BYOD - The results of the Pirean survey
The “consumerization of IT” has meant that employees are using their personally owned PCs and mobile devices for work purposes, whether they are supported by their IT departments or not. In this post, Security Consultant Stephen Williams discusses the results of a Pirean survey designed to ascertain how employees themselves feel about "Bring Your Own Device" (BYOD).
Introduction of a BYOD program into the workplace is becoming a necessity for any organization wishing to control employees' personal device usage and the associated security threat. In fact, Gartner predicts that by 2014, 90% of organizations will support corporate applications on personal devices.
SO WHAT EXACTLY IS BYOD?
Bring Your Own Device (BYOD) simply describes an employee’s use of a personally owned device for work purposes. The most common example of BYOD would be an employee using their own PC, smartphone or tablet to access their work email accounts.
A BYOD program, or policy, is the set of rules that outline the extent to which an organization will provide IT support for employee-owned devices, and can vary vastly in form from company to company. Some organizations provide employees with a grant to both purchase and support suitable technology of their choosing, whilst others extend their in-house support to cover personally owned devices in addition to standard-issue company devices. The extent to which an organization will do this varies greatly and is dependent on a number of factors, such as the employee’s status within the business, their application access requirements and the make/model of the technology itself.
AN EMPLOYEE SURVEY
Everyone is talking about “Bring Your Own Device” (BYOD), and most businesses will need to review their policies to accommodate it. There is much confusion around how (and if) BYOD will benefit organizations, and we are all too familiar with hearing from technology vendors, analysts, and the like about the security challenges that they will need to overcome. But what do employees think about BYOD, and do they actually want it? We took the opportunity at Pulse 2012 to find out by conducting a survey. It consisted of just 5 questions, all designed to ascertain the employee’s feelings towards BYOD and their level of willingness to embrace a BYOD program at their place of work.
We asked for preferences on whether programs should be employer or employee funded, whether BYOD was something the employee actually wanted, and if introduction of BYOD gave people concerns over personal data privacy.
BRING YOUR OWN, OR BUY YOUR OWN?
The first question we asked respondents was “If your employer offered you a choice of options regarding the technology you used to perform your role, what would be your preference?” Only 20% of surveyed users said that they would prefer to use their own device, with 51% of users preferring to select a device at their employer’s expense and 29% of users preferring a standard company device. This result indicates that users may actually prefer the option of ‘Buying’ instead of ‘Bringing’ their own device, turning the BYOD concept on its head. In this scenario an organization seeking to support a ‘Buy Your Own Device’ policy would require merely the extension of existing device asset management processes to cover those that are mobile, in addition to more traditional assets such as desktop and laptop PCs.
When rolling out a BYOD policy within an organization, a number of considerations and mitigations fall to the user which traditionally would have been carried out by their employer, such as device insurance and the introduction of specific security measures such as mobile device firewalls, anti-virus and patching. This placement of responsibility onto the user could result in a lack of BYOD policy engagement on their part, thereby minimising any efficiency gains. To understand more about this scenario, we asked more generically “Would you be happy to support a BYOD program at your place of work?”.
Out of those users surveyed, 22% stated that they would not be willing to do so, with 57% stating that they would (but only with an employer backed stipend or expense limit to cover all associated costs), and finally only 21% stated that they would support a BYOD policy at their own expense.
The results for both questions one and two show that the deployment of a ‘Bring’ your own device policy is much more challenging to realize than an optional ‘Buy’ your own device policy. This is predominantly due to user acceptance rather than technical reasons.
Even if an employee is using their own device for work purposes, an employer will still need to ensure that they have the most relevant and up-to-date software available to them on that device in order to be as efficient in their role as possible. Plus, following the explosion onto the market of endpoint management solutions, which generally incorporate automated patch and endpoint security tools, it has become very easy for employers to automatically update any device as soon as it connects to the corporate network.
Our next question – “If using your own device for work purposes, would you be happy for your employer to automatically download software to it via the network?” – was asked to determine whether or not employees would be happy for this to occur automatically if they owned the device themselves. 71% of those surveyed would be happy for this to happen, but of those nearly half (34%) would only agree if their employer had financially supported the purchase of the device in the first place. Nearly a third of those asked would want to have control over what software was downloaded to their device over the corporate network, and when.
PERSONAL DATA PRIVACY CONCERNS?
To understand why there is some perceived resistance towards a BYOD policy, we asked “If you were using your own device for work purposes, would you be concerned about personal data privacy (e.g. online banking, personal email account)?”.
51% of respondents stated that they would be very concerned about their employer’s ability to respect and protect their own personal data, with an additional 35% stating that they would also require some level of assurance from their employer.
The UK Data Protection Act (DPA) 1998 states “Appropriate technical and organizational measures shall be taken against unauthorized or unlawful processing of personal data, and against accidental loss or destruction of, or damage to, personal data.” Similar policies governing data protection are in place in the majority of countries worldwide, so if an organization were to transmit and store personally identifiable data about relevant persons (i.e. employees, customers, business partners) on a device that is not wholly governed by internal security policies, could it be in breach of the DPA and equivalent localized policies?
PLEASE CAN I SEE SOME IDENTIFICATION SIR?
One of the reasons BYOD has come into focus recently is that users are now using mobile devices as a single panel through which they carry out numerous everyday tasks, many of which were traditionally the domain of the PC. Tasks such as mobile banking, social networking, eLearning, document authoring and report analysis are already regularly being carried out on mobile devices due to their mobility, usability, screen resolution and high-speed network access. As a result, the number of both physical and virtual identities an average user holds and maintains whilst on the move has increased significantly. To understand to what extent these have increased, we asked “How many separate credentials, both physically and virtually, do you believe you currently hold and require to prove your identity in every context?”.
Approximately 51% of respondents stated that they currently held more than 20 separate identities, with 25% of that group stating that they held more than 50 separate physical and virtual identities. The remaining 49% of respondents stated that they currently held fewer than 20 identities. Even prior to the “computing age”, the total number of identities held by the average person was increasing dramatically. When you add to this the increased use of social networking, and Cloud-based and mobile services, it’s clear that users will need to hold, manage and protect an ever larger set of identities.
ESSENTIAL CONSIDERATIONS FOR A BYOD PROGRAM
Reviewing the results of our BYOD survey, we can conclude that whilst such a policy has a number of significant benefits and can deliver significant cost savings to organizations, there is still a great deal of work to be done with the end-user to ensure that their requirements and security concerns are factored into any process. Some of the main areas I perceive as requiring attention are:
- What would happen if the employee lost their device or it became faulty? Would they be provided with alternative device arrangements, and from whom?
- Who would be responsible for ensuring the device was properly insured?
- If the employer’s device updates happened to cause a fault within the user’s device, would liability sit with the employer or employee to resolve?
- Could the employer confiscate the employee’s device in the case of a security investigation to preserve evidence?
- Would the employee be permitted to continue to install any applications onto their own device that they saw fit to use, even if this device contained company data?
- Could the employer put sufficient safeguards in place to ensure they wouldn’t be in breach of relevant data privacy and protection policies?
- When communicating updates to and from an employee’s device, how could an employer BYOD platform avoid the generation of large data usage bills on the side of the employee?
- For organisational data that is made available to devices within a BYOD policy, how can confidentiality, integrity and accountability of the data be preserved whilst it is at rest and in transit?
- Through which process can employers demonstrate the continued protection of existing user data on a mobile device?
In order to provide a complete solution that responds to these areas, and which can deliver a BYOD policy with all its associated user efficiency, user engagement and cost improvements, there is a need for organizations to employ a holistic approach that encompasses business, technology, legal, and financial considerations. By working with tried and tested risk management, endpoint management and business intelligence reporting platforms, such as those within IBM’s portfolio, organizations can ensure that they deliver a BYOD policy that meets the needs of both the organization AND its varied user base, instead of simply introducing a point solution which only meets a limited set of existing technology requirements.
Along with many of its peers, Pirean sees the potential for a massive increase in the support for BYOD programmes, which take account of the new way in which users and organizations interact with their business data and processes. In the short term Pirean predicts that organizations will begin to offer support for ‘Buy Your Own Device’ policies, including the deployment of policies and platforms that support smartphones and tablets. Once established, Pirean believes that these policies and processes will evolve to support additional mobile and transient users other than employees who wish to ‘Bring their own device’, such as contractual staff, third party providers and business partners.
To conclude, whilst the advent of BYOD can initially appear a great proposition for businesses in terms of increasing employee efficiency and reducing costs, they must ensure that the introduction of any BYOD program in the workplace is properly thought out prior to introduction and all angles considered. Most importantly, they should involve their employees in the process and ensure that they are happy and confident with the policies being put in place, as ultimately it is this end-user buy-in which will lead to both success and a return for the employer.
FURTHER INFORMATION ON BYOD
What do you think? To join in the BYOD discussion, join the Pirean User Security Forum on LinkedIn.