Can you bring (and use) your iPad or iPhone at work? Some companies are embracing the bring-your-own-device (BYOD) trend. But doing so brings risk. What if a device gets lost or stolen?
Some companies, including Toronto-based Hill & Knowlton Strategies Canada, allow employees to use their own devices but keep a close eye on mobile security. Its IT department sets the devices up so there is a degree of control.
"The number of Canadians who are mobile in their work in some capacity is huge, and it's growing," says Krista Napier, Toronto-based senior analyst and tracker team lead, mobile devices, with market intelligence firm IDC Canada.
IDC surveys show that two thirds of Canadian workers fit this description – a number expected to reach three quarters by 2015.
Ms. Napier joined us earlier to talk about the subject.
Dave Michaels, The Globe and Mail:
Hi everyone. We'll begin in just a moment. Please submit your questions in the box below.
We are expecting Krista to join us in just a minute.
Comment From Krista Napier
Happy to be here. Looking forward to answering your questions!
Comment From Bob
Are you using your iPhone or iPad for this online meeting?
Comment From Krista Napier
Great first question! I do have my iPad beside me, with some of my research and articles on there for reference during this call.
Here's a question from JJ.
Comment From JJ
Using an app-centric data security system, isn't it pretty easy to protect corporate info while being non-intrusive to the UX?
Corporate info can be protected while not compromising the user experience. That is correct. There are more solutions coming out now that will allow for that security, while distinguishing between "business" apps and "personal" ones. Personal apps could be kept in a personal perimeter, while business ones in the corporate perimeter.
One example would be BlackBerry Mobile Fusion, which will allow for that type of division.
Krista, can you give us an idea of to what extent personal phones and tablets are being used in the workplace?
The trend toward BYOD (bring your own device) is still early but growing. In one survey we did at IDC with Canadian businesses last year, we found that around 28% of respondents were supporting BYOD for media tablets in their company, and 42% were supporting BYOD for smartphones.
It is interesting to note that in that survey, when we asked businesses if they plan to support BYOD for media tablets and smartphones in the next 12 months, more of them stated they were planning to support media tablets. So while people having been bringing their phones to work for a while now it's media tablets that are really helping to drive this trend forward.
Comment From Dave Smyth
As employees become more tech-savvy, they are less likely to accept one-sided policies that force them to relinquish control of their own personal device for heavy handed solutions like mobile device management. What do you think the future holds for more elegant solutions?
That is a good point. We have asked Canadian consumers in past surveys if they have concerns about brining their devices into the work place...almost 70% of respondents said there were not concerned. However, we also find that today, it's early days in terms of how businesses are managing these devices. Many companies are still using just a policy and user passwords. So more will need to be done to ensure the security of the devices, without impeding the value they deliver.
Comment From BD
An employer controlling aspects of a personal device sounds like a slippery slope. Are there legal implications? Sample scenario: If an organization integrates a personal Blackberry to a work BES server, and then applies work policies, monitoring, even the potential to reset the device...
Comment From Randy
Bottom line...if you are an Iphone or Ipad user...it isn't secure on a corporate network without a product like RIMs BlackBerry Mobile Fusion.
That is where creating some balance between corporate and personal is important. You are right to say that if an employer is controlling all aspects of a personal device, that probably won't fly with the employee. But you need to exercise security measures as a company to control the "work" content and activities taking place on the device.
Comment From N&L
Krista, can you provide information on the percentage of companies currently investing in Mobile Device Management (third party provided) so that their IT departments have some control?
Sure. Last year, IDC Canada did a study on MDM adoption and plans among Canadian businesses. I can share some of those results.
Basic security like password policy and enforcement is the most deployed MDM feature. On average, over 60% of companies are doing this basic security. The percentage is higher for large businesses.
Where there is opportunity is for advanced MDM security, especially among small businesses.
Comment From Wayne Brooks
Seems to me that CoIT is really leveraged by using in-house apps. What is the best way to deploy corporate mobile apps in your opinion?
I think a lot of companies are still trying to figure out what apps they even need, and whether they already exist or if they need to have them built. However, once they figure out what they need, I think one approach will be for companies to use enterprise app stores, that will have "approved" apps in them for employees. These apps can include productivity apps for work as well as other approved apps, like games.
Comment From Jon L
Disagree with Randy. It's important to secure the corporate data, not lock down the entire device.
Comment From Brad
Is the BYOD trend going to eventually eliminate various corporate devices (eg, the corporate smartphones)? if so, how would a company force their controls on an employee's personal device?
Different companies will take different approaches to BYOD. For now, I don't think it will eliminate corporate owned devices, because there are some industries that are very concered about security and customer privacy, and hence, will still use corporate devices in some cases. Others may provide an "allownce" for employees and managers to buy devices, so the cost is shared, and in the opposite extreme case, employees will buy the devices themselves, which would in that case decrease corporate owned devices.
Comment From Randy
Reading along, one thing becomes VERY clear....there is a HUGE difference between the person who signs the front of the paycheque and the one who signs the back. Do you really think you can dictate or "negotiate" what employers will and won't allow on their network infrastructure?
A thin client access solution may be the most elegant solution. If it could be configured to prevent users from saving locally, there would be no need for a remote wipe.
That is a good point. One of the big concerns is that employees will save content on their media tablets or other devices and walk out of the office with it, creating a liability. So a thin client solution can help provide a preventative solution to that versus a reactive remote wipe.
Comment From Patrick
What is the one thing that can or should be done to assess the risk and determine what level of security is needed or required when employees bring their own devices?
It will depend on the business, and the industry, but thinking through a policy is a good first step. Taking inventory of what your employees are using and what corporate owned devices are being used is important to understand what you are working with. That may seem simple in a small company but is more complex in a large one. Then, there are many companies offering services around this now who can help with strategies and solutions to get you started. The big carriers in Canada are now offering solutions around this, as are other large and small service providers, and vendors like RIM.
Comment From Randal
At some point, organizations need to evaluate the liability that goes along with the overtime, out of office work hours that they are implicitly encouraging employees to incur. @ Randy, I'm currently rolling IBM traveller, which also encrypts and can lock down devices including iPhones and iPads, amongst others, so the Blackberry server is not the only solution.
Krista, thanks very much for taking time out of your day for us. We do appreciate it.
No problem. Thank you for the great discussion today.