One of the more important debates percolating within the trade secret community, as well as society at large, is what to do about the use of personal electronic devices. The colliding realities of today’s 24/7 workplace and the increasing security risks posed by the use of devices outside the protective sphere of a company’s infrastructure are bringing this issue into focus. IT managers and CIOs are not the only ones talking about this issue; national media, including Forbes, the New York Times and the Wall Street Journal, have noted the tension between these forces in many recent articles.
To give this topic the attention it deserves, I am going to divide it into two posts. Part I will address the data and issues that are driving this problem to the front of the desks of many in-house lawyers, HR managers, CIOs and IT managers; Part II will address the security issues and what companies are doing, and can do, to reduce or eliminate this security risk.
The Facts Driving the Debate: One thing is clear, and that is that employees want to be able to use their personal devices for work. According to a survey, 35% of IT managers say they are under increased pressure from employees to offer greater flexibility for the use of personal devices.
The reasons why employees want to use their personal devices for work are straightforward: (1) an individual employee is much more likely to keep up with ever-changing technology, as opposed to the employer, who as a matter of practical economic reality cannot match that pace (on average, companies upgrade their computers and other devices only once every three years); (2) employees, who are going to own their own devices regardless of their employer’s policy, don’t want to have to carry two smart phones, two laptops, etc.; (3) employees are expected to perform more work from home and many times after 5 p.m., so they do not want to be saddled with what they perceive as relatively “outdated” office technology while on (what was previously) their personal time; and (4) employees simply prefer working from a device with which they are comfortable and familiar, a fact reflected in their purchase of that device. These facts are unlikely to change anytime soon.
Those advocating the increased use of employee devices have coined the phrase “BYOD” (Bring Your Own Device) for those companies and firms that allow for greater use of employee devices. Proponents claim that BYOD benefits the employer as well because it saves the company money, increases employee morale, and allows their employees to be more available after hours. However, as one opponent of BYOD commented, after identifying the legal, security, and logistical problems that accompany employees’ use of personal devices: “BYOD, you say? Better follow it up with BYOB, because you’ll want something to dull the pain.” (See Erik Sherman’s recent take in the Wall Street Journal article, “Should Employees be Permitted to Use Their Own Devices for Work?” John Parkinson presents a nice defense of the BYOD position in the same article, some of which is incorporated above.)
The Great Unknown: Now for the frightening part: recent research and surveys suggest that few companies and IT departments are adequately prepared – let alone adequately educated – to address the relevant issues head-on. According to a November 21, 2011 Citrix press release, a recent global survey by Citrix revealed that 62% of small and medium-sized businesses have no internal IT controls in place to manage employee-purchased smartphones, tablets, laptops, and other devices.
Even more alarming, the Citrix survey found that 45% of the IT managers surveyed were unaware of all the devices being used to access their servers. I am going to repeat that statistic — nearly half of those IT managers could not identify all of the devices that were accessing their servers. Probably for that very reason, 57% of IT managers polled are most concerned about the security implications of employees using personal devices to conduct business.
We’ve confronted the issue and the facts on the ground. Now, in next week’s Part II of this post, we will look at the practical consequences and what companies are doing, or can do, to protect themselves.