BYOD: "The Inmates of the Asylum Have Control"
Mobile devices are multiplying and -- sanctioned or unsanctioned -- finding their way onto corporate networks. For IT pros, the influx of personal mobile devices to the corporate network is raising security concerns, creating management challenges, and swamping the help desk with support calls.
In a survey of 400 IT pros jointly conducted by Network World and SolarWinds, respondents shared a wide range of tactics for handling the mobile device management challenge.
For starters, the majority of survey respondents said their companies issue mobile devices that can access the corporate network, including laptops, tablets and smartphones. RIM BlackBerry devices, iPhones and Android devices are among the most common corporate-issued smartphones, cited by 48%, 45.7% and 38.4% of respondents, respectively (multiple responses allowed). Windows Mobile devices are issued by 14.4% of respondents.
[MOBILE WORK: 25 useful iPad business apps]
Just 15.1% said their companies don't issue mobile devices with network access. Tellingly, some of the respondents whose companies don't issue mobile devices said there's opportunity for end users to bring personal devices to work -- the bring-your-own-device, or BYOD, trend -- and receive support from corporate IT.
"We provide a monthly stipend where users can BYOD for smartphones. We support iPhone, RIM and Android devices," one respondent said.
"We don't issue mobile devices, but users who own their own mobile devices can access the corporate network once they have received IT permission," another respondent said.
The BYOD trend is not universally embraced, however.
In the pro-BYOD camp, 59.3% of respondents say there are no device restrictions when it comes to employee-owned devices that are allowed to access the corporate network. (Access is often limited to specific Web applications or segregated virtual networks, however.)
Among the remainder of respondents who restrict specific personal mobile devices from accessing corporate resources, there was no one device type that's universally banned. Respondents were nearly equally likely to not allow Android (26.6%), iOS (22.8%), RIM BlackBerry (22.3%) and Windows Mobile devices (24.5%)
When asked why companies decided not to allow specific personal mobile devices, responses varied. Many were absolute: "If it is not company-owned, it does not touch our network," one respondent stated. Another said there's "no need to have personal devices on the network when the company provides every resource necessary to do your job."
Respondents frequently expressed security concerns and IT support challenges. They cited the potential for loss of confidential information via personal devices; legal issues and regulatory compliance risks; the introduction of malware threats; and the management burden associated with supporting diverse device types. (See our sampling of BYOD user policies.)
If employees use personal devices to access the corporate network, "in our experience they expect the IT department to also support those devices, and we have a strict policy against supporting devices that we didn't issue," explained one respondent. "We've taken a lot of time and effort to become familiar with specific devices and software, and that's what we expect to be used."
"Most often these devices are using pirated software, have been infected from home, or are being utilized to do non-work-related stuff," another said. "We have not set up a method to segregate these from our production network, so for now they are not allowed."
Not surprisingly, permission is not always clear-cut. Some respondents said exceptions are made for certain job roles (and certain company executives) that are allowed to use personal devices to access the network.
Nor is it always clear exactly how often employees bring their own devices to work. When asked if they're confident they know about all the personal mobile devices with access to the corporate network, respondents expressed varying degrees of certainty. Sixteen percent said they are certain, 30.4% are very confident, and 26.3% are somewhat confident. Meanwhile, 23.3% said they are not at all confident, and 3.8% admitted they have no clue.
The BYOD effect
Despite myriad security concerns and manageability challenges, there are positive effects associated with the BYOD trend.
Among the respondents whose companies allow personal mobile devices to access the corporate network, 46.2% said the policy has increased productivity among end users. A nearly similar number (47.2%) said it has increased end users' ability to work from home.
"Team members are always able to receive and respond to emails, regardless of where they are," one respondent summed up.
In some cases, having a BYOD policy has positively impacted employee relations. BYOD has "improved employee attraction and retention," one respondent said. "We have seen a change in morale," another noted. The policy has "increased job satisfaction for the employee and satisfaction with central corporate IT's customer service," another concluded.
Next page: Additional survey results
Just 5.2% said allowing personal mobile devices to access the corporate network has decreased employee productivity, and 27.5% said they haven't seen any change in behavior.
On the security front, respondents were asked if a non-company-issued mobile device has been responsible for a security breach on the company network. Just 5.7% of respondents said yes, while 66.7% said no and 22.7% said they're unsure.
Among the respondents with anecdotes about BYOD-spawned security incidents, the most commonly cited culprits were personal laptops that introduced a virus on the company network.
On the support front, nearly two-thirds of survey respondents are in agreement on one particular BYOD issue: They need management help.
When asked if they have the necessary tools in place to manage non-company-issued mobile devices on the network, 65.3% said no, 27.5% said yes, and 7.3% said they're not sure.
With the increased use of mobile devices, 44% of respondents said they've experienced an increase in helpdesk requests, 40.7% said they've experienced an increase in network traffic, and 15.9% said they've experienced an increase in security issues. Just over 14% said they've seen an increase in all three of those areas. At the other extreme, 28.3% said they've experienced none of those upticks.
One respondent noted "an increase in workload due to a more diverse hardware and software infrastructure," and another said the management overhead is so significant "we needed to outsource mobile phone device management to keep up with demand."
Respondents said they're employing a wide range of vendor tools and security tactics in order to provide safe, productive mobile access to employees. Usage policies vary, and many are a work in progress as business priorities shift and access technologies mature. Determining security policies that can be reasonably enforced on personal mobile devices is tricky. In some cases, companies have found they need to rethink blanket bans on personal devices at work as the BYOD trend gains momentum. To ignore the trend could be a big gamble.
"Our current policy disallows all personal devices on the corporate network. However, we're not enforcing this. We are in the process of developing a useful/enforceable version of the policy," one respondent said.
Put another way, another survey respondent humorously noted the mobile device management challenge is constantly evolving "because the inmates of the asylum have control."
Read more about anti-malware in Network World's Anti-malware section.