Bring your own device
Bring your own device (BYOD)—also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own personal computer (BYOPC)—refers to the policy of permitting employees to bring personally owned devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications. The phenomenon is commonly referred to as IT consumerization.
BYOD is making significant inroads in the business world, with about 75% of employees in high-growth markets such as Brazil and Russia and 44% in developed markets already using their own technology at work. Surveys have indicated that businesses are unable to stop employees from bringing personal devices into the workplace. Research is divided on benefits. One survey shows around 95% of employees stating they use at least one personal device for work.
The term was initially used by a VoIP service provider BroadVoice in 2004 (initially for AstriCon, but then continued as a core part of the business model) with a service allowing businesses to bring their own device for a more open service provider model. The term BYOD then entered common use in 2009, courtesy of Intel when it recognized an increasing tendency among its employees to bring their own smartphones, tablets and laptop computers to work and connect them to the corporate network. However, it took until early 2011 before the term achieved prominence, when IT services provider Unisys and software vendor Citrix Systems started to share their perceptions of this emergent trend. BYOD has been characterized as a feature of the "consumer enterprise" in which enterprises blend with consumers. This is a role reversal in that businesses used to be the driving force behind consumer technology innovations and trends.
In 2012, the U.S. Equal Employment Opportunity Commission adopted a BYOD policy, but many employees continued to use their government-issued BlackBerrys because of concerns about billing, and the lack of alternative devices.
The proliferation of devices such as tablets and smartphones, now used by many people in their daily lives, has led to a number of companies, such as IBM, to allow employees to bring their own devices to work, due to perceived productivity gains and cost savings. The idea was initially rejected because of security concerns but more and more companies are now looking to incorporate BYOD policies; 95% of respondents to a survey by Cisco said they either already supported BYOD or were considering it.
This new trend also frees IT departments from having to keep up with new technology available on the market, which in recent years has become a complex and constantly growing challenge.
According to research by Logicalis, high-growth markets (including Brazil, Russia, India, UAE, and Malaysia) demonstrate a much higher propensity to use their own device at work. Almost 75% of users in these countries did so, compared to 44% in the more mature developed markets.
In the UK, the CIPD Employee Outlook Survey 2013 revealed substantial variations by industry in the prevalence of BYOD.
Some reports have indicated productivity gains by employees. Companies such as Workspot believe that BYOD may help employees be more productive. Others say that using their own devices increases employee morale and convenience and makes the company look like a flexible and attractive employer. Many feel that BYOD can even be a means to attract new hires, pointing to a survey that indicating that 44% of job seekers view an organization more positively if it supports their device.
Some industries are adopting BYOD more quickly than others. A recent study by Cisco partners of BYOD practices found that the education industry has the highest percentage of people using BYOD for work, at 95.25%.
A study by IBM says that 82% of employees think that smartphones play a critical role in business. The study also suggests that the benefits of BYOD include increased productivity, employee satisfaction, and cost savings for the company. Increased productivity comes from a user being more comfortable with their personal device; being an expert user makes navigating the device easier, increasing productivity. Additionally, personal devices are often more up-to-date, as the devices may be renewed more frequently. BYOD increases employee satisfaction and job satisfaction, as the user can use the device they have selected as their own rather than one selected by the IT team. It also allows them to carry one device rather than one for work and one for personal use. The company can save money as they are not responsible for furnishing the employee with a device, though this is not guaranteed.
Although the ability of staff to work at any time from anywhere and on any device provides real business benefits, it also brings significant risks. Companies must deploy security measures to prevent information ending up in the wrong hands. According to an IDG survey, more than half of 1,600 senior IT security and technology purchase decision-makers reported serious violations of personal mobile device use.
BYOD security relates strongly to the end node problem, whereby a device is used to access both sensitive and risky networks and services; risk-averse organizations issue devices specifically for Internet use (termed Inverse-BYOD).
BYOD has resulted in data breaches. For example, if an employee uses a smartphone to access the company network and then loses that phone, untrusted parties could retrieve any unsecured data on the phone. Another type of security breach occurs when an employee leaves the company; they do not have to give back the device, so company applications and other data may still be present on their device.
Furthermore, people may sell their devices and forget to wipe sensitive information before the handover. Family members may share devices such as tablets; a child could play games on a parent's tablet and accidentally share sensitive content via email or other means such as Dropbox.
IT security departments wishing to monitor usage of personal devices must ensure that they monitor only activities that are work-related or access company data or information.
Organizations adopting a BYOD policy must also consider how they will ensure that the devices which connect to the organisation's network infrastructure to access sensitive information will be protected from malware. Traditionally if the device was owned by the organisation, the organisation can dictate for what purposes the device may be used or what public sites may be accessed from the device. An organisation can typically expect users to use their own devices to connect to the Internet from private or public locations. The users could be susceptible from attacks originating from untethered browsing or could potentially access less secure or compromised sites that may contain harmful material and compromise the security of the device.
Software developers and device manufacturers constantly release security patches to counteract threats from malware. IT departments that support organisations with a BYOD policy must have systems and processes to apply patches protecting systems against known vulnerabilities of the devices that users may use. Ideally, such departments should have agile systems that can quickly adopt the support necessary for new devices. Supporting a broad range of devices obviously carries a large administrative overhead. Organisations without a BYOD policy have the benefit of selecting a small number of devices to support, while organisations with a BYOD policy could also limit the number of supported devices, though this could defeat the objective of allowing users the freedom to choose their preferred device freely.
Several market and policies have emerged to address BYOD security concerns, including mobile device management (MDM), containerization and app virtualization. While MDM allows organizations to control applications and content on the device, research has revealed controversy related to employee privacy and usability issues that lead to resistance in some organizations. Corporate liability issues have also emerged when businesses wipe devices after employees leave the organization.
A key issue of BYOD which is often overlooked is BYOD's phone number problem, which raises the question of the ownership of the phone number. The issue becomes apparent when employees in sales or other customer-facing roles leave the company and take their phone number with them. Customers calling the number will then potentially be calling competitors, which can lead to loss of business for BYOD enterprises.
International research reveals that only 20% of employees have signed a BYOD policy.
It is more difficult for the firm to manage and control the consumer technologies and make sure they serve the needs of the business. Firms need an efficient inventory management system that keeps track of the devices employees are using, where the device is located, whether it is being used, and what software it is equipped with. If sensitive, classified, or criminal data lands on a U.S. government employee's device, the device is subject to confiscation.
Another important issue with BYOD is of scalability and capability. Many organisations lack proper network infrastructure to handle the large traffic generated when employees use different devices at the same time. Nowadays, employees use mobile devices as their primary devices and they demand performance which they are accustomed to. Earlier smartphones used modest amounts of data that were easily handled by wireless LANs, but modern smartphones can access webpages as quickly as most PCs do and may use radio and voice at high bandwidths, increasing demand on WLAN infrastructure.
Finally, there is confusion regarding the reimbursement for the use of a personal device. A recent court ruling in California indicates the need of reimbursement if an employee is required to use their personal device for work. In other cases, companies can have trouble navigating the tax implications of reimbursement and the best practices surrounding reimbursement for personal device use.
Personally owned, company enabled (POCE)
A personally owned device is any technology device that was purchased by an individual and was not issued by the agency. A personal device includes any portable technology such as cameras, USB flash drives, mobile wireless devices, tablets, laptops or personal desktop computers.
Corporate-owned, personally enabled (COPE)
As part of enterprise mobility, an alternative approach are corporate-owned, personally enabled devices (COPE). Under such policies, the company purchases and provides devices to their employees, but the functionality of a private device is enabled to allow personal usage. The company maintains all of these devices similarly to simplify its IT management; the organization will have permission to delete all data on the device remotely without incurring penalties and without violating the privacy of its employees.
A BYOD policy must be created based on the company’s requirements. BYOD can be dangerous to organizations, as mobile devices may carry malware. If an infected device connects to the company network, data breaches may occur. If a mobile device has access to business computing systems, the company's IT administrator should have control over it. A BYOD policy helps eliminate the risk of having malware in the network, as the management team can monitor all contents of the device and erase data if any suspicious event is captured. BYOD policies may specify that the company is responsible for any devices connected to a company network.
Other policy considerations
BYOD policies can vary greatly from organization to organization depending on the concerns, risks, threats, and culture, so differ in the level of flexibility given to employees to select device types. Some policies dictate a narrow range of devices; others allow a broader range of devices. Related to this, policies can be structured to prevent IT from having an unmanageable number of different device types to support. It is also important to state clearly which areas of service and support are the employees' responsibilities versus the company's responsibility.
BYOD users may get help paying for their data plans with a stipend from their company. The policy may also specify whether an employee is paid overtime for answering phone calls or checking email after hours or on weekends. Additional policy aspects may include how to authorize use, prohibited use, perform systems management, handle policy violations, and handle liability issues.
For consistency and clarity, BYOD policy should be integrated with the overall security policy and the acceptable use policy. To help ensure policy compliance and understanding, a user communication and training process should be in place and ongoing.
- Bring your own encryption
- Bring your own operating system
- Mobile security
- One to one computing
- Remote mobile virtualization
- It interrupts the class BYOD on pcworld.com
- "Enterprise & Gateway Suites - Trend Micro". Trend Micro.
- "BYOD – Research findings". Logicalis. Retrieved 12 February 2013.
- Rene Millman, ITPro. "Surge in BYOD sees 7/10 employees using their own devices." Aug 12, 2012. Retrieved Jun 5, 2013.
- "Broadvoice". 21 March 2004.
- "Mobile: Learn from Intel's CISO on Securing Employee-Owned Devices". Gov Info Security. Retrieved 10 January 2013.
- "Rise of the 'consumer enterprise'". 24 June 2013.
- Lisa Ellis; Jeffrey Saret; Peter Weed (2012). "BYOD: From company-issued to employee-owned devices".
- "BlackBerry Strategizes For More U.S. Government Clients". 2013-01-07.
- "Support BYOD and a smarter workforce". Archived from the original on 2015-02-07. Retrieved 2014-12-29.
- "Cisco Study: IT Saying Yes To BYOD". Cisco. 16 May 2012. Retrieved 19 March 2019.
- El Ajou, Nadeen (24 September 2012). "Bring Your Own Device trend is ICT industry's hottest talking point at GITEX Technology Week". Forward-edge.net. Retrieved 26 September 2012.
- "BYOD research findings". Logicalis. Retrieved 12 February 2013.
- UC Strategies (May 1, 2013). "BYOD's Productivity Gains Are "Hard to Calculate" – Study Says". Retrieved July 11, 2014.
- Gina Smith (February 16, 2012). "10 myths of BYOD in the enterprise". TechRepublic.
- "Cisco ASA + Workspot = BYOD". Workspot. Archived from the original on 2014-07-14.
- Bernice Hurst (August 6, 2012). "Happiness Is ... Bringing Your Own Computer Devices to Work". RetailWire.
- Kevin Casey (November 19, 2012). "Risks Your BYOD Policy Must Address". InformationWeek. Retrieved June 19, 2013.
- "90% American workers use their own smartphones for work". Archived from the original on 2013-12-03. Retrieved 2013-11-23.
- "What is bring your own device?".
- "Threat, Violation and Consumerization Impact" (PDF). forescout.com.
- "Bring your own device (BYOD) policies" (PDF). Fraud Advisory Panel. 23 June 2014. Retrieved 23 June 2014.[permanent dead link]
- "The Rise and Risk of BYOD - Druva". 22 September 2014.
- The U.S. Air Force Research Lab's (AFRL) Leader iPad Pilot used this method to provide its researchers unfiltered access to the Internet, reserving its filtered, sensitive network for other use.
- "Nearly half of firms supporting BYOD report data breaches".
- 4 Steps to Securing Mobile Devices and Apps in the Workplace - eSecurityPlanet.com
- Wiech, Dean. "The Benefits And Risks Of BYOD". Manufacturing Business Technology. Retrieved 28 January 2013.
- "Greatest Threat to Enterprise Mobility: Employee's Children". 2013-05-17. Archived from the original on 2013-08-22.
- "Bring your own device: Security and risk considerations for your mobile device program" (PDF). September 2013.
- "Enterprise & Gateway Suites - Trend Micro". Trend Micro.
- "Implementing BYOD Plans: Are You Letting Malware In?" (PDF). Retrieved August 26, 2017.
- David Weldon, FierceMobileIT. "No one-size-fits-all solution for BYOD policies, panel reveals." May 13, 2014. Retrieved Jul 11, 2014.
- Tom Kaneshige, CIO. "Attack of the BYOD-Killing MDM Software." February 4, 2014. Retrieved Jul 15, 2014.
- Lauren Weber, Wall Street Journal. "BYOD? Leaving a Job Can Mean Losing Pictures of Grandma." January 21, 2014. Retrieved Jul 15, 2014.
- Kaneshige, Tom. "BYOD's Phone Number Problem".
- "BYOD Policy". Logicalis. Retrieved 12 February 2013.
- Kenneth C. Laudon, Jane P. Laudon, "Management of Information Systems"
- Jarrett, Marshall. "Searching and Seizing Computers and Obtaining Electronic Evidence in Criminal Investigations" (PDF). Office of Legal Education. Retrieved 15 May 2013.
- Cassidy, Steve (Jan 2015). "Mobile device management". PC Pro. London: Dennis Publishing Ltd. ISSN 1355-4603 – via ProQuest Central.
- "As Mobile Devices Catch On with Businesses, Data Breach Risks Grow | PropertyCasualty360". PropertyCasualty360. Retrieved 2018-12-03.
- Hassell, Jonathan. "7 Tips for Establishing a Successful BYOD Policy". CIO. Retrieved 2017-02-25.
- Emery, Scott (2012). "Factors for Consideration when Developing a Bring Your Own Device (BYOD)" (PDF). University of Oregon Interdisciplinary Studies Program presentation.