Many companies are putting ‘Bring Your Own Device’ programmes in place, enabling staff to use their own mobile devices for work. This move, which has practically become a necessity, can bring real advantages but at the same time raises questions regarding security.
Policies enabling employees to bring personally-owned mobile devices to the workplace and use them to access privileged company resources such as email, file servers and databases - known as ‘Bring Your Own Device’ (BYOD) - are rapidly being formulated in many companies. Research carried out by Forrester for TrendMicro shows that 75% of all companies surveyed have begun to allow their employees to bring their own equipment to work and are formulating policies to cope with this ‘IT consumerisation’ trend. In the same vein, 60% of companies polled have already set up a programme related to mobile devices or plan to do so in the coming year. This finding comes as no surprise to Taher ElGamal, Chief Security Adviser at France-based software company Axway. "This trend is set to continue, driven primarily by individuals who as consumers spend more and more time on their smartphones," he explained to L'Atelier. However, this doesn’t mean that all companies are in a position to cope effectively with the trend. In fact, less than half (46%) of the companies that are planning to adopt, or have adopted, a BYOD programme have drawn up a formal protocol. The reason, according to Laurent Geray, Head of Techwatch & Business Innovation at Volvo IT France, an organisation which has implemented a system for integrating personal mobile devices into the company system, is that it might appear difficult to create such programmes. "Basically companies often suppose that a BYOD programme means a vastly expensive project, even though it actually brings reductions in support costs," he explains.
More productive workers
However, when an employee uses his/her own device this is likely to result in higher productivity - or at least 70% of all companies that have implemented this kind of programme cite that as a reason for doing so. And it’s a pretty good reason, reckons the Business Innovation Head at Volvo IT France, arguing that "when an employee uses his/her own equipment, that means s/he’s willing to use it more and in a better way - including for example using it outside the office." This view on the advantages is supported by the reasons companies give for putting their programme in place: firstly, to enable remote access to company data (63%); and secondly to facilitate the use of personal mobile devices for work (52%). These considerations should encourage companies to provide "the tools their employees need, especially easy-to-use tools, in order to respond to employee demands (…) because if they don’t, their staff will find their own way to access the data," warns Talher ElGamal. And this could give rise to security problems.
Lack of security thinking?
In fact, in spite of everything, a relatively small proportion (34%) of the companies surveyed have evaluated the security consequences of adopting BYOD programmes and only 37% have implemented a mobile device policy to protect company data and applications. Talher ElGamal thinks this is serious. When employees are bringing their own devices in to work with them, the company "needs to show special vigilance and should implement the full range of security solutions already available, such as staff awareness-raising and training with regard to sensitive and confidential data." But as far as Laurent Geray is concerned, the issue is much wider. "The problem is not that of the device - a USB stick can pose the same level of risk as document dissemination. What is needed is first and foremost a really comprehensive policy on data security, especially specifying which data is accessible and which is not,” he underlines. It is also noteworthy that 31% of companies which have adopted a BYOD programme have changed the way they reimburse staff telephone costs and 32% have changed the way they reimburse data download charges.