Despite the rise in the use of personal devices for business use, U.S. consumers show little concern for security when it comes to BYOD. According to a recent survey by Gartner, Inc., a quarter of business users admitted to having had a security issue with their private device in 2013, but only 27% of those respondents felt obliged to report this to their employer.
Yet, Meike Escherich, principal research analyst at Gartner, said, “The key to having a secure device is making sure it is well-managed.” Does that mean going back to the old model of corporate-liable devices?
Too late. This point has already tipped. In fact, Gartner also predicts that by 2017 half of all employers will not just offer BYOD, but require users to supply their own devices.
For the 50 percenters who do not, Escherich warns, “Failure to embrace BYOD will force it underground and into the shadows, where it will have the potential to publicly expose private data and open the enterprise to a data breach situation.”
To Bring or Choose
Allowing BYOD causes risk; not allowing BYOD causes risk. The answer may, instead, be in allowing employees to choose their own devices (CYOD). This may seem simple enough, but a SolarWinds poll indicates that IT pros are also nearly split on which mobile enablement strategy is more acceptable—53% preferring CYOD to 47% preferring BYOD.
On one hand, there is a very real difference between the two, and they can be seen as completely separate strategies, according to SolarWinds Head Geek, Lawrence Garvin. “This difference does involve choice in that BYOD involves end users providing their own devices from a virtually unlimited set of possibilities and connecting it to the corporate network and resources, while CYOD involves allowing end users to choose their soon-to-be corporate-connected mobile devices only from a defined list that IT supports.” Essentially, the difference involves security, cost, ease of device management and network complexity.
On the other hand, BYOD and CYOD are very much related. In fact, Garvin said, “Think of CYOD as simply BYOD with an actual support policy.” BYOD has actually always meant that organizations needed structure around which devices to support, because it’s also always been impossible to support all the devices users might bring. However, BYOD policies have not kept up with the pace of change and many businesses do not even know how many BYO devices they have.
“Offering the end-user a choice of pre-defined devices, in other words CYOD, can be thought of as a more responsible implementation of BYOD,” Garvin pointed out.
Choice, in this case, means limits. Employees may have a version of an iPhone—and iOS is well-defined, updated on a fairly regular schedule and most users are on the latest version—but when it comes to Android, there are hundreds of devices, with fragmented versions of the OS and most users are not on the latest version.
Garvin said that the OS is part of the pathway to creating a defined list of options. One of the first things to consider is in-house expertise. IT must have the skills to deal with the considerations of iOS, Windows, Android and BBOS, as well as the various versions of each. “Some employers may choose not to support one or more platforms simply on principle, or may choose not to support older versions,” he said.
Beyond the platform, there’s also the availability from the chosen carrier or carriers. “If CYOD presumes that the corporate entity has also negotiated rate plans with a carrier—or possibly, but not likely, multiple carriers—then the specific models of devices available in the CYOD program are going to be limited by what that particular carrier offers or supports,” Garvin said.
Benefits for All
First up is choice. Obviously BYOD allows employees the most freedom, but also causes the most headaches for IT. CYOD can balance both.
Securing BYOD devices is much more difficult than securing devices identified and supported by IT. “All devices can open sensitive information up to hackers if not sufficiently secured, but the fact that IT cannot ensure support of every device under the sun means under a BYOD model, security gaps are more likely. On the other hand, CYOD can give nearly total control to IT, which avoids security breaches and gaps in compliance,” noted Garvin.
Cost is another key factor. While some organizations cut costs through BYOD, they still have operational expenses in supporting network connections. For instance, the cost of reimbursing mobile usage and other expenses can be high under BYOD compared with company-provisioned devices, where service plans are already negotiated and prices are reduced, as you would likely find with a CYOD strategy. Garvin said that the reality is with CYOD, supporting mobile devices can be much more efficient because the helpdesk staff is only asked to support known device types.
Data management is also a consideration. With BYOD, responsibility largely rests with users to properly store and share data; CYOD enables enterprises to delete sensitive data and other corporate information on the device should it be lost or compromised, or should an employee leave the company.
Network complexity can also be simplified with CYOD. Garvin said, “CYOD allows enterprises to evaluate the limited choice of wired or wireless devices and provides configurations that respective users need based on company requirements. For instance, it’s common for BYOD users to try to use WLAN without permission. CYOD reduces many of these unwanted hiccups and allows administrators to take necessary precautions.”
As with all parts of a mobile strategy, the decision will depend on each organization’s unique requirements, but, in either case, policies must be created, communicated and enforced.