The smartphone has erased all boundaries between our professional and personal lives. BYOD (bring your own device) began as a rare workplace perk, but it has evolved into a must-have way of working. Ninety-percent of workers in the United States use their personal smartphone for work purposes, according to a Cisco study. In a 2014 TripAdvisor study, 77% of U.S. respondents reported that they did work while on vacation. And up to 70% of employees regularly check their emails outside of normal working hours on their own devices.
While companies do benefit from employees getting more done outside of the office, most organizations are not ready nor equipped for mobile to become the central way employees work. Audit and IT departments are struggling to keep up with the SaaS world. Rather than creating a thoughtful, mature strategy, they are addressing mobile as an afterthought, scrambling to deal with privacy, security, and data assets after employees start accessing corporate information on their personal smartphone.
How Enterprises Can Handle BYOD's Growth
Companies can no longer afford to address mobile usage as a tag-along or second thought. They must address this trend head-on, as it will only increase. In fact, by 2017, 90% of organizations will support some aspect of BYOD, according to a 2014 Gartner study. These programs will vary in different degrees of maturity, but Gartner predicts that by 2018, there will be twice as many employee-owned devices used for work than enterprise-owned devices.
So, how can companies handle this impending growth?
I think there are three key things companies will need to consider:
1. Organizations Need to Model Risk for Applications While Considering Mobile Devices
Many companies are not evaluating the risks of BYOD, nor do they always have clarity of the risk model. Organizations often forget the most important aspect of mobile devices, their mobility. When mobile devices leave the network, the controls they’ve put in place to mitigate data loss no longer apply and the threat model looks completely different.
Companies must model the risk on a per application and per device type basis, but the process can be time-intensive and challenging to get right. Compounding the problem, most organizations don’t have the expertise in-house to pull it off. So, in addition to the growing need for understanding BYOD’s risk potential, there will also be a premium for individuals who can perform risk-based analysis across device types.
2. Asset Protection Will Shift from IT-Delivered Controls to a Partnership Model
There has to be a shift in thinking of how IT departments protect their assets and data to match modern realities where network edges no longer define a boundary. In the long term, I believe that we will shift away from controls deployed at the perimeter (IT controlling) and toward a partnership between the service provider and IT. Corporate IT will drive policy, but the security controls will be resident in the application and driven by IT policy.
3. Device Characteristics Coupled with User Credentials Will Determine Access
With BYOD on the rise and worker mobility a part of the new paradigm, access to corporate assets will be determined not just by user credentials, but also by the device the user is connecting from. This additional dimension in the authorization model is already possible in existing technology, but will need to be extended to service providers who offer enterprise applications.
Once the model of device+user credentials becomes widespread, implementation in IT is straightforward. Corporate security policy might mandate that employees register their devices so that IT can make access decisions but won’t need to require users to place invasive software on their personal devices in order to manage application access, and in turn, corporate asset access.
Protect Assets and Boost Productivity
Companies who don’t adapt their security models to the modern world of BYOD, BYOA and mobile work face numerous potential risks, including data and intellectual property loss, regulatory risk, competitive disadvantage, and productivity loss due to an inability to rapidly adopt new productivity-enhancing applications.
Recognition of the new archetype and action to ensure that assets remain protected while allowing users to find great applications are near-future table stakes. Corporate IT will be wise to act decisively to model their risk on emerging paradigms and shed outdated IT-centric application procurement mindsets.