BYOD Security and Costs
A survey finds cause for concern over breaches and best practices, while enterprise execs see good news in terms of cost.
I've been bashing BYOD lately, so I thought I should share the results of some recent research that paints a somewhat mixed picture of the attitudes toward BYOD on the part of IT managers and CIOs. The data comes from a report by researchers at Decisive Analytics, commissioned by Trend Micro.
The bottom line is that the report shows these decision-makers to be pretty open to and positive about BYOD--even though many acknowledge the potential drawbacks of BYOD.
Decisive Analytics surveyed two groups of CIOs and IT execs, each made up of 436 enterprise decision-makers, primarily senior-level IT execs, with about a couple dozen CIOs in each group. One group was surveyed last January, the other in April. The respondents were located in three countries: The U.S., UK, and Germany.
The survey found that 80% of the U.S. executives said their companies allow BYOD, while the UK and Germany numbers were slightly lower. One noteworthy finding: 80% of the respondents' companies have implemented Virtual Desktop Infrastructure (VDI), i.e., thin clients, to serve BYOD.
The most problematic findings centered around security. Almost 90% of the respondents' companies "apply an IT security policy to employee owned devices that access the company network," and more than 80% require employees to deploy security software to reside on their personal devices. That's the good news. The bad news is, it's not clear that this focus on security is translating to more-secure BYOD-enabled networks.
In the survey, "Nearly half of companies that permit BYOD reported experiencing a data or security breach as a result of an employee-owned device accessing the corporate network (46.5%)," according to Decisive Analytics. There seems to be some suggestion in the report that deployment of security software has been in response to security breaches, meaning that in theory such breaches might start to decline as security is hardened. But there's no guarantee of that, and the 46.5% number is pretty sobering.
There was also an odd and troubling data point in the next paragraph of the report: "Companies did say that they have a policy of remotely wiping a mobile device both when it is lost and upon employee separation (35.5%), while some do so only in the case of a lost device (23.3%)." So in other words, more than three-quarters of enterprises don't do a remote-wipe when an employee leaves their company, and almost two-thirds don't do it when the device is lost? That seems like a serious lapse.
The reason I characterized this report as "mixed" in its picture of BYOD is that, in addition to the large numbers allowing BYOD, the report is fairly upbeat about the cost element. The biggest development in the recent BYOD backlash was the claim by IBM's CIO that BYOD actually cost the company money to implement and harden. However, the Decisive Analytics survey found IT executives believing that BYOD was either a cost saver or cost-neutral; 39.3% said costs decreased with BYOD, and another 23.3% said costs stayed the same.
Reasons cited for the cost decrease were lower capex (since users provided their own devices), "lower desktop tech support costs (31.3%), and higher employee productivity (29.6%)." Those who saw higher costs cited tech support as a factor driving costs up, along with the need to purchase VDI infrastructure and other software.
I think this study indicates how much uncertainty remains in the BYOD world. There are clearly more security breaches than we should be comfortable with, despite some efforts to prevent them. And costs may be lower, though I think it's still too early to tell whether this will continue to be the case as the cost of wireless data plans rises for end users, who may be inclined to push for reimbursement of the newer, higher rates.