The proliferation of smartphones, tablets and other smart devices has changed the way mobile phones are being utilised for personal as well as corporate purposes. The need to access corporate services from any location at any time first led to users migrating from office PCs to laptops, and then to smartphones. Many employees now access and store critical company data on their mobile devices, which are equipped with several unsecured and unauthenticated third-party applications that pose security risks. To address data theft and data leak concerns, many companies implemented a bring-your-own-device (BYOD) policy so as to ensure compliance with security norms and prevent the loss of company data. However, several issues like restricted access and loss of privacy have emerged as key concerns for employees. This has led to the emergence of new policies and solutions that retain some benefits of the BYOD policy while enabling enterprises to have greater control over employee devices.
Slowdown after high rate of adoption
Earlier, enterprises did not allow most employees to access company information on their mobile devices. They provided mobile handsets only to key employees, primarily the senior management, to access and use enterprise services like email. These handsets were mostly BlackBerry phones as the platform was designed to cater to corporate customers. Given BlackBerry’s corporate suite and security features, enterprises were not concerned about the external risks to the company’s network and data. However, unlike the popular smartphones based on the Android and iOS platforms, company-owned devices had limited features and an underdeveloped applications ecosystem, as a result of which employees still preferred using their personal devices.
Given this scenario, enterprises started allowing employees to bring their own devices to work due to associated benefits such as enhanced productivity and a reduction in the capital costs earmarked for purchasing mobile handsets. However, the use of personal devices for storing and accessing corporate data resulted in security threats, not only to a company’s central database but also its information and communications technology (ICT) network.
While enterprises are addressing this concern by installing security software and implementing mobile device management (MDM) solutions on employee smartphones, managing these devices has become a complex task given the wide variety of device platforms used by employees. In addition, MDM solutions are implemented over the entire device, covering all the data and applications stored on the mobile phone. This essentially results in the loss of device control from the employee’s perspective and gives the employer access to personal data, thereby increasing concerns over privacy.
Meanwhile, enterprises that have implemented a BYOD policy face the issue of having to develop software platforms and network configurations for different kinds of mobile devices. This has made it considerably more complex to manage the company’s ICT network and devices and to enforce a BYOD policy, while also increasing the cost of securing these devices. Another problem is that enterprises may have to reimburse the employee’s entire bill rather than only the amount used for corporate purposes.
Exploring other options
To address the problem of testing multiple mobile device platforms as seen in the BYOD policy, a few companies have adopted the policy of choose-your-own-device (CYOD), wherein employees can choose from a set of company-approved devices. The CYOD policy allows for easy testing and gives enterprises more management control of mobile devices while retaining the benefits of BYOD by allowing employees to install third-party applications and store personal data. CYOD also allows information to be secured on devices in a more effective manner. If a personal device is lost or stolen, the enterprise may not be able to prevent data theft, but if the device is company owned, the data stored on the device can be deleted remotely so that it isn’t leaked.
Another policy similar to CYOD is company-owned personally enabled (COPE), wherein the only difference is that the device is owned by the employer rather than the employee. But the challenge in adopting a CYOD or COPE policy is that the limited number of device platforms supported by the company’s ICT network could limit the user experience as compared to BYOD, and this could have an impact on employee productivity.
Enterprises that are continuing with a BYOD policy and are also keen on gaining more control over the corporate data and services used by employees are implementing a new solution known as containerisation. Under this, enterprises set up an encrypted storage space on the mobile device where corporate applications and data are stored, while the remaining space can be used for storing personal data and applications. With this segregation of corporate and personal data, enterprises retain control over the use of corporate data and services, but have no access to the user’s personal data, thereby addressing the privacy concerns of employees. From an enterprise perspective, containerisation also provides control over applications that can access and share corporate data, thus providing an additional layer of security. However, a few firms have received feedback from employees that containerisation is just another version of the earlier policy of giving them BlackBerry phones, with permission to install third-party applications.
Dual-persona devices are a more evolved version of containerisation. These devices have a rigid separation between a company-managed secure storage space and an unmanaged personal storage space, effectively resulting in two different devices within the same smartphone.
Another policy being considered by BYOD policy adopters is managed BYOD, under which enterprises build a tiered access system to their ICT networks for different sets of mobile devices. This requires enterprises to publish and regularly update the list of devices, which are offered different levels of access. As a result, an employee’s access to the company’s ICT network, applications and data depends on the user device. In this way, an enterprise can secure information as well as its internal network while meeting the demands of its employees.
Combination of enterprise mobility models
With smartphones being increasingly used by employees to access and use corporate services, applications and data, enterprise mobility is gaining acceptance. However, the enterprise mobility model that is adopted will vary across firms in accordance with their needs. While many firms have already implemented BYOD policies given the rising use of smartphones by the workforce, in-house IT teams remain highly concerned by the malware threats posed by unsecured and unmanaged third-party applications and the different kinds of software installed on devices.
However, it is expected that most enterprises will primarily opt for a BYOD policy along with a complementary policy to prevent threats from external networks and data. According to research firm Gartner, half of global enterprises will adopt a mandatory BYOD policy by 2017 while gradually decreasing the provisioning of workplace devices. Industry experts also expect enterprises to adopt a combination of policies, customising them in accordance with overall security requirements and their workforce’s demands. The choice of policy will depend on the agility of the workforce and their real-time communication needs. In this regard, containerisation, together with BYOD, is being seen as the preferred option for most enterprises due to the associated benefits. However, enterprises have realised that there is a long way to go before they can enforce a satisfactory level of security on mobile devices while simultaneously giving employees the same kind of freedom they enjoy with personal mobile devices.