BYOD savings may be lost by security and admin costs

Monday, November 12, 2012

Rainer Enders


There is a difference between enabling a mobile workforce and enabling a BYOD (bring-your-own-device) workforce.

Companies need to mobilize, that is without question -- but for too long BYOD has been treated as nearly synonymous with this effort. In reality, BYOD is just one of the ways enterprises can mobilize, and in many cases it is neither the most secure nor necessarily the most cost-efficient way to do so.

The Aberdeen Group found that BYOD, on average, costs companies 33 percent more than adopting a company-owned device policy. This is particularly surprising because, at first glance, BYOD seems to be the ultimate cost saver.

Your employees buy their own devices, equipping themselves with the resources needed to be mobile. The ROI seems incredibly high because there is very little initial investment. The problem arises when companies jump on the BYOD bandwagon without properly assessing the associated costs and the risks that come with them.

After all, it's foolish to believe BYOD, a drastic departure from typical corporate protocol, comes without costs.

For one, BYOD requires significant cross-departmental overhead to ensure that everyone involved in employee administration is on the same page. This includes executives from IT, human resources, finance and other different departments.

If an enterprise has a particularly mobile sales force, which many companies do, then the head of that division needs to be on board, as well. Accordingly, rules and protocols need to be developed, refined and then implemented in order to educate employees on the proper use of their now hybrid personal/professional devices that will be with them at all times. In order to coordinate and execute these protocols, time must be taken from all departments -- time that could be devoted elsewhere.

Security is another serious and costly concern for companies adopting a BYOD culture. Enterprises need to protect themselves from employees unwittingly exposing company data to insecure networks and to people outside the organization.

Because so many individuals own multiple mobile devices these days, a single employee could conceivably access an employer's corporate network from upward of a half-dozen different devices. This makes developing the protocols around BYOD exceedingly complicated.

If security is a priority, then VPN software will be an absolute necessity. This requires locating a VPN client that works properly across a wide range of devices and operating systems. Then, depending on the type of software used, it may mean installing and maintaining that client on every device an employee plans to use, from an iPhone to a home desktop.

Bear in mind that even under the most stringent security controls, employees in BYOD cultures may believe it is acceptable to access sensitive information from, say, a friend's computer or a public terminal, leaving the network particularly vulnerable in the process. A VPN protects the connection, not the untrusted endpoint behind it.

This raises some essential questions: Who is responsible for the damage incurred when company security is compromised via an employee-owned device? Who determines who is responsible? What is the proper sanction? These need to be answered, especially if the compromised information has legal ramifications.

Then, of course, there is the issue of employees leaving the company. Where does a CIO draw the line between respecting a former employee's privacy and mandating that personal devices be inspected or wiped, so that he or she does not leave while still able to reach the company network and its documents? For companies that embrace mobility through employer-issued devices, these questions do not arise.
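The two operational problems above (many devices per employee, and revoking a departing employee's access without touching a personal device) both come down to knowing which devices are enrolled and being able to revoke them. The following is an added example, not code from the original article, of a minimal device-enrollment registry with per-device credentials: a valid user credential alone does not get in from an unenrolled machine such as a friend's PC, and offboarding revokes every device the user enrolled. All users, device IDs and the Registry API are constructed for illustration.

```python
"""
Added example (not from the original article): a minimal device-enrollment
registry with per-device, revocable credentials. All names, users and
device IDs below are constructed for illustration.
"""
from dataclasses import dataclass, field
import hashlib
import hmac
import secrets


@dataclass
class Device:
    device_id: str
    owner: str
    token_hash: str       # only a hash of the per-device token is stored
    revoked: bool = False


@dataclass
class Registry:
    users: dict = field(default_factory=dict)    # user -> active flag
    devices: dict = field(default_factory=dict)  # device_id -> Device

    def add_user(self, user):
        self.users[user] = True

    def enroll(self, user, device_id):
        """Issue a per-device token. Returned once; only its hash is kept."""
        if not self.users.get(user):
            raise ValueError("unknown or inactive user")
        token = secrets.token_hex(16)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self.devices[device_id] = Device(device_id, user, digest)
        return token

    def authorize(self, user, device_id, token):
        """True only for an active user on an enrolled, unrevoked device of theirs."""
        dev = self.devices.get(device_id)
        if dev is None or dev.revoked:
            return False  # never enrolled (e.g. a friend's PC) or already revoked
        if dev.owner != user or not self.users.get(user):
            return False  # token presented by the wrong user, or user offboarded
        presented = hashlib.sha256(token.encode()).hexdigest()
        return hmac.compare_digest(dev.token_hash, presented)

    def offboard(self, user):
        """Disable the user and revoke every device they enrolled; returns count."""
        self.users[user] = False
        revoked = 0
        for dev in self.devices.values():
            if dev.owner == user and not dev.revoked:
                dev.revoked = True
                revoked += 1
        return revoked


def demo():
    """Walk through enrollment, an unenrolled endpoint, and offboarding."""
    reg = Registry()
    reg.add_user("alice")
    t_phone = reg.enroll("alice", "alice-iphone")
    reg.enroll("alice", "alice-laptop")
    results = {}
    results["phone_ok"] = reg.authorize("alice", "alice-iphone", t_phone)
    # Valid user and token, but from a device that was never enrolled
    results["friend_pc"] = reg.authorize("alice", "friend-pc", t_phone)
    # Phone token replayed from a different enrolled device
    results["wrong_device"] = reg.authorize("alice", "alice-laptop", t_phone)
    # Departure: both devices revoked in one step, no device scan needed
    results["revoked"] = reg.offboard("alice")
    results["after_offboard"] = reg.authorize("alice", "alice-iphone", t_phone)
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the credential is bound to the device, not just the person, so the "friend's computer" case fails closed without any policy decision at the time of access, and offboarding is a registry operation rather than an argument about inspecting someone's personal hardware.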

This is not to say that BYOD should be outright banned or wholly discouraged. Rather, CIOs, particularly at companies with high-risk profiles, should consider investing in company-owned mobile devices for issuance to employees. Doing so allows greater oversight of the entire network and a higher baseline of security.

Unlike in BYOD environments, the CIOs could dictate which devices and operating systems are used across the company, in addition to standardizing applications installed for remote access. There would certainly be an initial investment in devices, but this might be offset by fewer hours spent on security implementation and coordination between departments. And the bottom line is, eschewing BYOD leaves enterprises with more control over what happens with -- and on -- the devices rightfully owned by them.

Mobility is no longer an option. It is a requisite for survival. And with the incredible advances made in handheld devices over the last decade, there is an undeniable pull toward employees using their own resources to work from home or the road -- and an even stronger pull to indulge in these perceived cost savings.

And while trends as powerful as BYOD should not be ignored, their consequences should, at the very least, be fully considered.
