
WHITE PAPER

The Need for IT to Get in Front of the BYOD Problem

An Osterman Research White Paper

Published October 2012

Sponsored by Quest Software (now a part of Dell)

Osterman Research, Inc.
P.O. Box 1058
Black Diamond, Washington 98010-1058 USA
Tel: +1 253 630 5839
Fax: +1 253 458 0934
info@ostermanresearch.com
www.ostermanresearch.com
twitter.com/mosterman


EXECUTIVE SUMMARY
Wikipedia defines Bring Your Own Device (BYOD) as the recent trend of employees bringing personally-owned mobile devices to their place of work, and using those devices to access privileged company resources such as email, file servers and databases as well as their personal applications and data.[i] Hidden within and implied by that seemingly innocuous definition are a number of quite serious problems for corporate IT departments and organizations in general:

- Separate ownership of the platform used to create and store data and the data itself. This separation of ownership can make it more difficult for IT to access content on mobile devices in a timely way, if at all.
- The reduced control that IT has over devices and data with regard to encrypting content, retaining it in corporate archiving systems, deleting it in the event a mobile device is lost, and otherwise managing content and devices in accordance with compliance and other obligations.
- The potential for personal applications to create security risks, such as through loss of sensitive data or by the introduction of malware into the corporate network.

THE PROBLEM IS SERIOUS

As shown in the following figure, nearly three out of five organizations believe that BYOD represents a problem for their organizations; we anticipate that as the trend builds over the next 24 months, the problem will become much more serious.

[Figure: Perceived Seriousness of the BYOD Problem]


KEY TAKEAWAYS

BYOD is pervasive: employees in 82% of organizations are using personally owned smartphones and/or tablets to access corporate systems like email, databases and various applications.

2012 Osterman Research, Inc.


BYOD offers some benefits as a means of potentially reducing corporate costs and improving employee morale and job satisfaction. However, there is substantially more downside risk from unmanaged BYOD in a number of areas: support for these devices is more difficult than it is for company-supplied devices, the cost of managing mobile devices can actually go up, content management becomes more difficult, network and application security are placed at higher risk, and corporate governance can become very difficult to manage. All organizations should develop a BYOD strategy, implement the appropriate policies to manage personally owned devices, and deploy the technologies that will enable enforcement of these policies.

ABOUT THIS WHITE PAPER


This white paper discusses the results of an in-depth survey conducted for Quest Software (now a part of Dell), the sponsor of this white paper. This paper also provides an analysis of the BYOD problem and what organizations should consider doing to mitigate the risks and realize the benefits associated with it. The survey for this white paper was conducted during July 2012 with members of the Osterman Research survey panel. A total of 162 surveys were completed across a wide range of industries. The organizations surveyed have a mean of 13,135 employees and 11,463 email users (the medians are 1,500 and 1,200, respectively). Smartphones are employed by a mean of 46% of the email users in the organizations surveyed; iPads and other tablets are used by 14%.

BYOD IS BECOMING A SERIOUS ISSUE


WHAT DO WE MEAN BY BYOD?
The Bring Your Own Device (BYOD) phenomenon is the increasingly common practice of employees using their own smartphones, tablets, laptops and other computing platforms and applications to access corporate systems like email and databases, and to create, store and manage corporate data using these devices. For example, Osterman Research has found that business email and Web browsing are the tasks for which mobile platforms are most commonly used (by 99% and 93% of users, respectively). However, use of personal social media, corporate social media and the storage of business-related documents are also common.


PERSONAL DEVICES ARE INFILTRATING CORPORATIONS

As shown in the figure below, company-owned devices of various types are widely used for work-related purposes; not surprisingly, our research showed that 100% of organizations supply one or more computing platforms to their employees. However, our research also found that in 82% of the companies surveyed, personally owned devices are used alongside company-supplied devices. While a majority of employees are not yet using personal devices to access corporate systems, four out of five companies are part of the BYOD trend to varying degrees.


[Figure: Percentage of Employees Using Various Platforms for Work-Related Purposes]

WHY IS BYOD GROWING SO QUICKLY?

The BYOD phenomenon is being fueled primarily by four trends:

- Employees want the latest and greatest. Employees often want the latest and highest performance hardware, better and newer devices than their employer provides for them, across a variety of platforms: desktop PCs, smartphones, tablets, etc. This is due in part to the fact that decisions about personal devices are not constrained by the return-on-investment and limited budget considerations that often limit IT decision-making. Moreover, individuals are generally freer to make impulse purchases in response to the latest and greatest hardware announcements; IT departments typically make more well-informed and more thoughtful decisions about purchasing capital equipment and do so during normal, less frequent hardware refresh cycles. In short, individuals who buy new hardware for themselves are not constrained by the need to make a business case for their purchases.
- Telework. A growing number of employees work at home as part of telework programs and so are not as constrained by their IT department about downloading and installing applications that may or may not have been vetted for use on the corporate network. In other words, the distance between an employee and a corporate IT department is inversely proportional to the control that IT can exert on that employee.
- IT is strapped for cash. Many IT departments cannot afford all the tools that users need; the vetting process for these applications is too slow to meet users' expectations; or the IT department simply does not allow certain tools to be used because of concerns over corporate security, the potential for data breaches, etc.
- The blurring of work and personal life. Many employees are happy to enable, or are at least willing to accept, a blurring of the distinction between their work and personal lives. This has been borne out by Osterman Research surveys that demonstrate that the vast majority of employees bring work home with them, access corporate email after hours and on vacation, and so on.

WHY BYOD CAN BE A GOOD THING


There are three basic benefits that BYOD can provide:

- Corporate costs can be reduced (maybe). At least in the short term, corporate costs can be lowered by employees funding some or all of their mobile device and cloud-based application requirements. For example, while many employers will pay for employees' mobile devices outright, some provide only partial reimbursement, if that. An Aberdeen Group study found that carrier costs for employee-owned devices are $10 per month per device lower than if the company owns the device.[ii] Moreover, a comScore MobiLens study of BlackBerry users in late 2011 found that 22% of employers provide only partial reimbursement for users' devices.[iii]
- Employee morale can be improved. There is some evidence to suggest that when employees are permitted to choose their own mobile device, their job satisfaction can be higher. For example, an Aberdeen Group study found that 61% of companies that permit employees to use their own mobile device experience higher employee satisfaction.[iv]
- Organizations can keep up with the latest and greatest. Many IT departments have been subjected to frozen or declining budgets over the past few years, particularly since late 2008. The result is that many have not had the funds available to supply their employees with more advanced smartphones and tablets. Because many employees are willing to supply these devices themselves, IT departments are often spared the expense of supplying employees with cutting-edge tools that can make them more efficient.

WHY BYOD CAN BE A BAD THING


COSTS CAN INCREASE WITH BYOD
An analysis conducted by the Aberdeen Group found that a 1,000-seat organization can spend an additional $170 per user per year when using BYOD compared to providing smartphones themselves.[v] However, BYOD can lead to other, potentially enormous costs. For example, if a company-owned smartphone that contains customer data is lost and it cannot be remotely wiped, in most cases an organization will be obligated to report this data breach to all of the affected parties. If we assume, as Osterman Research discovered in another survey, that 69% of company-owned devices can be remotely wiped compared to only 24% of personally owned devices, then the likelihood of losing data for the latter, and the cost of the data breach, will be 2.9 times greater.


SUPPORT BECOMES MORE DIFFICULT WITH BYOD

Our research found that most organizations do not fully support their mobile users. As shown in the following figure, only one-third of organizations support mobile users as they do users of more traditional parts of the IT infrastructure like desktop PCs or laptops. Moreover, as shown in the next figure, support from IT and the help desk is more difficult and more onerous for employee-owned devices than it is for company-owned devices. This is due to a variety of factors, not least of which are the wide variety of smartphones and tablets that users will employ, the different operating systems in use, the different firmware versions in use, and the wide range of personal applications that are installed on the devices, some of which may represent a security threat.


[Figure: What is your current practice or near-term plan for supporting mobile devices and applications?]

[Figure: Ease/Difficulty of Managing Company- and Employee-Owned Devices (% responding "Difficult" or "A Real Pain for Us")]

43% of organizations put executives on the "A list" for mobile device and application support, but provide only best-effort support for everyone else.


CONTENT MANAGEMENT BECOMES MORE DIFFICULT

Mobile devices contain a growing proportion of corporate data. For example, Osterman Research has found that more than 5% of corporate data is stored only on users' smartphones and tablets;[vi] we expect this figure to increase dramatically during the next 24 months as iPads and other tablets are employed in much larger numbers than they are today. Employee-owned devices make access to this data by corporate IT or compliance departments much more difficult, such as when data must be gathered during an eDiscovery exercise. This is not only because of the difficulty that might be encountered in physically accessing these devices, but also because of the potential privacy and other legal issues that are raised by companies accessing their employees' personal property. This is particularly true in those jurisdictions that place a heavy emphasis on employee privacy. Even knowing what data exists on mobile devices is much more difficult for IT with employee-owned devices than it is with devices under IT's control. This is particularly difficult for legal counsel and others that must assess the information that the organization has available to it during eDiscovery, early case assessments, legal holds and similar types of litigation-related activities. Moreover, the probability of spoliation of content stored on personally owned devices is much greater simply because that content is not controlled by an IT or compliance department.

Legal holds can be particularly problematic in a BYOD environment. When data that might be required in a legal action must be set aside from the normal deletion cycle or from users' manual deletion, it is critical that an organization immediately be able to preserve all relevant data, such as emails that might need to be produced during trial or pre-trial activities. Placing a hold on mobile data may be more difficult than it is for traditional systems, and much more difficult when the data is located on devices that are under the control and ownership of individual employees.

NETWORK AND APPLICATION SECURITY BECOME RISKIER

Another threat introduced by BYOD is that personal devices used to create, access and store corporate data will normally bypass the inbound content filtering systems that IT has deployed in the corporate network. One result of this is a potentially greater likelihood of malware intrusion, particularly for Android devices. For example, F-Secure found that for the 12-month period ending in the first quarter of 2012, the number of new Android-focused malware families and variants had increased from 10 to 37, and the number of malicious Android-focused application package files had increased from 139 to 3,063.[vii] Further, personally owned devices will normally bypass DLP and related systems, possibly resulting in more violations of corporate and regulatory policies focused on encrypting content or preventing disclosure of sensitive information. For example, researchers in a UK-based study acquired 49 mobile devices that had been resold through secondary markets; forensic examination of the devices resulted in the discovery of information on every device and a total of more than 11,000 pieces of information collectively from all of the devices.[viii]

Further evidence of the security threat that BYOD creates in most organizations comes from other research that Osterman Research conducted during 2012. For example, we found that in organizations with at least 100 employees:

- 44% of company-owned smartphones and 38% of company-owned tablets can be scanned for malware. However, only 10% of personally owned smartphones and 9% of personally owned tablets can be similarly scanned.
- 69% of company-owned smartphones can be remotely wiped if they are lost, but only 24% of personal smartphones can be wiped. Similarly, 54% of company-owned tablets can be remotely wiped versus only 21% of personally owned tablets.



GOVERNANCE CAN BECOME A SERIOUS PROBLEM

Just about every organization must comply with a variety of obligations to protect, retain and manage their business records wherever they may be found: on corporate systems managed by IT, or on personal devices owned by employees. These obligations, which are focused primarily on the archiving, encryption and monitoring of certain types of content, include the following:

- The Health Insurance Portability and Accountability Act (HIPAA) requires healthcare and other organizations to protect sensitive health records of patients and others. However, the new HIPAA that took effect during the first quarter of 2010 greatly expands the impact of the law. For example, while HIPAA previously applied mostly to physicians, medical practices, hospitals and the like, now the business associates of these entities will be required to comply with HIPAA's rules about the security and privacy of protected health information (PHI). That means that accountants, benefits providers, attorneys and others that are given access to PHI will now be fully obligated to comply with HIPAA.
- The Federal Rules of Civil Procedure obligate organizations to manage their data in such a way that it can be produced in a timely and complete manner when necessary, such as during legal discovery proceedings.
- Electronic recordkeeping rules established by the SEC, FINRA, FSA and other regulatory bodies are focused on financial services organizations' obligations to monitor and archive communications between registered firms and their customers. It is also important to note that firms registered with FINRA and the SEC are required to archive and monitor communications made using smartphones, whether company or personally owned. For example, FINRA Regulatory Notice 07-59[ix] states that "a firm should consider, prior to implementing new or different methods of communication, the impact on the firm's supervisory system, particularly any updates or changes to the firm's supervisory policies and procedures that might be necessary. In this way, firms can identify and timely address any issues that may accompany the adoption of new electronic communications technologies."
- The Payment Card Industry Data Security Standard is a set of requirements for protecting the security of consumers' and others' payment account information. It includes requirements for building and maintaining a secure network, encrypting cardholder data when it is sent over public networks and assigning unique IDs to each individual that has access to cardholder information.
- The Sarbanes-Oxley Act of 2002 obligates all public companies and their auditors to retain relevant records like audit workpapers, memoranda, correspondence and electronic records including email for a period of seven years.
- The Gramm-Leach-Bliley Act requires financial institutions to protect sensitive information about individuals, including their names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers.
- Federal Energy Regulatory Commission Order No. 717 imposes various rules on regulated and vertically integrated utilities so that transmission providers do not give preferential treatment to their affiliated customers. The purpose of this order is to create an ethical wall between the marketing and transmission functions of vertically integrated companies that distribute electricity and natural gas between states.



Fundamentally, BYOD makes compliance with these and other obligations much more onerous because of the greater difficulty associated with finding, retaining, encrypting, wiping and otherwise securing corporate data.

WHAT SHOULD YOU DO ABOUT BYOD?


FIRST OF ALL, REALIZE WHAT'S GOING ON
Before the BYOD problem can be brought under control, decision makers must understand just how pervasive it is in most organizations. While most senior managers will surmise that some of their employees are using personally owned smartphones and tablets (given that senior managers often were the catalyst of the trend after the introduction of the iPhone in 2007), they may not appreciate just how widespread this use has become. Senior managers need to understand how personally-owned smartphones and tablets, as well as tools like personal file sync services or Skype, are used throughout the organization, what types of data they are used to access and store, and the reasons for their use.

DEVELOP BYOD POLICIES


Next, decision makers faced with controlling BYOD should implement policies about acceptable use of devices and applications, perhaps creating a list of approved devices, operating systems, applications and other personally owned or managed solutions. These policies should be detailed and thorough, and should be included as part of an organization's overall acceptable use policies that are focused on use of corporate computing resources. However, as shown in the following figure, more than two in five organizations have yet to develop a formal, documented strategy for BYOD.

[Figure: Which of the following best describes your BYOD strategy?]


One of the most important corporate policies for mobile devices should be that any mobile device can be wiped by the IT department in the event of its loss, and that all devices that contain corporate content should be encrypted to prevent the loss of sensitive data or intellectual property. Faced with a requirement to eliminate use of personal devices or applications, many employees will continue to use them secretly anyway, particularly those employees who work from home at least one day per week.

EMPLOY YOUR USERS AS YOUR FIRST LINE OF DEFENSE

Users should be educated about best practices about accessing and managing corporate data on personally owned devices or when using specific applications. An important reason for doing so is not only to make employees aware of the dangers that can result if corporate data is not adequately protected, but also to achieve employee buy-in and cooperation with corporate policies.

DEPLOY TECHNOLOGIES THAT WILL ENABLE YOUR POLICIES


It is imperative that organizations deploy the appropriate technologies, such as mobile device management solutions, that will enable their policies to be enforced and overall corporate risk to be managed at an appropriate level. For example, an organization that allows employees to use their own tablets should deploy a solution that enables full disk encryption, under IT's control, that will protect sensitive data if the device is lost. Other technologies that should be on the short list of those deployed include anti-virus, malware detection and remediation, role-based access, content inspection and archiving; these apply both to personally owned devices and to employee-managed applications.

ABOUT DELL

Dell Inc. (NASDAQ: DELL) listens to customers and delivers worldwide innovative technology, business solutions and services they trust and value. For more information, visit www.dell.com.

MESSAGESTATS
It is critical to know the extent of personally owned device usage in your corporate environment; ignoring it means that your sensitive data may be living in thousands of different places and devices, all of them outside of the control of your IT department and your carefully designed security. The mere thought of inventorying and assessing all of the personally owned devices in your environment may seem overwhelming. MessageStats from Dell can help. MessageStats gathers intelligence about your entire messaging infrastructure including Exchange, BlackBerry, OCS/Lync Server, OWA, Windows Mobile/Active Sync and more with one solution, visible from a single console (i.e., "a single pane of glass"). It is not uncommon for users to have multiple devices that are being used for business purposes. MessageStats lets you know when new devices are activated, as well as who is using them. You will also be able to identify the number of devices in use by each user, as well as the carrier. MessageStats identifies all users and their devices, as well as reports on active use and if policy updates have been applied. Learn more at www.quest.com/messagestats


MOBILE IT

After your BYOD strategy is in place, consider enabling IT staff and users to access important applications on their mobile devices. Use Mobile IT to administer Dell solutions or enhance the value of other third-party applications such as your help desk management software, HR processing system, internal change management system, etc. By enabling secure access to critical applications from a mobile device, Mobile IT delivers the mobile administration and remote management that organizations need today. With IT applications at the heart of business operations, IT shouldn't be tied to desktop applications; instead, they need a way to handle issues as they arise, whether or not they're in the office. Mobile IT delivers the mobile admin functionality IT administrators need to do their jobs, no matter where they happen to be. With Mobile IT, you can:

- Get alerts. Be alerted about events and issues via proactive notifications on mobile devices. You can stay connected and assess issues even while you're not on site.
- Take action. Initiate actions within your applications from your mobile device. You can respond faster to business requests and execute tasks while mobile, which reduces costly delays.
- Run reports. Run reports that put your alerts into context, enabling you to make informed decisions while mobile. For example, you can see what recent changes might have caused users to lose access to data they need.

Learn more at www.Quest.com/Mobile-IT



2012 Osterman Research, Inc. All rights reserved. No part of this document may be reproduced in any form by any means, nor may it be distributed without the permission of Osterman Research, Inc., nor may it be resold or distributed by any entity other than Osterman Research, Inc., without prior written authorization of Osterman Research, Inc. Osterman Research, Inc. does not provide legal advice. Nothing in this document constitutes legal advice, nor shall this document or any software product or other offering referenced herein serve as a substitute for the reader's compliance with any laws (including but not limited to any act, statute, regulation, rule, directive, administrative order, executive order, etc. (collectively, "Laws")) referenced in this document. If necessary, the reader should consult with competent legal counsel regarding any Laws referenced herein. Osterman Research, Inc. makes no representation or warranty regarding the completeness or accuracy of the information contained in this document. THIS DOCUMENT IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. ALL EXPRESS OR IMPLIED REPRESENTATIONS, CONDITIONS AND WARRANTIES, INCLUDING ANY IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE, ARE DISCLAIMED, EXCEPT TO THE EXTENT THAT SUCH DISCLAIMERS ARE DETERMINED TO BE ILLEGAL.
[i] http://en.wikipedia.org/wiki/Bring_your_own_device#cite_note-0
[ii] http://www.xigo.com/byod/
[iii] http://www.bgr.com/2012/01/27/blackberry-users-are-older-and-wealthier-thanaverage-smartphone-users-study-suggests/
[iv] http://www.xigo.com/byod/
[v] http://www.vcinsight.com/116/ExecutiveIntervierws/807/ToBYODornottoBYODthatisthequestion!
[vi] Unpublished Osterman Research survey data, October 2012
[vii] Source: Mobile Threat Report Q1/2012, F-Secure
[viii] Electronic Retention: What Does Your Mobile Phone Reveal About You? http://EzineArticles.com/7068075
[ix] http://www.finra.org/web/groups/industry/@ip/@reg/@notice/documents/notices/p037553.pdf
