The Need for IT Get in Front BYOD Problem

  • 7/28/2019 The Need for IT Get in Front BYOD Problem

    2012 Osterman Research, Inc. 1

    The Need for IT to Get in Front of the BYOD Problem

    EXECUTIVE SUMMARY

    Wikipedia defines Bring Your Own Device (BYOD) as the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers and databases as well as their personal applications and data. [i]

    Hidden within and implied by that seemingly innocuous definition are a number of quite serious problems for corporate IT departments and organizations in general:

    Separate ownership of the platform used to create and store data and the data itself. This separation of ownership can make it more difficult for IT to access content on mobile devices in a timely way, if at all.

    The reduced control that IT has over devices and data with regard to encrypting content, retaining it in corporate archiving systems, deleting it in the event a mobile device is lost, and otherwise managing content and devices in accordance with compliance and other obligations.

    The potential for personal applications to create security risks, such as through loss of sensitive data or by the introduction of malware into the corporate network.

    THE PROBLEM IS SERIOUS

    As shown in the following figure, nearly three out of five organizations believe that BYOD represents a problem for their organizations; we anticipate that as the trend builds over the next 24 months, the problem will become much more serious.

    Perceived Seriousness of the BYOD Problem

    KEY TAKEAWAYS

    BYOD is pervasive: employees in 82% of organizations are using personally owned smartphones and/or tablets to access corporate systems like email, databases and various applications.

    BYOD offers some benefits as a means of potentially reducing corporate costs and improving employee morale and job satisfaction.

    However, there is substantially more downside risk from unmanaged BYOD in a number of areas: support for these devices is more difficult than it is for company-supplied devices, the cost of managing mobile devices can actually go up, content management becomes more difficult, network and application security are placed at higher risk, and corporate governance can become very difficult to manage.

    All organizations should develop a BYOD strategy, implement the appropriate policies to manage personally owned devices, and deploy the technologies that will enable enforcement of these policies.

    ABOUT THIS WHITE PAPER

    This white paper discusses the results of an in-depth survey conducted for Quest Software (now a part of Dell), the sponsor of this white paper. This paper also provides an analysis of the BYOD problem and what organizations should consider doing to mitigate the risks and realize the benefits associated with it.

    The survey for this white paper was conducted during July 2012 with members of the Osterman Research survey panel. A total of 162 surveys were completed across a wide range of industries. The organizations surveyed have a mean of 13,135 employees and 11,463 email users (the medians are 1,500 and 1,200, respectively). Smartphones are employed by a mean of 46% of the email users in the organizations surveyed; iPads and other tablets are used by 14%.

    BYOD IS BECOMING A SERIOUS ISSUE

    WHAT DO WE MEAN BY BYOD?

    The Bring Your Own Device (BYOD) phenomenon is the increasingly common practice for employees to use their own smartphones, tablets, laptops and other computing platforms and applications to access corporate systems like email and databases; and to create, store and manage corporate data using these devices. For example, Osterman Research has found that business email and Web browsing are the most common tasks for which mobile platforms are used (employed by 99% and 93% of users, respectively). However, use of personal social media, corporate social media and the storage of business-related documents are also common.

    PERSONAL DEVICES ARE INFILTRATING CORPORATIONS

    As shown in the figure below, company-owned devices of various types are widely used for work-related purposes; not surprisingly, our research showed that 100% of organizations supply one or more computing platforms to their employees. However, our research also found that in 82% of the companies surveyed, personally owned devices are used alongside company-supplied devices. While a majority of employees are not yet using personal devices to access corporate systems, four out of five companies are part of the BYOD trend to varying degrees.

    Percentage of Employees Using Various Platforms for Work-Related Purposes

    WHY IS BYOD GROWING SO QUICKLY?

    The BYOD phenomenon is being fueled primarily by four trends:

    Employees want the latest and greatest
    Employees often want the latest and highest performance hardware (better and newer devices than their employer provides for them) across a variety of platforms: desktop PCs, smartphones, tablets, etc. This is due in part to the fact that decisions about personal devices are not constrained by the return-on-investment and limited budget considerations that often limit IT decision-making. Moreover, individuals are generally freer to make impulse purchases in response to the latest and greatest hardware announcements; IT departments typically make more well-informed and more thoughtful decisions about purchasing capital equipment and do so during normal, and less frequent, hardware refresh cycles. In short, individuals who buy new hardware for themselves are not constrained by the need to make a business case for their purchases.

    Telework
    A growing number of employees work at home as part of telework programs and so are not as constrained by their IT department about downloading and installing applications that may or may not have been vetted for use on the corporate network. In other words, the distance between an employee and a corporate IT department is inversely proportional to the control that IT can exert on that employee.

    IT is strapped for cash
    Many IT departments often cannot afford all the tools that users need; the vetting process for these applications is too slow to meet users' expectations; or the IT department simply does not allow certain tools to be used because of concerns over corporate security, the potential for data breaches, etc.

    The blurring of work and personal life
    Many employees are happy to enable, or are at least willing to accept, a blurring of the distinction between their work and personal lives. This has been borne out by Osterman Research surveys that demonstrate that the vast majority of employees bring work home with them, access corporate email after hours and on vacation, and so on.

    WHY BYOD CAN BE A GOOD THING

    There are three basic benefits that BYOD can provide:

    Corporate costs can be reduced (maybe)
    At least in the short term, corporate costs can be lowered by employees funding some or all of their mobile device and cloud-based application requirements. For example, while many employers will pay for employees' mobile devices outright, some provide only partial reimbursement, if that. For example, an Aberdeen Group study found that carrier costs for employee-owned devices are $10 per month per device lower than if the company owns the device [ii]. Moreover, a comScore MobiLens study of BlackBerry users in late 2011 found that 22% of employers provide only partial reimbursement for users' devices [iii].

    Employee morale can be improved
    There is some evidence to suggest that when employees are permitted to choose their own mobile device their job satisfaction can be higher. For example, an Aberdeen Group study found that 61% of companies that permit employees to use their own mobile device experience higher employee satisfaction [iv].

    Organizations can keep up with the latest and greatest
    Many IT departments have been subjected to frozen or declining budgets over the past few years, particularly since late 2008. The result is that many have not had the funds available to supply their employees with more advanced smartphones and tablets. Because many employees are willing to supply these devices themselves, IT departments are often spared the expense of supplying employees with cutting-edge tools that can make them more efficient.

    WHY BYOD CAN BE A BAD THING

    COSTS CAN INCREASE WITH BYOD

    An analysis conducted by the Aberdeen Group found that a 1,000-seat organization can spend an additional $170 per user per year when using BYOD compared to providing smartphones themselves [v]. However, BYOD can lead to other, potentially enormous costs. For example, if a company-owned smartphone that contains customer data is lost and it cannot be remotely wiped, in most cases an organization will be obligated to report this data breach to all of the affected parties. If we assume, as Osterman Research discovered in another survey, that 69% of company-owned devices can be remotely wiped compared to only 24% of personally owned devices, then the likelihood of losing data for the latter and the cost of the data breach will be 2.9 times greater.

    SUPPORT BECOMES MORE DIFFICULT WITH BYOD

    Our research found that most organizations do not fully support their mobile users. As shown in the following figure, only one-third of organizations support mobile users as they do users of more traditional parts of the IT infrastructure like desktop PCs or laptops.

    Moreover, as shown in the next figure, support from IT and help desk is more difficult and more onerous for employee-owned than it is for company-owned devices. This is due to a variety of factors, not least of which are the wide variety of smartphones and tablets that users will employ, the different operating systems in use, different firmware versions in use, and the wide range of personal applications that are installed on the devices, some of which may represent a security threat.

    What is your current practice or near-term plan for supporting mobile devices and applications?

    Ease/Difficulty of Managing Company- and Employee-Owned Devices
    % Responding Difficult or a Real Pain for Us

    43% of organizations put executives on the A list for mobile device and application support, but provide only best effort for everyone else.

    CONTENT MANAGEMENT BECOMES MORE DIFFICULT

    Mobile devices contain a growing proportion of corporate data. For example, Osterman Research has found that more than 5% of corporate data is stored just on users' smartphones and tablets [vi]; we expect this figure to increase dramatically during the next 24 months as iPads and other tablets are employed in much larger numbers than they are today. Employee-owned devices make access to this data by corporate IT or compliance departments much more difficult, such as when data must be gathered during an eDiscovery exercise. This is not only because of the difficulty that might be encountered in physically accessing these devices, but also because of the potential privacy and other legal issues that are raised by companies accessing their employees' personal property. This is particularly true in those jurisdictions that place a heavy emphasis on employee privacy.

    However, knowing what data exists on mobile devices is much more difficult for IT when the devices are employee-owned than when they are under IT's control. This is particularly difficult for legal counsel and others that must assess the information that the organization has available to it during eDiscovery, early case assessments, legal holds and similar types of litigation-related activities. Moreover, the probability of spoliation of content when stored on personally owned devices is much greater simply because it is not controlled by an IT or compliance department.

    Legal holds can be particularly problematic in a BYOD environment. When data that might be required in a legal action must be set aside from the normal deletion cycle or from users' manual deletion, it is critical that an organization immediately be able to preserve all relevant data, such as emails that might need to be produced during trial or pre-trial activities. Placing a hold on mobile data may be more difficult than it is for traditional systems and much more difficult when it is located on devices that are under the control and ownership of individual employees.

    NETWORK AND APPLICATION SECURITY BECOME RISKIER

    Another threat introduced by BYOD is that personal devices used to create, access and store corporate data will normally bypass inbound content filtering systems that IT has deployed in the corporate network. One result of this is a potentially greater likelihood for malware intrusion, particularly for Android devices. For example, F-Secure found that for the 12-month period ending in the first quarter of 2012, the number of new Android-focused malware families and variants had increased from 10 to 37, and the number of malicious Android-focused application package files had increased from 139 to 3,063 [vii].

    Further, personally owned devices will normally bypass DLP and related systems, possibly resulting in more violations of corporate and regulatory policies focused on encrypting content or preventing disclosure of sensitive information. For example, researchers in a UK-based study acquired 49 mobile devices that had been resold through secondary markets; forensic examination of the devices resulted in the discovery of information on every device and a total of more than 11,000 pieces of information collectively from all of the devices [viii].

    Evidence of the security threat that BYOD creates in most organizations comes from other research that Osterman Research conducted during 2012. For example, we found that in organizations with at least 100 employees:

    44% of company-owned smartphones and 38% of company-owned tablets can be scanned for malware. However, only 10% of personally owned smartphones and 9% of personally owned tablets can be similarly scanned.

    69% of company-owned smartphones can be remotely wiped if they are lost, but only 24% of personal smartphones can be wiped. Similarly, 54% of company-owned tablets can be remotely wiped versus only 21% of personally owned tablets.

    GOVERNANCE CAN BECOME A SERIOUS PROBLEM

    Just about every organization must comply with a variety of obligations to protect, retain and manage their business records wherever they may be found, whether on corporate systems managed by IT or on personal devices owned by employees. These obligations, which are focused primarily on the archiving, encryption and monitoring of certain types of content, include the following:

    The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare and other organizations to protect sensitive health records of patients and others. However, the new HIPAA that took effect during the first quarter of 2010 greatly expands the impact of the law. For example, while HIPAA previously applied mostly to physicians, medical practices, hospitals and the like, now the business associates of these entities will be required to comply with HIPAA's rules about the security and privacy of protected health information (PHI). That means that accountants, benefits providers, attorneys and others that are given access to PHI will now be fully obligated to comply with HIPAA.

    The Federal Rules of Civil Procedure obligate organizations to manage their data in such a way that it can be produced in a timely and complete manner when necessary, such as during legal discovery proceedings.

    Electronic recordkeeping rules established by the SEC, FINRA, FSA and other regulatory bodies are focused on financial services organizations' obligations to monitor and archive communications between registered firms and their customers.

    It is also important to note that firms registered with FINRA and the SEC are required to archive and monitor communications made using smartphones, whether company or personally owned. For example, FINRA Regulatory Notice 07-59 [ix] states a firm should consider, prior to implementing new or different methods of communication, the impact on the firm's supervisory system, particularly any updates or changes to the firm's supervisory policies and procedures that might be necessary. In this way, firms can identify and timely address any issues that may accompany the adoption of new electronic communications technologies.

    The Payment Card Industry Data Security Standard is a set of requirements for protecting the security of consumers' and others' payment account information. It includes requirements for building and maintaining a secure network, encrypting cardholder data when it is sent over public networks and assigning unique IDs to each individual that has access to cardholder information.

    The Sarbanes-Oxley Act of 2002 obligates all public companies and their auditors to retain relevant records like audit workpapers, memoranda, correspondence and electronic records, including email, for a period of seven years.

    The Gramm-Leach-Bliley Act requires financial institutions to protect sensitive information about individuals, including their names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.

    Federal Energy Regulatory Commission Order No. 717 imposes various rules on regulated and vertically integrated utilities so that transmission providers do not give preferential treatment to their affiliated customers. The purpose of this order is to create an ethical wall between the marketing and transmission functions of vertically integrated companies that distribute electricity and natural gas between states.

    Fundamentally, BYOD makes compliance with these and other obligations much more onerous because of the greater difficulty associated with finding, retaining, encrypting, wiping and otherwise securing corporate data.

    WHAT SHOULD YOU DO ABOUT BYOD?

    FIRST OF ALL, REALIZE WHAT'S GOING ON

    Before the BYOD problem can be brought under control, decision makers must understand just how pervasive it is in most organizations. While most senior managers will surmise that some of their employees are using personally owned smartphones and tablets (given that senior managers often were the catalyst of the trend after the introduction of the iPhone in 2007), they may not appreciate just how widespread this use has become. Senior managers need to understand how personally-owned smartphones and tablets, as well as tools like personal file sync services or Skype, are used throughout the organization, what types of data they are used to access and store, and the reasons for their use.

    DEVELOP BYOD POLICIES

    Next, decision makers faced with controlling BYOD should implement policies about acceptable use of devices and applications, perhaps creating a list of approved devices, operating systems, applications and other personally owned or managed solutions. These policies should be detailed and thorough, and should be included as part of an organization's overall acceptable use policies that are focused on use of corporate computing resources. However, as shown in the following figure, more than two in five organizations have yet to develop a formal, documented strategy for BYOD.

    Which of the following best describes your BYOD strategy?

    One of the most important corporate policies for mobile devices should be that any mobile device can be wiped by the IT department in the event of its loss, and that all devices that contain corporate content should be encrypted to prevent the loss of sensitive data or intellectual property.

    Faced with a requirement to eliminate use of personal devices or applications, many employees will continue to use them secretly anyway, particularly those employees who work from home at least one day per week.

    EMPLOY YOUR USERS AS YOUR FIRST LINE OF DEFENSE

    Users should be educated about best practices for accessing and managing corporate data on personally owned devices or when using specific applications. An important reason for doing so is not only to make employees aware of the dangers that can result if corporate data is not adequately protected, but also to achieve employee buy-in and cooperation with corporate policies.

    DEPLOY TECHNOLOGIES THAT WILL ENABLE YOUR POLICIES

    It is imperative that organizations deploy the appropriate technologies, such as mobile device management solutions, that will enable their policies to be enforced and overall corporate risk to be managed at an appropriate level. For example, an organization that allows employees to use their own tablets should deploy a solution that enables full disk encryption, under IT's control, that will protect sensitive data if the device is lost. Other technologies that should be on the short list of those deployed include anti-virus, malware detection and remediation, role-based access, content inspection and archiving; these apply to both personally owned devices and employee-managed applications.

    ABOUT DELL

    Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.dell.com.

    MESSAGESTATS

    It is critical to know the extent of personally owned device usage in your corporate environment; ignoring it means that your sensitive data may be living in thousands of different places and devices, all of them outside of the control of your IT department and your carefully designed security.

    The mere thought of inventorying and assessing all of the personally owned devices in your environment may seem overwhelming. MessageStats from Dell can help. MessageStats gathers intelligence about your entire messaging infrastructure (including Exchange, BlackBerry, OCS/Lync Server, OWA, Windows Mobile/ActiveSync and more) with one solution, visible from a single console (i.e., "a single pane of glass").

    It is not uncommon for users to have multiple devices that are being used for business purposes. MessageStats lets you know when new devices are activated, as well as who is using them. You will also be able to identify the number of devices in use by each user, as well as the carrier. MessageStats identifies all users and their devices, as well as reports on active use and if policy updates have been applied.

    Learn more at www.quest.com/messagestats

    MOBILE IT

    After your BYOD strategy is in place, consider enabling IT staff and users to access important applications on their mobile devices. Use Mobile IT to administer Dell solutions or enhance the value of other third-party applications such as your help desk management software, HR processing system, internal change management system, etc. By enabling secure access to critical applications from a mobile device, Mobile IT delivers the mobile administration and remote management that organizations need today. With IT applications at the heart of business operations, IT shouldn't be tied to desktop applications; instead they need a way to handle issues as they arise, whether or not they're in the office.

    Mobile IT delivers the mobile admin functionality IT administrators need to do their jobs, no matter where they happen to be. With Mobile IT, you can:

    Get alerts
    Be alerted about events and issues via proactive notifications on mobile devices. You can stay connected and assess issues even while you're not on site.

    Take action
    Initiate actions within your applications from your mobile device. You can respond faster to business requests and execute tasks while mobile, which reduces costly delays.

    Run reports
    Run reports that put your alerts into context, enabling you to make informed decisions while mobile. For example, you can see what recent changes might have caused users to lose access to data they need.

    Learn more at www.Quest.com/Mobile-IT

    2012 Osterman Research, Inc. All rights reserved.

    No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc.

    Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document.

    THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.

    [i] http://en.wikipedia.org/wiki/Bring_your_own_device#cite_note-0
    [ii] http://www.xigo.com/byod/
    [iii] http://www.bgr.com/2012/01/27/blackberry-users-are-older-and-wealthier-than-average-smartphone-users-study-suggests/
    [iv] http://www.xigo.com/byod/
    [v] http://www.vcinsight.com/116/ExecutiveIntervierws/807/ToBYODornottoBYODthatisthequestion!
    [vi] Unpublished Osterman Research survey data, October 2012
    [vii] Source: Mobile Threat Report Q1/2012, F-Secure
    [viii] Electronic Retention: What Does Your Mobile Phone Reveal About You? http://EzineArticles.com/7068075
    [ix] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p037553.pdf