I was reading Larry Dignan’s ZDNet article (link at the end) on the security implications of Bring Your Own Device (BYOD), and thought I’d take it a bit further. For a while now I’ve been thinking that BYOD has some serious issues in general, and is specifically a symptom of the ongoing war between risk-averse IT and personal productivity in the enterprise.
1. A company still has to provide computing equipment to everybody who doesn’t BYOD.
Lots of people aren’t going to bring their own device, because they don’t have one, or aren’t paid enough to buy one. As such, a company is going to have to provide them one anyhow.
2. Everybody is going to buy all sorts of different equipment, nullifying all standardization.
If you let everybody buy their own equipment, or force them to, everybody is going to buy different stuff. You’ll get every screen resolution imaginable, every hard disk size, every keyboard layout, every network card, every OS. Try having your support staff explain to someone how to connect to the wireless network – there will be 87 different ways to do that. That app window your sales person can’t find? Yeah, it’s because their screen is too small. The list is endless.
And if you try to standardize, what’s the point of BYOD then? Just do it for them. Besides, there’s a comparative advantage in letting an IT staffer do this work. Your sales guys are good at selling, not picking out a new computer. Let someone who is good at picking out computers do that, while the rest of the employees do the jobs they were hired for.
3. All the different equipment is going to have different lifespans and warranties.
A company is going to have to maintain a fleet of loaner devices anyhow, to cover employees for the six weeks it takes for the device to be mailed to the manufacturer for a repair.
4. Your corporate IT staff will now be supporting people’s home computers.
If the device they bring is a mobile one, it’s likely to be their home PC, too. I can just imagine the case of “Farmville doesn’t work right anymore,” though. No matter how dumb that situation seems, it’s important to the user, and you’ll have to deal with it professionally and expediently.
5. Very few people in an enterprise can effectively support their own device.
Enterprises are built on people who might be good at their jobs but whose home computers are infected with spyware, who have 4 toolbars installed in each browser, and who haven’t run Windows Update in years. Why is it a good idea to trust the corporate network to these people?
And, like the other points, if you’re going to manage it for them why even BYOD?
6. There are all manner of security problems with these devices.
Desktop virtualization and other means of smoothing out the differences between devices are still susceptible to problems like keystroke loggers. Knowing how poorly IT staff do with keeping up with patches on servers, and securing sensitive data in general, I’d be very afraid if people were bringing their own devices inside the corporate firewall. It also means that you might not get a chance to remove things from their PC before an employee quits (or loses the device).
7. Who owns the device? If the company gave me money for it does it belong to them? Do I have to give it back when I leave? Can I do whatever I want with it? If it’s mine why can’t I have administrator rights on it? Whose responsibility is it to back it up? What if I want to attach a device to it?
Aside from all those questions, I can see a whole slew of lawsuits over search histories, personal photos, music, etc. I don’t want corporate IT knowing what I’m doing with my PC off-hours. It’s none of their business, but they will make it their business if I bring that PC to work with me, or if they provided the funds or a loan for it.
“I know it’s your laptop, but we noticed that in your search history you viewed pages concerning Chinese human rights violations two nights ago. We can’t have you jeopardizing our relationships with our suppliers – you’re fired.”
8. The whole reason people started the BYOD trend is not because of the device, it’s because of what corporate IT does to devices, making them slow and horrible.
If they’re going to take my awesome i7 laptop, lock me out of it, and turn it into a 486 with their typically horrible enterprise management software, I’d rather they give me one of their own that’s pre-crapified and leave mine alone.
Now that I’ve said all that, I do think devices like iPads and iPhones can really improve productivity for folks, even if it’s just enabling iOS-friendly mail & calendar services. Thing is, you end up having to trust your users at some point, and that’s the tough part for risk-averse organizations. But, if you pick the right users, educate them, and trust them but hold them responsible, they’ll be happier and more productive. This isn’t the first grade, and just because one responsible employee can do something doesn’t mean you have to let everyone else do it. Pick the right people, set some guidelines for security & access, and let them earn your trust.
Seems to me that, overall, BYOD is just a symptom of other problems. I think most companies facing a BYOD situation might try quashing it by showing more concern for the user experience on their corporate desktops and laptops. When is the last time an IT person asked a user what they thought of their desktop? Perhaps it would help to just ask the employee why, exactly, they want to bring their iPad in, and then actually listen to the answer, even if it hurts. To some, BYOD might just mean being able to choose a better email client, play Angry Birds over lunch, or, God forbid, to be able to change their wallpaper.
Users who don’t have to fight their PCs to get work done, and are treated with a little respect and trust, might actually be happier and more productive. I don’t see how that’s a bad thing.
- Bring your own device trend spooks enterprise security folks. – ZDNet
- Bring your own device to work is finally here – Fortune
- Comparative Advantage – Library of Economics and Liberty