Unlike many IT buzzwords, BYOD is not going away. In fact, the trend toward organizations adopting a bring-your-own-device policy that allows users to connect to enterprise information systems is only growing. Forrester Research predicts that 200 million BYOD smartphones will be in operation globally in 2016.
Gartner predicts the biggest BYOD adopters will be midsized and large companies, and that by 2017 half of such organizations will require users to supply their own device for work purposes.
“Any organization that is looking to reduce costs and complexity while improving security of customer or corporate data can benefit from BYOD,” says Tisa Murdock, director of industry solutions at VMware. “We have seen an explosion in the devices that employees want to use to access corporate applications and information.”
Midsized and large organizations are aggressively pursuing BYOD strategies for a variety of reasons. A key motivation is the promise of creating new and efficient mobile workforce opportunities.
A growing number of organizations also realize that a properly designed BYOD program can help the bottom line by increasing user satisfaction and reducing or even eliminating the expense of deploying enterprise mobile devices to users.
Before an organization deploys a BYOD strategy, management should carefully consider how users and operations will benefit from the practice. Setting specific organizational goals helps to get the most value out of a BYOD program, says Anil Desai, an independent IT consultant based in Austin, Texas.
“When developing the strategy, planners should pay close attention to the BYOD needs identified by line-of-business stakeholders,” he adds.
Organizations planning a BYOD strategy should also consider the various operational, security and administration tools needed to manage and support the large number of users who employ mobile devices for work-related tasks. Organizations in highly regulated industries, such as finance and healthcare, should also examine how a BYOD program might affect their ability to meet compliance mandates.
Designing a BYOD strategy also requires an organization to address BYOD's thornier issues, such as which devices and operating systems will be supported, whether users will receive compensation for device purchases and service charges, who will own and control specific apps and data, the establishment of acceptable use guidelines, the extent of help desk support and exit procedures for securing the devices of departing employees.
The decision to formally support user-owned devices opens the door to a variety cost considerations. Increased efficiency and productivity, achieved as devices are used to support everyday work tasks, are BYOD's leading benefits.
“Another plus is gaining control over devices that many users will bring to work anyway, regardless of the existence of an official BYOD policy,” says Sean Ginevan, senior director of strategy for MobileIron, a mobile device management (MDM) and enterprise mobility services provider.
Actual costs include any compensation provided directly to users for device purchase and support.
“The additional costs have to do with the need to support hardware that the firm hasn't specified, which includes the training of support staff,” says Rob Enderle, president and principal analyst at Enderle Group, a technology research firm. “Another cost is implementing tools to secure and manage the company-owned files that may reside on the devices.”
Yet another cost tradeoff, Enderle notes, is “putting in place some kind of security audit process and network access control to ensure these devices aren’t compromised and contaminate the organization with malware.”
Companies need to look at both sides of the picture when planning a BYOD strategy, says Jeff Holleran, vice president of corporate strategy for mobile device maker BlackBerry.
“BYOD can reduce some of the IT infrastructure costs, such as paying for mobile devices, but on the other side can cause big security risks for an enterprise, which can lead to a loss of millions of dollars.”
Security concerns discouraged many companies from immediately embracing BYOD, even as users covertly utilized their personal devices for work-related tasks. Such reluctance has now mostly faded away thanks to wide range of BYOD administration tools, including MDM and enterprise mobility management (EMM) products that plug security loopholes and enable IT staff to quash new threats as soon as they arise. Such tools also effectively limit data access to users who require specific information to conduct necessary tasks.
“IT needs these tools to be able to set policies and entitlements to ensure that the proper level of access per user or groups is set,” Murdock says.
Secure Sockets Layer virtual private network (SSL VPN) technology, long used to provide secure remote access to PC and notebook users, has also become a widely used BYOD security tool. An SSL VPN is uniquely located at the network edge, offering visibility into all endpoints (such as a PC or mobile device) and providing the ability to enforce policy-based control over access to network resources.
A virtual desktop infrastructure (VDI) is also often used to provide BYOD security.
“With a VDI, data can be kept in the data center and nothing is left on the endpoint device,” Murdock says.
Encryption provides yet another way to protect important data.
“To bolster data security, organizations should implement encryption for the entire duration of the data lifecycle – in transit and at rest,” Ginevan advises. “To prevent unauthorized access, particularly in event of a security breach, the IT department should have control of the encryption keys.”
While network protection is a prime BYOD focus, lost and stolen devices also pose a grave security threat. A first level of defense to protect against a lost or stolen device is to enforce the use of a passcode required to access the device that may lock the device automatically after a short period of inactivity. This practice can be enhanced by directing the device to automatically erase all data, or to perform a selected wipe, after a specified number of failed passcode attempts.
“An EMM product gives IT the ability to remotely wipe any corporate information or data and manage access depending on network, location or user entitlement,” Murdock says.
Mobile policies vary widely depending on each organization's specific needs and goals. Yet all successful mobile policies should be carefully thought out and flexible enough to accommodate new mobile technologies and needs.
Central to most mobile policies is a section that specifies which platforms (mobile device models and operating systems) will be allowed under the BYOD program.
“It is important to decide exactly what 'bring your own device' means,” Desai says. “Does it mean bring only iPhones? Only Androids? Androids and iPhones? Are tablets OK?”
The policy should also specify which types of users will qualify for participation in the BYOD program. Sales representatives and field technicians may qualify, for instance, while production line workers may not.
Mobile policies typically address the level of technical support users can expect to receive from the organization.
“It's necessary to define the support IT will provide for broken devices and malfunctioning apps,” Desai says. “Will the company, for example, provide loaner devices for employees while their phone or tablet is being serviced?”
The policy should also describe privacy protections and exceptions, apps that are allowed, required or banned, and specific user activities that are prohibited. Users also need to know the procedure for reporting a lost or stolen device. Device or service subsidies, if any, should also be described within the mobile policy.
Most organizations place their IT department in charge of enforcing mobile policy requirements, as well as ensuring that a BYOD program runs smoothly and efficiently.
“Fortunately, centralization and automation of processes, such as device configuration, registration, application provisioning and group policy settings make management easier and less onerous for IT,” Murdoch says.
“Monitoring tools that report on the health of the entire platform reduce the burden on IT to diagnosing root causes if something should go wrong,” notes Craig Mathias, principal at Farpoint Group, a wireless and mobile technologies firm. “IT is not a gatekeeper, it's an enabler.”
If an organization’s IT personnel and infrastructure aren't prepared to meet the demands created by a new fleet of mobile devices, even the most thoughtful, fair and carefully crafted BYOD strategy will ultimately frustrate both users and management. BYOD typically places several new responsibilities on IT staff, including device management, security, training and support.
BYOD's voracious enterprise network demands often place a massive new burden on existing resources. A network must be able to seamlessly handle the dynamic requirements of a wide range of personal devices, ensuring that they work as responsively and reliably as traditional desktop systems.
“There are no shortcuts to BYOD network support,” Desai says. “The capacity, or the ability to scale up capacity, is either there or it is not.”
The rapid pace of mobile technology evolution can also create a headache for IT leaders.
“The number of different devices and OS platforms can challenge IT professionals on the management front,” Holleran says. “Compliance issues, in particular, are only going to become more challenging as consumers adopt new technologies at a faster pace than IT can react and governments impose additional regulations.”
Further complicating the situation is the fact most of the mobile devices BYOD users carry to work are designed for casual consumer use and lack the capabilities necessary to meet rigid compliance requirements.
“For instance, several popular smartphones do not support text message archiving that may be mandated by regulatory bodies for certain industries,” Holleran observes.
But many IT managers dealing with such complications have a valuable source of help to turn to: the experience of their peers. As BYOD hardware and software have matured over the past several years, so has the insight of BYOD program managers.
"An IT leader who is hesitant in looking at BYOD now has the ability to speak to peers in their geography or industry to understand what has worked and what hasn't worked," Holleran says.