The need for IT to get in front of the BYOD (Bring Your Own Device) problem



Osterman Research White Paper
Published October 2012
Sponsored by Quest Software (now a part of Dell)

Osterman Research, Inc.
P.O. Box 1058 • Black Diamond, Washington • 98010-1058 • USA
Tel: +1 253 630 5839 • Fax: +1 253 458 0934
©2012 Osterman Research, Inc.

EXECUTIVE SUMMARY

Wikipedia defines Bring Your Own Device (BYOD) as “the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers and databases as well as their personal applications and data.”[i]

Hidden within and implied by that seemingly innocuous definition are a number of quite serious problems for corporate IT departments and organizations in general:

• Separate ownership of the platform used to create and store data and the data itself. This separation of ownership can make it more difficult for IT to access content on mobile devices in a timely way, if at all.

• The reduced control that IT has over devices and data with regard to encrypting content, retaining it in corporate archiving systems, deleting it in the event a mobile device is lost, and otherwise managing content and devices in accordance with compliance and other obligations.

• The potential for personal applications to create security risks, such as through loss of sensitive data or by the introduction of malware into the corporate network.

THE PROBLEM IS SERIOUS

As shown in the following figure, nearly three out of five organizations believe that BYOD represents a problem for their organizations – we anticipate that as the trend builds over the next 24 months, the problem will become much more serious.

[Figure: Perceived Seriousness of the BYOD Problem]

KEY TAKEAWAYS

• BYOD is pervasive – employees in 82% of organizations are using personally owned smartphones and/or tablets to access corporate systems like email, databases and various applications.
• BYOD offers some benefits as a means of potentially reducing corporate costs and improving employee morale and job satisfaction.

• However, there is substantially more downside risk from unmanaged BYOD in a number of areas: support for these devices is more difficult than it is for company-supplied devices, the cost of managing mobile devices can actually go up, content management becomes more difficult, network and application security are placed at higher risk, and corporate governance can become very difficult to manage.

• All organizations should develop a BYOD strategy, implement the appropriate policies to manage personally owned devices, and deploy the technologies that will enable enforcement of these policies.

ABOUT THIS WHITE PAPER

This white paper discusses the results of an in-depth survey conducted for Quest Software (now a part of Dell) – the sponsor of this white paper. This paper also provides an analysis of the BYOD problem and what organizations should consider doing to mitigate the risks and realize the benefits associated with it.

The survey for this white paper was conducted during July 2012 with members of the Osterman Research survey panel. A total of 162 surveys were completed across a wide range of industries. The organizations surveyed have a mean of 13,135 employees and 11,463 email users (the medians are 1,500 and 1,200, respectively). Smartphones are employed by a mean of 46% of the email users in the organizations surveyed; iPads and other tablets are used by 14%.

BYOD IS BECOMING A SERIOUS ISSUE

WHAT DO WE MEAN BY “BYOD”?

The Bring Your Own Device (BYOD) phenomenon is the increasingly common practice for employees to use their own smartphones, tablets, laptops and other computing platforms and applications to access corporate systems like email and databases, and to create, store and manage corporate data using these devices. For example, Osterman Research has found that business email and Web browsing are the most common tasks for which mobile platforms are used (by 99% and 93% of users, respectively). However, personal social media, corporate social media and the storage of business-related documents are also common uses.

PERSONAL DEVICES ARE INFILTRATING CORPORATIONS

As shown in the figure below, company-owned devices of various types are widely used for work-related purposes – not surprisingly, our research showed that 100% of organizations supply one or more computing platforms to their employees. However, our research also found that in 82% of the companies surveyed, personally owned devices are used alongside company-supplied devices. While a majority of employees are not yet using personal devices to access corporate systems, four out of five companies are part of the BYOD trend to varying degrees.
[Figure: Percentage of Employees Using Various Platforms for Work-Related Purposes]

WHY IS BYOD GROWING SO QUICKLY?

The BYOD phenomenon is being fueled primarily by four trends:

• Employees want the latest and greatest
Employees often want the latest and highest performance hardware – better and newer devices than their employer provides for them across a variety of platforms: desktop PCs, smartphones, tablets, etc. This is due in part to the fact that decisions about personal devices are not constrained by the return-on-investment and limited budget considerations that often limit IT decision-making. Moreover, individuals are generally freer to make impulse purchases in response to the latest and greatest hardware announcements – IT departments typically make more well-informed and more thoughtful decisions about purchasing capital equipment and do so during normal – and less frequent – hardware refresh cycles. In short, individuals who buy new hardware for themselves are not constrained by the need to make a business case for their purchases.

• Telework
A growing number of employees work at home as part of telework programs and so are not as constrained by their IT department about downloading and installing applications that may or may not have been vetted for use on the corporate network. In other words, the distance between an employee and a corporate IT department is inversely proportional to the control that IT can exert on that employee.

• IT is strapped for cash
Many IT departments cannot afford all the tools that users need; the vetting process for these applications is too slow to meet users’ expectations; or the IT department simply does not allow certain tools to be used because of concerns over corporate security, the potential for data breaches, etc.

• The blurring of work and personal life
Many employees are happy to enable – or are at least willing to accept – a blurring of the distinction between their work and personal lives. This has been borne out by Osterman Research surveys that demonstrate that the vast majority of employees bring work home with them, access corporate email after hours and on vacation, and so on.

WHY BYOD CAN BE A GOOD THING

There are three basic benefits that BYOD can provide:

• Corporate costs can be reduced (maybe)
At least in the short term, corporate costs can be lowered by employees funding some or all of their mobile device and cloud-based application requirements. For example, while many employers will pay for employees’ mobile devices outright, some provide only partial reimbursement, if that. An Aberdeen Group study found that carrier costs for employee-owned devices are $10 per month per device lower than if the company owns the device.[ii] Moreover, a comScore MobiLens study of BlackBerry users in late 2011 found that 22% of employers provide only partial reimbursement for users’ devices.[iii]

• Employee morale can be improved
There is some evidence to suggest that when employees are permitted to choose their own mobile device their job satisfaction can be higher. For example, an Aberdeen Group study found that 61% of companies that permit employees to use their own mobile device experience higher employee satisfaction.[iv]

• Organizations can keep up with the latest and greatest
Many IT departments have been subjected to frozen or declining budgets over the past few years, particularly since late 2008. The result is that many have not had the funds available to supply their employees with more advanced smartphones and tablets. Because many employees are willing to supply these devices themselves, IT departments are often spared the expense of supplying employees with cutting-edge tools that can make them more efficient.

WHY BYOD CAN BE A BAD THING

COSTS CAN INCREASE WITH BYOD

An analysis conducted by the Aberdeen Group found that a 1,000-seat organization can spend an additional $170 per user per year when using BYOD compared to providing smartphones themselves.[v] However, BYOD can lead to other, potentially enormous costs. For example, if a company-owned smartphone that contains customer data is lost and it cannot be remotely wiped, in most cases an organization will be obligated to report this data breach to all of the affected parties. If we assume, as Osterman Research discovered in another survey, that 69% of company-owned devices can be remotely wiped compared to only 24% of personally owned devices, then the likelihood of losing data for the latter – and the cost of the data breach – will be 2.9 times greater.

SUPPORT BECOMES MORE DIFFICULT WITH BYOD

Our research found that most organizations do not fully support their mobile users. As shown in the following figure, only one-third of organizations support mobile users as they do users of more traditional parts of the IT infrastructure like desktop PCs or laptops.

Moreover, as shown in the next figure, support from IT and the help desk is more difficult and more onerous for employee-owned than it is for company-owned devices. This is due to a variety of factors, not least of which are the wide variety of smartphones and tablets that users will employ, the different operating systems in use, the different firmware versions in use, and the wide range of personal applications that are installed on the devices – some of which may represent a security threat.
[Figure: “What is your current practice or near-term plan for supporting mobile devices and applications?”]

[Figure: Ease/Difficulty of Managing Company- and Employee-Owned Devices (% Responding Difficult or “a Real Pain for Us”)]

43% of organizations put executives on the “A” list for mobile device and application support, but provide only “best effort” for everyone else.
CONTENT MANAGEMENT BECOMES MORE DIFFICULT

Mobile devices contain a growing proportion of corporate data. For example, Osterman Research has found that more than 5% of corporate data is stored just on users’ smartphones and tablets[vi] – we expect this figure to increase dramatically during the next 24 months as iPads and other tablets are employed in much larger numbers than they are today. Employee-owned devices make access to this data by corporate IT or compliance departments much more difficult, such as when data must be gathered during an eDiscovery exercise. This is not only because of the difficulty that might be encountered in physically accessing these devices, but also because of the potential privacy and other legal issues that are raised by companies accessing their employees’ personal property. This is particularly true in those jurisdictions that place a heavy emphasis on employee privacy.

Moreover, knowing what data exists on mobile devices is much more difficult for IT when the devices are employee-owned than when they are under IT’s control. This is particularly difficult for legal counsel and others that must assess the information that the organization has available to it during eDiscovery, early case assessments, legal holds and similar types of litigation-related activities. The probability of spoliation of content stored on personally owned devices is also much greater, simply because that content is not controlled by an IT or compliance department.

Legal holds can be particularly problematic in a BYOD environment. When data that might be required in a legal action must be set aside from the normal deletion cycle or from users’ manual deletion, it is critical that an organization immediately be able to preserve all relevant data, such as emails that might need to be produced during trial or pre-trial activities. Placing a hold on mobile data may be more difficult than it is for traditional systems – and much more difficult when it is located on devices that are under the control and ownership of individual employees.

NETWORK AND APPLICATION SECURITY BECOME RISKIER

Another threat introduced by BYOD is that personal devices used to create, access and store corporate data will normally bypass inbound content filtering systems that IT has deployed in the corporate network. One result of this is a potentially greater likelihood for malware intrusion, particularly for Android devices. For example, F-Secure found that for the 12-month period ending in the first quarter of 2012, the number of new Android-focused malware families and variants had increased from 10 to 37, and the number of malicious Android-focused application package files had increased from 139 to 3,063.[vii]

Further, personally owned devices will normally bypass DLP and related systems, possibly resulting in more violations of corporate and regulatory policies focused on encrypting content or preventing disclosure of sensitive information. For example, researchers in a UK-based study acquired 49 mobile devices that had been resold through secondary markets; forensic examination of the devices resulted in the discovery of information on every device and a total of more than 11,000 pieces of information collectively from all of the devices.[viii]

Further evidence of the security threat that BYOD creates in most organizations comes from other research that Osterman Research conducted during 2012. For example, we found that in organizations with at least 100 employees:

• 44% of company-owned smartphones and 38% of company-owned tablets can be scanned for malware. However, only 10% of personally owned smartphones and 9% of personally owned tablets can be similarly scanned.

• 69% of company-owned smartphones can be remotely wiped if they are lost, but only 24% of personal smartphones can be wiped. Similarly, 54% of company-owned tablets can be remotely wiped versus only 21% of personally owned tablets.
GOVERNANCE CAN BECOME A SERIOUS PROBLEM

Just about every organization must comply with a variety of obligations to protect, retain and manage their business records wherever they may be found – on corporate systems managed by IT, or on personal devices owned by employees. These obligations, which are focused primarily on the archiving, encryption and monitoring of certain types of content, include the following:

• The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare and other organizations to protect sensitive health records of patients and others. However, the “new” HIPAA that took effect during the first quarter of 2010 greatly expands the impact of the law. For example, while HIPAA previously applied mostly to physicians, medical practices, hospitals and the like, now the business associates of these entities will be required to comply with HIPAA’s rules about the security and privacy of protected health information (PHI). That means that accountants, benefits providers, attorneys and others that are given access to PHI will now be fully obligated to comply with HIPAA.

• The Federal Rules of Civil Procedure obligate organizations to manage their data in such a way that it can be produced in a timely and complete manner when necessary, such as during legal discovery proceedings.

• Electronic recordkeeping rules established by the SEC, FINRA, FSA and other regulatory bodies are focused on financial services organizations’ obligations to monitor and archive communications between registered firms and their customers. It is also important to note that firms registered with FINRA and the SEC are required to archive and monitor communications made using smartphones, whether company or personally owned. For example, FINRA Regulatory Notice 07-59[ix] states “…a firm should consider, prior to implementing new or different methods of communication, the impact on the firm’s supervisory system, particularly any updates or changes to the firm’s supervisory policies and procedures that might be necessary. In this way, firms can identify and timely address any issues that may accompany the adoption of new electronic communications technologies.”

• The Payment Card Industry Data Security Standard is a set of requirements for protecting the security of consumers’ and others’ payment account information. It includes requirements for building and maintaining a secure network, encrypting cardholder data when it is sent over public networks and assigning unique IDs to each individual that has access to cardholder information.

• The Sarbanes-Oxley Act of 2002 obligates all public companies and their auditors to retain relevant records like audit workpapers, memoranda, correspondence and electronic records – including email – for a period of seven years.

• The Gramm-Leach-Bliley Act requires financial institutions to protect sensitive information about individuals, including their names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.

• Federal Energy Regulatory Commission Order No. 717 imposes various rules on regulated and vertically integrated utilities so that transmission providers do not give preferential treatment to their affiliated customers. The purpose of this order is to create an ethical wall between the marketing and transmission functions of vertically integrated companies that distribute electricity and natural gas between states.
Fundamentally, BYOD makes compliance with these and other obligations much more onerous because of the greater difficulty associated with finding, retaining, encrypting, wiping and otherwise securing corporate data.

WHAT SHOULD YOU DO ABOUT BYOD?

FIRST OF ALL, REALIZE WHAT’S GOING ON

Before the BYOD problem can be brought under control, decision makers must understand just how pervasive it is in most organizations. While most senior managers will surmise that some of their employees are using personally owned smartphones and tablets (given that senior managers often were the catalyst of the trend after the introduction of the iPhone in 2007), they may not appreciate just how widespread this use has become. Senior managers need to understand how personally-owned smartphones and tablets, as well as tools like personal file sync services or Skype, are used throughout the organization, what types of data they are used to access and store, and the reasons for their use.

DEVELOP BYOD POLICIES

Next, decision makers faced with controlling BYOD should implement policies about acceptable use of devices and applications, perhaps creating a list of approved devices, operating systems, applications and other personally owned or managed solutions. These policies should be detailed and thorough, and should be included as part of an organization’s overall acceptable use policies that are focused on use of corporate computing resources. However, as shown in the following figure, more than two in five organizations have yet to develop a formal, documented strategy for BYOD.

[Figure: “Which of the following best describes your BYOD strategy?”]

One of the most important corporate policies for mobile devices should be that any mobile device can be wiped by the IT department in the event of its loss, and that all devices that contain corporate content should be encrypted to prevent the loss of sensitive data or intellectual property.

Faced with a requirement to eliminate use of personal devices or applications, many employees will continue to use them secretly anyway, particularly those employees who work from home at least one day per week.

EMPLOY YOUR USERS AS YOUR FIRST LINE OF DEFENSE

Users should be educated about best practices for accessing and managing corporate data on personally owned devices or when using specific applications. An important reason for doing so is not only to make employees aware of the dangers that can result if corporate data is not adequately protected, but also to achieve employee buy-in and cooperation with corporate policies.

DEPLOY TECHNOLOGIES THAT WILL ENABLE YOUR POLICIES

It is imperative that organizations deploy the appropriate technologies, such as mobile device management solutions, that will enable their policies to be enforced and overall corporate risk to be managed at an appropriate level. For example, an organization that allows employees to use their own tablets should deploy a solution that enables full disk encryption, under IT’s control, that will protect sensitive data if the device is lost. Other technologies that should be on the short list of those deployed include anti-virus, malware detection and remediation, role-based access, content inspection and archiving – these apply to both personally owned devices and employee-managed applications.

ABOUT DELL

Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value.
For more information, visit [URL not preserved in extraction].

It is critical to know the extent of personally owned device usage in your corporate environment; ignoring it means that your sensitive data may be living in thousands of different places and devices, all of them outside of the control of your IT department and your carefully designed security.

The mere thought of inventorying and assessing all of the personally owned devices in your environment may seem overwhelming. MessageStats from Dell can help. MessageStats gathers intelligence about your entire messaging infrastructure – including Exchange, BlackBerry, OCS/Lync Server, OWA, Windows Mobile/ActiveSync and more – with one solution, visible from a single console (i.e., “a single pane of glass”).

It is not uncommon for users to have multiple devices that are being used for business purposes. MessageStats lets you know when new devices are activated, as well as who is using them. You will also be able to identify the number of devices in use by each user, as well as the carrier. MessageStats identifies all users and their devices, and reports on active use and whether policy updates have been applied.

Learn more at [URL not preserved in extraction].

MOBILE IT

After your BYOD strategy is in place, consider enabling IT staff and users to access important applications on their mobile devices. Use Mobile IT to administer Dell solutions or enhance the value of other third-party applications such as your help desk management software, HR processing system, internal change management system, etc. By enabling secure access to critical applications from a mobile device, Mobile IT delivers the mobile administration and remote management that organizations need today. With IT applications at the heart of business operations, IT shouldn’t be tied to desktop applications; instead they need a way to handle issues as they arise, whether or not they’re in the office.

Mobile IT delivers the mobile admin functionality IT administrators need to do their jobs, no matter where they happen to be. With Mobile IT, you can:

• Get alerts
Be alerted about events and issues via proactive notifications on mobile devices. You can stay connected and assess issues even while you’re not on site.

• Take action
Initiate actions within your applications from your mobile device. You can respond faster to business requests and execute tasks while mobile, which reduces costly delays.

• Run reports
Run reports that put your alerts into context, enabling you to make informed decisions while mobile. For example, you can see what recent changes might have caused users to lose access to data they need.

Learn more at [URL not preserved in extraction].
© 2012 Osterman Research, Inc. All rights reserved.

No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader’s compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, “Laws”)) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

THIS DOCUMENT IS PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

Endnotes (entries ii–v and ix were not preserved in extraction):

i    [source link not preserved] – that is the question!
vi   Unpublished Osterman Research survey data, October 2012
vii  Source: Mobile Threat Report Q1/2012, F-Secure
viii Electronic Retention: What Does Your Mobile Phone Reveal About You?