About 60 percent of organisations acknowledged they either don’t have a policy that specifies how employees may use their own devices in the workplace (41 percent) or are just planning to write such a policy, a study released on Wednesday from Acronis and the Ponemon Institute has found.
“Even though we’re still in the early stages of BYOD [Bring Your Own Device], companies are playing catch-up to where their users are,” Anders Lofgren, director of Mobility Solutions for Acronis, told CSOonline.
Even as recently as three years ago, IT departments had an iron grip on the endpoints to their networks. “They could secure and provision a fixed device that was procured by the enterprise,” said Ben Gibson, chief marketing officer for Aruba Networks.
Now IT has to deal with many devices being brought to work by employees. “Enterprises and IT organisations are in the process of catching up with this trend,” Gibson said.
Slow adoption of BYOD policies by companies could be a sign of denial, said Steve Martino, vice president of information security and acting CISO of Cisco. “If a company doesn’t have a BYOD policy, it’s because they’re trying to pretend this isn’t happening in their organisation,” he said in an interview. “They think that if they don’t have a policy, BYOD isn’t happening in their organisation.”
Of the companies with BYOD policies, almost three quarters of them imposed highly restrictive policies on their workers by either requiring personal devices to be approved by the company before being allowed to access the firm’s networks (43 percent) or banning personal devices from company nets (31 percent).
Those numbers could be misleading because there are industries where launching BYOD programs is severely limited, such as banking, pharmaceuticals, health care and defence. “But those barriers are breaking down,” Acronis’ Lofgren said.
While it may be necessary to restrict BYOD in some industries dealing with highly sensitive data, it isn’t necessary for most rank-and-file office workers, said Cisco’s Martino.
“For the basic white-collar productivity worker, companies can see real benefits from a BYOD programme,” Martino said. “By forbidding BYOD, you encourage people to work around the policy.”
“Then, because you have controls that say you can’t use it, you think you’re protecting your data,” he said. “When actually you’re limiting your effectiveness to identify and control security incidents when they happen.”
“Forbidding BYOD is more trouble than having a controlled policy to adopt it,” Martino said.
Cross-country attitudes could also be affecting a company’s ability launch full-bore BYOD programmes. “Some countries have strict cultural policies about whether you can bring a personal device to work or not,” Aruba’s Gibson said.
Nevertheless, it will be increasingly difficult for any organisation anywhere in the world to ignore BYOD. “I believe all industries will be moving toward BYOD because the consumerisation of IT trend is one that will become prevalent,” Gibson maintained.
Nearly three-quarters of the companies with BYOD policies (73 percent) told surveyors that they applied their BYOD policies equally to everyone, although about a quarter of the businesses said they made exceptions to their policies for executives and privileged users.
Of the more than 4,300 IT practitioners participating in the survey, more than three quarters (77 percent) said their organisations had not trained their employees to understand BYOD privacy risks.
“What might happen is an employee may try to access their files with their smartphone or tablet and use unauthorised methods to do that,” Lofgren said.
“That will expose some of these organisations to risk, whether they know it or not,” he said.