Where employees once enquired about private medical cover and company cars, now they may ask to work on their own iPhone or Android. It's a perk of the job that can boost productivity, but implement your 'Bring Your Own Device' policy incorrectly (or even pretend it's not happening) and it could cost you dear, say our experts.
Waking early one morning Cesare Garlati, vice president of mobile security at Trend Micro, reached for his iPad to check his email. It wouldn't turn on; the tablet was dead. Garlati later discovered his young son had tried one too many times to guess his password to play Angry Birds. Faced with an unauthorised access attempt the corporate security policy flung into action preventing sensitive data from reaching the wrong hands and deactivating Garlati's personal iPad in the process.
From an enterprise point of view the IT security systems held up and kept important information safe. The device too could be brought back to life and the corporate data restored. But as for Garlati's personal photographs, videos and music collection – they were gone.
It's Garlati's job to raise awareness of Trend Micro's security solutions but he offers the anecdote as proof of the security levels an organisation and its employees must be prepared to agree upon when implementing a Bring Your Own Device (BYOD) policy.
The appetite among employees to use their personal devices for work is growing. Of 100 business leaders surveyed at the Unified Communications Expo in London earlier this year 64 per cent said their employees wanted to use their own personal devices.
Driving this hunger is consumerisation – in other words the trend of new information technology being launched into and adopted by the consumer market before spreading to business. The iPhone, iPad, Galaxy Tab, Windows Phone and Android are all prime examples, and they risk making corporate-procured PCs and mobile phones look ancient.
There's no point trying to stop this drive towards BYOD, says Garlati. "Consumerisation is unstoppable and BYOD brings real business value but a lack of a strategic approach can create security risks, financial exposure and a management nightmare for IT departments."
Adrian Simpson, UK chief technology officer of software corporation SAP, believes employees want to match the personal device that suits their lifestyle to their work environment. BYOD allows employees to work at different times than they might normally, he says.
"They will work longer hours because they are able to interact with the systems that they need to at odd times of the day, and action workflow there and then rather waiting until the following day when they are in the office."
So how did we get to this stage? Three things are driving BYOD, says Garlati: the low cost of mobile devices, the simplicity of use and the availability of content. "There is no need to send your staff on training courses to operate smartphones."
Generation Y – those born after 1982 and perceived to be technology literate – has certainly made an impact. Garlati argues that young people coming into the workplace expect simplicity. They associate themselves with a certain device and feel embarrassed using ones that don't suit their lifestyle.
"Young people don't want to work for a company with a traditional IT department that says no to everything," says Garlati. "Being told to use a company-procured device is like being forced to wear corporate underwear. [Their argument is] the corporate doesn't tell me what underwear I put on and they don't tell me which device I use either."
Ian Foddering, chief technology officer and technical director for Cisco UK and Ireland, points to his own company's research which shows that offering a choice of device was an important consideration to potential employees.
"We found globally that 40 per cent of college students and 45 per cent of employees would accept a lower-paying job with a choice of device, than a higher- paying job with less flexibility," he says.
That is not to say older executives are ignoring the trend either. "The demand for BYOD is just as likely to be coming from your own executives and your own CEO returning from a trade fair in Hong Kong with a shiny new, super-cool gadget they want to use," says Garlati.
The changing role of IT
The employee demand for BYOD means IT departments are having to create a user- focused network. Huge demands are being placed on IT managers allowing access for a multitude of devices while maintaining a high level of security, performance and control, says Foddering. "The BYOD model will inevitably demand new support and operational structuring requiring businesses to plan and budget accordingly."
No longer the provider of technological services, says Garlati, IT will become a broker between your internal user base and external organisations offering the same services to your company that IT used to provide but at a much lower cost and a much higher scalability.
"They are no longer driving this innovation, they are coping with it. This innovation is not happening in the realm of corporate IT, the companies behind this explosion are not IBM, HP or Oracle, they're Google, Apple, HTC, Samsung, Amazon – and these are consumer brands," he argues.
Instead of being the gatekeeper IT should enable the internal demand. "The generation of CIOs who say no to everything in the name of corporate security are getting fired or retiring. They are like dinosaurs heading to extinction," he adds. "When I meet corporate clients I pay attention to where the CIO sits in the conference room. If the CIO sits on the same side as the business owner they don't ask how do I stop it, they ask how can you help me make it happen."
Sitting on the other side of the table, Garlati says, and pretending BYOD isn't happening only drives the practice underground. And it could be executives driving it. A Cisco survey of 1,500 IT managers and executives in the US, Canada, UK, France, Germany and Spain showed that while 48% of respondents said their company would never authorise employees to bring their own devices, 57% agreed some employees use personal devices without consent.
That could mean the choice of knowing BYOD is happening within your company while pretending it isn't, and giving the green light to a BYOD policy but putting strict security protocols in place. After all, says Garlati, corporates need to understand that consumer technology is not as secure and manageable as enterprise might expect.
"BlackBerry is a corporate platform for mobile. It ranks very high in terms of security. [Apple's mobile operating system] iOS, Android and Windows Phone rank further down," he says, referencing Trend Micro's research into the enterprise readiness of consumer mobile platforms.
He recommends IT departments map technologies and user profiles, keeping an up-to-date list of innovations happening in the consumer space, such as Android, tablets and file-sharing service Dropbox.
"You have to go out to your end users, look at the consumer space and figure out what is happening there. What's hot, what's new, what will hit your network in the next few months."
Garlati suggests defining user groups [of employees] based on roles, responsibilities and locations, and assigning each a security posture. "IT must do away with the single standard – procuring only the Windows laptop or BlackBerry mobile, for example – and adopt a flexible standard," he says. "Figure out the possible options for each category of user wanting to bring their own device. You're not saying no, but you're not saying yes to everything.
"A corporate may recommend, procure, pay for and provide desk support for BlackBerry but set limitations for using personal devices – reading email but not opening attachments, for example."
The trend witnessed by Simpson is of organisations wanting to assess what can be performed by devices. "It might be about you only allowing access to certain systems, information and apps you've put on to those devices rather than exposing everything from an organisation," he says.
Another approach is to lock down the choices of personal devices allowed under the BYOD policy. "The danger is having to make sure you are up with the trends in the marketplace and what people are expecting to use rather than what's convenient for your IT organisation."
This article originally appeared on our sister site BusinessZone, the UK's leading resource for SMEs and entrepreneurs
