The bring-your-own-device (BYOD) phenomenon is now in its fifth year, ancient by technology standards but new by corporate management timelines. But is it a trend or a fad? Various surveys say yes to both, leaving IT and business folks alike confused.
For example, a recent CompTIA survey suggests that BYOD is waning at companies, yet every analyst firm's survey shows it has been steadily growing, now the norm at 70 percent or more of companies and for more than half of all users.
Several factors muddy the underlying trends. If you filter out the mud, you'll see the clear trends.
Though it's a well-established phenomenon, BYOD remains a highly emotional, contentious issue in many IT organizations, which fear loss of control, security breaches, and compliance and compatibility nightmares.
It's not contentious or controversial for most users. Users simply want IT to get out of the way of them doing their jobs, and smartphones and tablets are now part of how many people do their jobs. Just as they have long checked email on their home computers and done personal email and Web activities on their office PCs, they now use smartphones and tablets for the same tasks.
Many companies actually steer users to BYOD, because they're too cheap to issue smartphones and tablets themselves but expect employees to be connected and accessible 24/7. Guess where that leads?
The official line versus the operational reality
Many IT organizations don't like BYOD, so they don't support it. That shows up as the official line in many IT surveys on BYOD. But the official line isn't reality.
At many organizations, IT turns a blind eye to user practices as long as they cause no harm. For example, the policy says you can't use your home PC to check email, but of course you can. Or you can't copy files to a personal device from your office PC, but of course you can.
IT can't control and monitor everything, so it focuses its resources where they actually matter. That's supremely rational. But to satisfy compliance requirements or policies driven by HR or legal, IT will report the official truth: No, we don't support home use or BYOD or data copying or whatever. The fact that IT doesn't support it doesn't mean it doesn't happen (wink, wink).
Let's be honest: IT often doesn't know what users really do. IT is not all-seeing and all-knowing. In benign organizations, IT will practice benign neglect on elements that aren't problems and unlikely to be. In dystopian organizations, users will go underground to avoid IT, HR, and so on.
Even when IT does know, it can't always admit it. There may be corporate policies, industry compliance standards, or legal requirements that aren't practical to enforce. Since no one can fix the requirements and they'll get fired if they don't do them, they pretend to do them. That false truth shows up in surveys.
Either way, IT surveys aren't likely to show the reality. Don't put too much stock in what they say about broader user trends or practices,
BYOD hasn't been the claimed security and compliance risk
The CompTIA survey is a great example of confusing official policies with reality. It claims BYOD is fading because fewer companies are putting together BYOD policies, Somehow, that means BYOD is lessening. No, it means the risks of BYOD aren't high enough for an increasing number of companies to spend resources on policy creation, management, and enforcement.
I get pitches all the time from vendors claiming poor adoption of mobile management tools and saying that BYOD policies threaten the very existence of companies today. That's baloney. After five years of broad BYOD, we would have encountered such fails -- but we haven't. The Chicken Littles need to return to their roosts.
If you check the public breach reports, you'll see that smartphones and tablets, as well as personal cloud services like iCloud, Google Drive, Box, Dropbox, and Microsoft OneDrive, are extremely rare as the breach vector -- a handful of incidents out of thousands. As I've said many times, the big risks are PCs (especially laptops) and thumb drives.
Ban those and you'll be safe from all but the NSA, GCHQ, Chinese government, and Russian mob. (Well, encrypt those and you'll be safe.) It's even better to use a secured cloud service so that people don't need to copy data to thumb drives or lug their laptops between home and work every day. (Laptops left in a car or café are the most common PC-oriented breach vectors).
It's quite easy for companies to protect themselves from the actual BYOD risks:
First, implement the basic Exchange ActiveSync policies on your email. You should require encryption (which iOS devices have turned on by default, and it can't be turned off) and reasonable passwords. I recommend that you use a real mobile management tool; there are plenty of good ones to choose from.
By the way, you should manage BYOD devices the same as you manage corporate-issued units. After all, it's the same data and access either way.
Second, have at least a simple BYOD policy. It should remind users that any corporate data stored on personal devices are subject to inspection and deletion, personal information that travels through corporate systems are not private and may be read by the company, and using personal devices for corporate work when not required is at the employee's discretion and risk. I also recommend that you have a more complete BYOD policy, but at least do the basics.
By the way, your policies on use of and access to corporate resources should be the same for BYOD and corporate-issued mechanisms. After all, it's the same stuff you're trying to protect and assure compliance for.
Third, pay for devices used by employees that are necessary for their jobs. For those who use the devices in their core, ongoing work, issue them smartphones and tablets as you do PCs. That's not only fair, it makes it clear who owns the equipment and the data on it should there be an issue, such as with departing execs. (If it's really only an employee convenience, that's what BYOD is for.)
At the very least, pay for a reasonable portion of their access costs if they (or you) insist on using only one device for personal and work needs. Again, it formalizes your claim to the data on those devices and the applicability of your corporate policies to them.
Forget the surveys, and simply do what's right for your organization.