Some Growing Pains, but No Stopping BYOD

Are companies souring on the bring-your-own-device policies that allow employees to connect their own smartphones and tablets to the company network?

According to a new survey on BYOD, they might not have been as enthusiastic about the practice as once thought. Despite the “puff and promise” of BYOD, adoption is quite low, found Azzurri Communications, a U.K. provider of managed communications services. Just 17.2 percent of the companies it surveyed have an enterprise-wide BYOD policy, compared with 31 percent that practice choose-your-own-device (CYOD), in which the company owns the device, but employees have more choices about which ones they want to use.

Some companies may be rethinking BYOD strategies as the task of managing company data on employee-owned devices proves complicated and the cost savings aren't living up to expectations. “The big BYOD push was that ‘This will be easy! We don't have to manage their phones, and it will save us a lot of money,'” says Chris Crowley, an independent security consultant who works with the Department of Defense and as a certified instructor for the SANS Institute, a computer security training organization. He says it hasn't quite worked out that way.

“The reality is that protection of the data on devices not owned by the company is tremendously complicated,” says Crowley. “A salesperson has a list of sales prospects on a personal device, then leaves the company. The company declares ‘That's our data, give it back,' and the salesperson says ‘It's my phone, you can't touch it.' Now you have a control issue.” As it has been deployed, companies are realizing how challenging it can be to control data on a device that someone else manages, he adds.

Also true, says Crowley, “Now that BYOD has been operationalized, there isn't the huge cost savings companies expected. They end up paying for the data plan and maybe also a container solution,” such as Good for Enterprise or Mobile Echo. These solutions effectively isolate applications like e-mail or a calendar; the enterprise maintains control of any information in that container, but they come at a price.

Still, says Azzurri CIO Rufus Grig, BYOD delivers value, measured in productivity. “There's all sorts of reasons costs go up, including corporate data plans and imposing mobile device management licenses. In most cases the value proposition is that your employees are happier with the devise they're using, which makes them more productive wherever they are. If they've got a device in a pocket on the weekend, they'll get on top of e-mail straight away, whereas a brick of a phone will stay in the briefcase.”

Crowley observes that BYOD best represents cost savings when used for simpler functions, like accessing calendars and e-mail remotely. “At that level of data access, BYOD is a very clear cost savings proposition,” compared with CRM or deeper enterprise functionality, “and a very clear win for users for functionality. Being able to check e-mail once or twice a night is a huge productivity boost for business.”

Despite the concerns, many companies are still planning to move to BYOD platforms, perhaps with the hope that new data management solutions will solve some of the current problems that BYOD creates. In a May survey of CIOs worldwide, technology research firm Gartner predicted that 38 percent of companies expect to stop providing devices to workers by 2016, and nearly half will require employees to purchase their own phones and tablets by 2017.

Cross-Border Challenges

U.S. enterprise may be especially comfortable with BYOD because, “We don't have the same sort of restrictions from a privacy perspective that other countries have,” says Jim Guinn, managing director in PwC's advisory practice.

That is, until you travel to those regions to do business. “If you work for an oilfield services company that operates in the Middle East, United Kingdom, and North America and you perform transactions on tablets, like taking or approving an order, there's the possibility that you create a taxable event in that foreign entity. Do you have an entity to handle the tax implications in that country, if there are any?”

“The reality is that protection of the data on devices not owned by the company is tremendously complicated.”

—Chris Crowley,

Independent Security Consultant

The same holds true with privacy laws, says Guinn. “If my company reaches my personal information like personal banking information, what laws in that region does the company have to abide by when comingling personal and business information on a handheld device?”

Some companies react with a mixed-mode deployment of BYOD and CYOD. Executives are issued multiple devices with ones specifically for a country in which intellectual property theft is common, with a higher number of breaches, or in which the government controls the telecom infrastructure. “Who's to say all of that information is not being sniffed? I've seen clients deploy limited-use devices that are very secure, or are wiped immediately, with the information not traversing from the corporate network,” says Guinn. Functionality on such a device like encryption or its camera can be enabled or disabled with geotagging, so the user effectively cannot breach any regional privacy or financial regulations. 

Practical, Scalable Solutions

Corporate software giant SAP manages more than 70,000 employee-owned devices worldwide in its BYOD program, using its own SAP Mobile Secure suite, which includes content management, app protection, and a device lifecycle management solution, among others. Its Afaria mobile device management (MDM) solution is used to manage BYOD worldwide for companies like Hewlett-Packard.

“What we see, especially for large enterprises, is that they can't keep up with device refresh cycles, and employees expect new operating system features,” says Senthil Krishnapillai, head of SAP's Mobile Secure Group. The easier route is the data services model—managing the data rather than the device.

SAP advises customers to enforce contracts with users, giving the company the right to control portions of a device. “For example, the e-mail or any content you may access and applications you install to access the company, says Krishnapillai. “And the company has rights to access and wipe certain data, and enforce policies like passcode strength.”

A second step is to enable deeper use for higher productivity. SAP's Mobile Documents is a mobile content management (MCM) solution that allows users to connect to back-end applications like Sharepoint or SAP Portal, enabling use beyond e-mail, calendars, and texting.

HAS BYOD OR CYOD ADOPTION INCREASED?

The graph below from Azzurri Communications shows an increase in support, in principle, for “bring your own device” (BYOD) and “choose your own device” (CYOD) where devices are used for both business and personal use. But has actual adoption increased at all?

Token BYOD: where a few lucky employees (