Bring-your-own-device programs are everywhere now and that is giving execs plenty to crow -- and cringe -- about. The greatest gain: productivity. The most important concern: data security.
Moving data across a variety of devices and networks puts corporate data at increased risk of leaks or attacks. Several recent studies have shown that nearly half of the organizations that allow employees to connect to the corporate network via BYOD programs have encountered data breaches.
What employees are doing with their devices outside the office may be the biggest threat, whether it involves downloading virus-ridden games, visiting contaminated websites, or backing up sensitive corporate data to a public cloud. Organizations that don't have visibility into employee activities can't assess how, when, and where their data may have been exposed.
But managing a BYOD program is not a device problem, it is an education problem, according to Stephen Orban, CIO and global head of technology at Dow Jones & Co., a news and media company. "We heavily rely on people being good corporate citizens," he told me.
Dow Jones is in the business of creating and distributing information, and it is critical that employees understand what data the company is trying to protect, Orban says. Toward that end, Dow Jones requires that in order for an employee to connect a personal device to the network, the company must be able to remotely manage, and -- if necessary -- wipe the device.
Like many organizations, Dow Jones has two networks available -- an open one for basic Internet access, and a restricted one that enables access to important corporate data. "The [restricted network] requires total knowledge of what's on your device," Orban says.
Dow Jones is part of the News Corp family, so BYOD policies initially came from that organization. But Dow Jones created its own Risk Council to investigate competitor experiences, best practices, and business needs. The council is composed of senior managers from each business unit to make sure all employee needs are represented.
The challenge with creating a BYOD environment is to effectively balance the rewards with the risks, Orban says. That includes taking into account your organization, its industry, the nature of your data, the regulations that impact such a program, and your employees' habits and needs. Communication and education will go a long way in these efforts.
Organizations also have plenty to crow about with BYOD, Orban believes. Obvious benefits include the reduced cost of not having to buy or maintain as many company-owned devices. Countless other organizations report increased employee accessibility to the data they need to work with and improved overall productivity. These are significant benefits.
From the employee perspective, the desire to use one's personal devices -- any devices, anywhere, any time -- is becoming a given. You need only open your eyes and look around your personal world to understand we have become married to our technology devices. The same is true at work.
More CIOs are cautiously pushing the "On" button for BYOD.
Employees report they feel more productive and are happier on the job when they can use their own smartphone or tablet to help take care of business. More employees take their work home now to some degree, further driving the BYOD movement. As further proof of how embedded BYOD has become, some companies are even flaunting their BYOD program as a recruiting and retention tool.
Ah, but here's the rub. The more employees who have access to your data via personal devices, the more types of devices are on your network, and the more non-company applications workers are trying to use, the deeper your security issues become. The main culprit, as IT sees it: loss of control.
Still, for some organizations, BYOD is more of a fluid reality than a formal policy. That is the case at Commercial Metals Co. in Dallas.
"Our BYOD program is more ad-hoc than a true BYOD program," explains Tracy Nolan, vice president and CIO. "We wrestle with this. Devices are out there that are a lot better or cooler than what you can get at work. When I started out here three years ago, execs were handing out devices like candy. I saw a need right away to get some security on that."
The first step was to obtain mobile device management (MDM) technology. As long as employees agree to download the MDM app on their device, they are eligible. The next step is communication -- lots of it -- about how BYOD will function and the risks to the organization. Nolan is working on an updated security plan now.
Approximately 20 percent of employees at Commercial Metals take advantage of the BYOD policy, Nolan estimates.
An effective BYOD policy should be simple and flexible, Nolan says. An organization should also ask what it wants to accomplish with the policy. Goals should include lower costs, better service, and increased productivity.
"Make sure the program has the right balance to accomplish all of these," Nolan says. "Make sure you have measures for them, and that you have the ability to change based on what you see."
— David Weldon is an experienced editor, writer, and research analyst, with over 30 years of experience in the communications and research fields.