Bring Your Own Device optimize

BYOD? Forget about it!

Scott Lowe highlights a few reasons why organizations might want to put the kabosh on BYOD initiatives, particularly when it comes to mobile devices.

How many articles have you read that praise the virtues of various Bring Your Own Device (BYOD) initiatives? Probably a lot and, if you're an avid TechRepublic reader, you may have even read one or two authored by yours truly. However, being the open-minded, pragmatic fellow that I am, I realize that there are two -- or more -- sides to every technology and support decision. So, in this space, I'm going to discuss a few reasons why you don't want to embrace BYOD, particularly as it pertains to mobile devices.

Disclaimer: Obviously, there are ways to overcome some of the challenges I describe below, but overcoming them implies that there will be an expenditure of time, money, or both in doing so.

Unfocused IT

Perhaps one of the biggest challenges in many BYOD initiatives comes from the need for IT to potentially add a plethora of devices to their already burgeoning support load. While some organizations will attempt to place restrictions on what devices can be supported, once the BYOD door is opened, it's very difficult to rein it back in.

Organizations that are considering BYOD initiatives must think carefully about the hidden costs inherent in these initiatives and decide if the benefit is worth the added burden to the IT group. It make more sense to simply say no to BYOD and allow IT to add value to the organization in other ways instead.

New licensing costs

Do your existing software licenses include the ability for you to install software on employee-owned devices or to consume software through employee-owned devices? Even something straightforward, such as accessing a VDI-based desktop from an iPad, could place your organization in licensing jeopardy.

Don't forget that any mobile device management systems that you purchase will need to be extended to deal with employee-owned devices. When the company was providing devices, there was some control in this area, but there's the potential for the floodgates to open once BYOD comes to town.

On the app front, employees are able to download and use any and every app under the sun. How will you handle reimbursement for such apps and what happens to them when the employee departs the company?

New data security issues

Do you like your data snug and secure on devices that you control? With BYOD, you could have company data running around on a myriad of devices and be none the wiser. Story time: I have a friend of a friend who works in the mental health field. She was very pleased that she could carry around all of her patient files on her iPad so that they were accessible wherever she went. I asked how she did this, and she named a common iPad app that just uses regular PDF files with no additional security or encryption.

When you control the devices, you can control how their security mechanisms work. When someone else controls the device -- and particularly when they own the device -- it become much more difficult to secure the device and the data on it.

Litigation potential

Once you open the BYOD floodgates, imagine this scenario: An employee saves mail in non-standard ways to his personal device, which synchronizes with the corporate mail system. What happens if the company receives a discovery order? Do employee-owned devices now fall under this order? If so, how do you handle what could be messy logistics?

Now, what happens when an employee loses a personal device that has a bunch of corporate information on it? Who will hold responsibility for that loss? Does the company get bad PR and a class action lawsuit and/or is the employee held legally liable?

Malware

Anytime new devices are brought into an organization in an unstructured way, new potential is created for the introduction of malware across the organization. With employee-owned devices, it's not inconceivable to envision the ease by which malware can be carried behind the firewall, particularly on devices that can plug into a PC's USB port and look like a standard storage device.

Summary

If you think this article is all doom and gloom, don't lose hope! These are a few items that simply must be considered by organizations that plan to undertake BYOD initiatives.

About

Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive w...

19 comments
cshuey
cshuey

I've been having these conversations with our Directors over the past several months, working on a strategy.

geofftechrepublic
geofftechrepublic

Virtualization and thin clients can address all of these concerns. We needn't "touch" the device and the device needn't "touch" our enterprise. I agree with the person who said "it's your job. do it or someone else will!" Failure to provide ubiquitous computing and mobility rob the enterprise of an incredible efficiency and capability that competitors are sure to embrace and exploit to their advantage.

krsmav
krsmav

I used to work in a large law firm (>1000 users) that was hyper-cautious about BYOD. They gave everyone a primitive Microsoft corded mouse with a mechanical roller that constantly got gunked up. After long hesitation, they let me bring in my own cordless laser mouse (with extra buttons), but they absolutely refused to let me install the driver because they hadn't tested it. And they wouldn't test it because it would take to much time, for the benefit of a single employee. They also wouldn't let anyone switch from Internet Explorer to Firefox, and with the constant new versions of FF, they said they couldn't evaluate it fast enough. And in IE, they wouldn't permit the addition of an ad blocker. I went crazy when I tried to look up a phone number and had to hunt it down on a page full of flashing, jangling ads. However, they hadn't disabled the USB connections for thumb drives, and Portable FF worked fine. . . . It's a structural clash between IT caution and user's needs.

belli_bettens
belli_bettens

A company should provide their own apps through which employees can download company data in a secure way. This way all access to the company network can be blocked unless you're using the company approved tools. The app should be easy to use such that employees aren't tempted to fall back on easier to use insecure apps. It should also be made clear to the users that copying company data to a (mobile) device is as much of a security breach as copying data to a usb-stick (when done outside of the approved applications).

Dyalect
Dyalect

Endless support calls, security issues, compatibility problems, legal ramifications. No creditable organization would ever allow BYOD.

pipiolo
pipiolo

RIM has recently announced BlackBerry Fusion which is a technology that comprises some servers to being able to accomplish what it is mentioned in this article. Two of the components already exist (BES and BES Express 5.0.3). With BES and BES Express you can implement already BlackBerry Balance which is a technology that allows you to create that boundary between Personal and Corporate data and applications, so an employee like in the article would not be able to copy patients records and using it leisurely without password or encryption. Of course, that is only for BlackBerry Devices. There is another component called BDS which is a BES like for Playbooks and the upcoming BB10 devices. It implements Balance as well in the same manner as BES or BES Express. And the last component is UDS which will manage iOS (iPhone and iPad) and Android (phones and tablets) devices enforcing work perimeters where passwords are required in order to access corporate applications and data. Besides, this UDS can control what applications can be installed and used when in the work perimeter (in the personal perimeter it works as normal however access to corporate data is disabled even though it can reside in the same device) and there are certain measures that the IT can also enforce as not allowing, for example, bringing devices that are either jailbroken or rooted.

CharlieSpencer
CharlieSpencer

How does it damage efficiency if the company is already providing a device for you?

SKDTech
SKDTech

Instead of just an app, the company publishes a list of approved devices which the user can supply if they want to BYOD and the company does not allow any of them onto the network until they have been flashed with a company provided ROM that does not allow the user to do anything unauthorized? That way the company can ensure the devices meet necessary security specifications, block root access which could allow circumvention of security measures, and can ensure the device has the necessary software to perform remote wipes in case of theft or loss. I think BYOD is a mistake, but I will admit there are measures that could be taken to make BYOD safer and more feasible.

adornoe
adornoe

so, the best method for keeping data and applications and systems safe from theft, is to not even make them available outside of work, and to not allow BYOD at work. What you're suggesting is kind of like, someone that knows it's illegal to commit a crime using a gun, where, the criminal already knows it's illegal, but is going to do it anyway.

Pete6677
Pete6677

Many credible organizations do in fact allow BYOD. There's no stopping it. All of the arguments against it could also be made against desktop computers. It would all be easier if every user had a dumb terminal, but that wouldn't be very useful for most people.

roamy_quigman
roamy_quigman

No creditable organization can afford to bury their heads in the sand. Unless of course they want a big expensive "no" factory.

adornoe
adornoe

with the encryption keys are probably more dangerous and more likely to be the point of biggest data and resource theft. Techies or IT personnel are likely to have company issued equipment to use outside of work, but, what about the company owned devices which those people have at their disposal at work and outside of work. How does the company provide for protection from those devices and from those most trusted with their data and software and hardware? In the least, no smart device, company owned or employee owned, should have access to company data that can be copied to those devices. If an employee needs to access company resources, then they should be doing so from a device which serves as, basically, no more than a terminal, and something like that would be a tablet with just enough memory for software and not enough for data storage.

CharlieSpencer
CharlieSpencer

Anyone else smell canned pork? Blue can, yellow letters, with a key on the bottom?

Pete6677
Pete6677

That wouldn't be BYOD. That would be PYOMFTCD (Pay Your Own Money For The Company's Device).

adornoe
adornoe

and, if they do bring laptops to the office, then it's still a dangerous move allowed by the powers at the company. A dumb terminal does not have to be useless. A company could allow connectivity with a dumb terminal or with a very crippled tablet. A crippled tablet would be one with very limited data storage capabilities.

SKDTech
SKDTech

How much is just enough for apps and not enough for storage of data?

Sonja Thompson
Sonja Thompson

and it doesn't appear to be copied and pasted, but I get you, Palmie :-)

adornoe
adornoe

They're the ones that should determine what is usable and what a device should be capable of or not.