by Derek Brink

How to calculate BYOD risk

Sep 09, 2012

It sounds like a polarising election-year issue – the tension between:

– Right to choose: enterprise end-users who want to use their own smartphones and tablets to access enterprise resources
– Right to wipe: enterprise IT departments who want to ensure that they can centrally lock, erase or wipe enterprise data if the employee-owned device is lost or stolen

The qualitative arguments can run hot on both sides.

Employees increasingly view both the freedom to use the latest mobile devices and their own bubble of personal privacy as an inalienable right.

IT and IT Security professionals seek to maximise employee productivity and job satisfaction while managing enterprise risk and cost.

But can any of these arguments be quantified? Aberdeen’s recent research in Enterprise Mobility Management provides some interesting insights.

Balancing Employee Choice and Enterprise Risk

Figure 1 breaks down the number of companies that permit employees to use their own smartphones or tablets for business purposes, alongside the number that currently support the capability to remotely lock and wipe mobile devices in the event they are lost or stolen.

One way to view these findings is that the most conservative policies, which support only enterprise-owned devices and do support enterprise remote wipe, sit in the lower-left.

The most liberal policies, such as support for BYOD, with no support for enterprise remote wipe, are in the upper-right.

We can also see that companies supporting the most liberal policies outnumber those supporting the most conservative policies by a factor of three-to-one.

The right to choose comes at a price, as seen in the average percentage of lost or stolen mobile devices in the last 12 months that were not successfully recovered or decommissioned (see Figure 2).

In other words, these lost or stolen devices also meant the loss or exposure of enterprise data, as well as employee personal data.

Based on the 436 respondents in Aberdeen’s analysis, the most liberal policies resulted in nearly four times the frequency of data loss or exposure compared with the most conservative policies.

CIOs can use their own values for the number of mobile devices and estimates for average cost-per-incident to do a quick back-of-the-envelope calculation and to get an idea of an important and potentially overlooked hidden cost of BYOD:

– Establish the number of mobile devices used to access enterprise resources
– Multiply this by the difference between the most liberal and the most conservative policies in terms of devices lost or stolen and not successfully recovered or decommissioned: 9.4 per cent minus 2.5 per cent = 6.9 per cent
– Multiply this figure by the average cost per incident
– The result is the annual exposure attributable to your BYOD policies, relative to the most conservative policies
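The calculation above, as an added example written for this edit rather than code from the article or from Aberdeen. The two default loss rates are the article's figures (9.4 per cent for the most liberal policies, 2.5 per cent for the most conservative); the device count and cost per incident in the usage block are constructed placeholders, and the per-device figure is an addition intended for comparison against the per-device cost of a remote-wipe or MDM control.

```python
# Added example (not from the article): the back-of-the-envelope BYOD
# exposure calculation as a reusable function. The default rates are the
# article's Aberdeen figures; the device count and cost per incident used
# below are constructed placeholders, not survey data.

def byod_exposure(devices, cost_per_incident,
                  liberal_rate=0.094, conservative_rate=0.025):
    """Return annual exposure figures for a fleet of `devices` mobile
    devices that access enterprise resources.

    An 'incident' is a lost or stolen device that was not successfully
    recovered or decommissioned, so the rates are incidents per device
    per year. As in the article, every such device is assumed to mean
    loss or exposure of enterprise data at a flat `cost_per_incident`.
    """
    if devices < 0 or cost_per_incident < 0:
        raise ValueError("devices and cost_per_incident must be non-negative")
    if not (0 <= conservative_rate <= liberal_rate <= 1):
        raise ValueError("rates must satisfy 0 <= conservative <= liberal <= 1")

    incidents_liberal = devices * liberal_rate
    incidents_conservative = devices * conservative_rate
    exposure_liberal = incidents_liberal * cost_per_incident
    exposure_conservative = incidents_conservative * cost_per_incident
    # The article's bottom line: the hidden annual cost of the liberal policy
    # relative to the most conservative one (6.9 per cent of the fleet at the
    # default rates, times the cost per incident).
    delta = exposure_liberal - exposure_conservative

    return {
        "incidents_liberal": incidents_liberal,
        "incidents_conservative": incidents_conservative,
        "exposure_liberal": exposure_liberal,
        "exposure_conservative": exposure_conservative,
        "exposure_delta": delta,
        # Added for practitioners: the annual amount per device that a
        # remote-wipe / MDM control could cost and still break even on this
        # basis alone.
        "per_device_delta": delta / devices if devices else 0.0,
    }


if __name__ == "__main__":
    # Constructed inputs: 1,000 devices and an assumed £5,000 per incident.
    result = byod_exposure(devices=1000, cost_per_incident=5000)
    for key, value in result.items():
        print(f"{key:>24}: {value:,.2f}")
```

The model is deliberately as coarse as the article's: every unrecovered device is treated as a data-exposure incident at a flat cost, and the default rates come from a 2012 survey of 436 respondents. Substitute your own loss rates and a cost-per-incident figure derived from your own incident history or a published breach-cost study before using the output in a budget case.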

Correlation of Policies with Productivity and Satisfaction

At this point, proponents of liberal policies may be thinking that they support BYOD because it makes employees happier and more productive, and that reducing the risk by prohibiting smartphone and tablet use altogether would hurt productivity and drive an employee exodus.

Aberdeen’s data indicate that this isn’t quite true.

As seen in Figures 3 and 4, the most liberal policies correlated with virtually the same employee satisfaction (as measured by annual turnover) as the most conservative policies, and with slightly lower productivity than the most conservative policies.

Reconciling the Findings: Freedoms, Within Boundaries

It turns out that employees are happiest and most productive when they are free to use their own smartphones or tablets to access corporate resources, while the enterprise retains the ability to protect its applications and data should the device be lost or stolen.

In other words, the findings indicate that enterprise end-users are most productive and most satisfied when they have freedoms, within certain boundaries and protections.

Your end-users want the freedoms made possible by current megatrends in mobility and consumerisation, but they also want the protections provided by sound and well-executed corporate policies.

The capability for remote wipe and centralised mobile device management is one such protection.

Innovative solution providers are rapidly introducing alternative approaches, including desktop virtualisation, secure browsing, containerisation and cryptographic wrapping.

They focus on the enterprise exercising greater control over its applications and data rather than on managing an ever-changing mix of mobile devices.

“Trying to transform our tablets and smartphones into BlackBerries and managing them the way we did in the past is simply the wrong strategy for going forward,” noted one UK-based CISO. “As soon as you realise that you’re on insecure networks, you can make policy decisions about what data can be accessed or not accessed. The devices don’t matter.”

Derek Brink is Vice President and Research Fellow, IT Security, Aberdeen Group