Wrestling back control from BYOD

Enterprise adoption of BYOD (Bring Your Own Device) policies are increasing. According to a survey by market research company Gartner, approximately 40 per cent of US consumers who work for large enterprises now use their own personal devices for work purposes

But all is not rosy: as smartphones are increasingly under threat from hackers and cybercriminals, many enterprises are beginning to wonder if BYOD is leaving them open to unnecessary security risks.

An alternative approach is emerging: corporately-owned, personally-enabled.

COPE takes the concept of BYOD and aims to fix some of the challenges. COPE aims to offer the same user experience, privacy and autonomy of personal devices, but provide them on corporate-owned devices.  In essence, employees can use corporate owned devices for personal tasks.  This means enterprises retain all the benefits of BYOD, whilst cutting back on risk.

BYOD Has Its Thorns
Every enterprise under the sun was talking BYOD last year.  But it is it just another technology fad? According to a study by COMPTIA into building digital organizations, enterprises are starting to turn their back on BYOD.

"There is a clear move towards a policy of no BYOD," the report said. Companies find they can pursue mobility initiatives just as well by providing mobile devices to workers "who are often happy to take a corporate device if it is the same thing they would choose on their own."

The main reason for this is that enterprises are realizing the legal and financial complexities that need working out of a successful BYOD program to run.  There is a blurring between work and non-work time, for example, which raises issues on what hours employees are compensated for and how the usage bill is paid.  Also what rights the employer has over the device if the employee owns it? There is a fine line between employer rights and employee privacy.

COPE enables enterprises to retain full control of the device.  This is an attractive model to enterprises as it enables the enterprise to keep data secure and wipe the device if it is lost or stolen, for example.

But COPE isn’t without its downside.  If enterprises don’t provide employees with the latest devices and the ones they want to use – they will use their own anyway.  This brings the dark side of shadow IT into play.

The Big Issue of Security
Enterprises have found it is almost impossible to keep a BYOD policy watertight and many employees have little concern with security when it comes to BYOD devices.  Educating employees in BYOD policies is a difficult business, and many are almost impossible to comprehend. The result is they don’t get read.

In a BYOD survey by Gartner, data suggested that nearly 50% of respondents who use private devices for work purposes use them regularly for social as well as productivity tasks.  This may highlight that users think their devices essential for their jobs.  But worryingly, it points to work-related documents regularly being transferred to private devices, outside the secure network. 

COPE flips the whole BYOD concept on its head.  Rather than create a space on an employee’s personal device for secure data and management, COPE enables the IT department to make space on a fully-managed mobile device for personal use. This sounds great in theory.

COPE can help to mitigate security risks at a network level.  But mobile security breaches often happen due to a type of malware being downloaded off the corporate network, with users unaware they have downloaded it. This leaves sensitive data vulnerable and raises the possibility of malicious software being brought back onto the corporate network. In this case enterprises must be able to recognise and stop suspicious outbound traffic fast or end up with a major security breach on their hands.

No Two Cases Are Ever The Same
The simple truth is that no two BYOD or COPE programs are the same. They both have their pros and cons. Enterprises need to find out what works for them and implement a strategy on a case-by-case business basis. Most importantly they must be able to demonstrate that they can safely and securely address the unique privacy and security issues that apply to their enterprise.