citrix Systems shared their views on the emerging trend in 2011 that organizations started to consider it (Gajar, Ghosh, and Rai, 2013).

This is now a rapidly growing trend, based on marketing research conducted by Cisco on 600 IT leaders from 18 different industries. One finding in particular, that mobility is pervasive, showed that 78% of their employees bring a mobile device to work and 44% of employees are knowledge workers who telecommute at least one day each week, saving the company $2500 a year (‘Cisco study: IT saying yes to BYOD’, 2012).

In this scenario, several frameworks based on state-of-the-art telecommunication technologies, such as label switching, are emerging to address all required functions of new-generation converged/unified heterogeneous mobile networks, from initial authentication and configuration, security, session control, resource reservation and admission control to quality of service and policy management (Palmieri, 2005; Scarfo, 2012). With this taken into account, companies are revising their IT models; 75% of them believe the share of employee-owned devices connecting to corporate networks will increase vastly over the next two years. Furthermore, 88% of IT leaders see BYOD growth and 76% consider it extremely positive (‘Cisco study: IT saying yes to BYOD’, 2012).

The reason for the growth in this trend could be down to the suitability of mobile devices, which can now be well connected to the corporate network through Wi-Fi. Employees can therefore always stay connected and access their resources. All of the organization's applications, such as business, sales, customer support, finance and technology, can be accessed through the Web. This single point of information access has also reduced various technical requirements within a device. The growth and development of mobile devices, with their rich features and functionality, has made them acceptable for use within an organization.

These devices are now more powerful and sophisticated, with performance very near to that of desktops. The increased security features within the devices have also helped their acceptance (Eschelbeck & Schwartzberg, 2012). The growth in the popularity of BYOD may also be down to the fact that the phenomenon relates closely to other technological trends.

Bandwidth improvements and the growth in cloud computing make it possible to move work wherever it may be desired, making it accessible on employees' mobile devices regardless of where they are situated. Utilizing worker-owned devices therefore seemingly increases the benefit of this revolution. It is predicted that BYOD will have a big impact on corporate IT, and that in the next decade technology diversity will become the norm rather than the exception, which will pave the way for a fall in operational costs and complexity. In the future, rather than focusing on platforms and systems, management will shift its focus to applications that can be deployed across a variety of systems (Scarfo, 2012).

The underlying reason that most companies are encouraging the trend rather than shying away from it seems simple: it improves productivity and reduces costs. More opportunities are available for employees to collaborate, and using preferred devices means that employee morale is boosted and the devices are utilized as efficiently as possible. Consequently, BYOD could be considered the “silver bullet” for productivity improvement; this is especially applicable for roles where mobility is a strong enabler for the adoption of new business models (Scarfo, 2012).

Corporations may be more inclined to encourage workers to use their devices in the workplace than not, as this allows their IT departments to manage these devices while ensuring that security is not compromised: they can impose security checks on devices before they are given the capacity to store corporate data. If organisations discouraged the use of employee devices in the workplace, they would face the risk of employees disobeying this rule and of untrusted devices connecting to the corporate network.

In terms of benefits, bringing employees' devices into the workplace can enhance the effectiveness of the employees themselves, as corporate information and data become more readily available on their personal devices, such as smartphones and tablets, regardless of where they are, whether that be the workplace, the comfort of their own home, or on the go. In the past, an organization's employee would have to sit in an office behind a computer to access corporate data; with the implementation of BYOD this is no longer the case. It is also beneficial to the organization in terms of procurement and training. In the past, newly hired employees were often unfamiliar with the systems in place within their new workplace, so time would be spent familiarizing themselves with the new system and adjusting to its functionality.

A significant benefit of BYOD is that employees do not need to spend time adjusting to and learning the functionality of a new system, and can carry out the tasks required by the organization using devices to which they are already accustomed. Procurement may no longer be a requirement for the organization, as there is no need to keep investing money in keeping up with the latest technology when employees provide their own devices for use in the workplace.

The morale of employees can often be affected when they are forced by their employer to work with technology that is slow and outdated. This is not a problem with BYOD, because users have the opportunity to work with whatever level of technology they feel is necessary, provided it allows them to carry out the requirements of their role. Employees are likely to be comfortable with the functionality of their devices, as they use them day in, day out, and because they purchased them, they are likely to hold more regard for the safety and upkeep of the devices. This may prove a more effective approach than forcing employees to work on devices that may be outdated, that they are unfamiliar with and have no regard for (Gajar, Ghosh, and Rai, 2013).

Despite the benefits, there are concerns and risks associated with implementing BYOD. Due to the portability of the devices used within a BYOD policy, devices are moved around as frequently as their owners. In the past, employees of organizations only had access to the company's data within an office that was locked at the end of each day, which meant both devices and data could be considered secure. With BYOD this is not the case, as each device that stores corporate data is transported anywhere the employee goes. Transporting devices that store sensitive data inevitably increases the chance of that data being lost or compromised. Alongside the threat of loss and theft, BYOD also brings the integrity and confidentiality of data into question. Unauthorized applications can potentially affect the integrity of the device and the data residing upon it (Gajar, Ghosh, and Rai, 2013).

Devices storing corporate data can be taken wherever the employee goes; for example, a mobile phone is used within an employee's social life and is therefore taken to social events. Data could be shared by employees with their friends or even changed for a practical joke. The portability that attracts organizations to BYOD also proves to be a major issue, as the likelihood of that data being lost or stolen significantly increases and data confidentiality and integrity are put under threat.

In comparison to the computers used by corporations within their offices, employee-owned devices may be lacking in sophistication when it comes to security measures, firmware and configuration settings, making these devices vulnerable to security breaches.

Because BYOD involves a wide variety of devices, all of which run a range of different operating systems, devices have the potential to become outdated very quickly. Devices are said to be lacking in controls with respect to the device, security and data. This is due to a lack of enterprise-strength controls across the range of mobile platforms, such as BlackBerry, Android, iOS and Windows, as each platform is said to bring with it an individual security model. The privacy of employees also becomes an issue, with their devices storing numerous credentials and data from both their personal life and the workplace; it is therefore not just corporate data but also data on the individual that is at risk.

When data from the workplace and the personal life of employees exist on the same device, finding a balance between a strict, enterprise-standard security protocol and the privacy of personal data becomes a challenge, especially when the device is not issued as a corporate asset. Another challenge is incident detection. Organizations can employ security operations centers to manage security breaches, which involves detecting incidents. With BYOD, differentiating between the different types of incidents becomes a challenge. When an employee loses a device, the device may be genuinely lost, or they may be unaware that it has been stolen, making it vulnerable to malicious attack.

Further vulnerabilities occur when devices that store corporate data are used outside of the organization's network. For example, when on the go and out of range of the company network, employees may resort to sending and receiving confidential information over an unsecured channel. Devices are therefore more vulnerable to malicious attacks when they communicate over different channels (Gajar, Ghosh, and Rai, 2013).

Human factors also prove to be a risk: disgruntled employees have the ability to store sensitive data on removable media, which they could use maliciously, for example by giving it to competitors, resulting in a loss to the organization. Furthermore, ensuring that employees comply with contracts, laws and company policy outside of the workplace may prove challenging (Navetta, 2015).

A research study carried out by ESG asked 315 security professionals working in organizations with over 1,000 employees what their most difficult mobile security challenges are. The answers mainly related to access to data and applications, attacks on devices and the network, and protection of data. A full breakdown of the security concerns is shown below (Scarfo, 2012).

  •   48% enforcing security policies
  •   46% lost or stolen devices which contain sensitive data
  •   46% maintaining data confidentiality and integrity when stored on mobile devices
  •   41% threat management on a mobile device
  •   41% supporting new device types
  •   40% creating security policies for mobile devices

It is important that organizations give great consideration to a BYOD policy before deploying or dismissing it. The threats that arise from the phenomenon may be enough to make some companies shy away from investing in it. However, considering its implementation is important, because they may find that, regardless of their decision, non-corporate devices are being brought into the workplace. By avoiding BYOD, they may in fact find that devices are more difficult to manage securely, as employees try to keep their use hidden and the organization is unable to set up policies to keep corporate data on such devices secure and private.

The implications of BYOD need to be considered from multiple perspectives, including legal, security, and the safety of the employee, whilst taking into consideration the organization's current infrastructure and security policies. After taking into account the profitability and increase in efficiency associated with BYOD policies, a conclusive recommendation would be in support of a carefully implemented policy for using employee devices in the workplace. Its focus should be on training and educating the individuals who own the devices on the privacy, security and legal implications of using their devices in the workplace, which is the key to ensuring that the likelihood of these implications occurring is reduced and that the policy works as efficiently and securely as possible for the corporation.

References

  •   Cisco study: IT saying yes to BYOD. (2012, May 16). Retrieved March 25, 2016, from http://newsroom.cisco.com/release/854754/Cisco-Study-IT-Saying-Yes-To-BYOD
  •   Eschelbeck, G., & Schwartzberg, D. (2012). BYOD Risks and Rewards. How to keep employee smartphones, laptops and tablets secure.
  •   Gajar, P. K., Ghosh, A., & Rai, S. (2013). Bring Your Own Device (BYOD): Security Risks and Mitigating Strategies. Journal of Global Research in Computer Science, 4, 62.
  •   Navetta, D. (2015). Bring Your Own Device Security and Privacy Legal Risks.
  •   Palmieri, F. (2005). An MPLS-based architecture for scalable QoS and traffic engineering in converged multiservice mobile IP networks. Computer Networks, 47(2), 257–269.
  •   Scarfò, A. (2012). New security perspectives around BYOD. Seventh International Conference on Broadband, Wireless Computing, Communication and Applications.