BYOD: When Geeks Invade the Workplace
When the iPhone launched in 2007, nearly every rabid geek rushed to get one. And the first thing a true technophile does with a new piece of gear is take it to work to demonstrate his obvious intellectual superiority.
Yes, we live in strange times indeed when waiting in front of a store overnight for a phone makes you cool. However, sooner or later everyone else at work decides they too need a handful of the future and gets an upgraded device. If you’re a typical office worker, the idea of replacing a dark-colored plastic blob with a 256-color screen that did very little (remember the first BlackBerry phones?) with a beautiful touchscreen device that was part phone and part Star Trek Tricorder seemed as irresistible as it was obvious. But if you’re in corporate IT, tasked with supporting mobile users, this is typically seen as the worst thing to happen to civilization since the invention of black powder.
Thus, the inevitable tug of war between employees who want more productive capability and the risk-averse corporate environment tasked with supporting them was clearly underway. This has ultimately led us to the phenomenon known as BYOD (bring your own device).
One side sees no harm in their work product flying all over public channels (“Who would care about our boring five-year business plan?”) and the other is horrified at the thought of a single email about that going-away party for Gary in accounting getting onto a phone unless it passes through three firewalls and a team of lawyers. The two have somewhat mutually exclusive goals at opposite poles of the risk spectrum. This brings us to the central question for any corporate discussion about technology and data security in the workplace: How close can you come to mitigating all security risks to zero without stopping productivity completely or risking a revolt by the users?
From what I can observe in the current marketplace, most companies have chosen to obsess over the risk of data loss while ignoring the risk of untapped productive capacity, while also frustrating the users. By focusing on risks, they’ve lost sight of the potential upside to letting users bring in their own devices. In short, they’ve over-mitigated a threat while under-realizing the business opportunity.
The Fear of Data Loss in a Nutshell
First, let me say some genuine security concerns exist. If you work in a highly secured environment that handles missile launch codes or makes radar jamming technology for submarines, yeah, it’s probably not going to work for you to bring your own smartphone. Even in the private sector there are companies, particularly those working in R&D, that prohibit smartphones because they are an easy vector for data getting outside of corporate control, where it could do enormous financial damage.
However, these environments represent a fraction of the overall market trying to grapple with BYOD. For the overwhelming majority of corporate environments, data security covers the boring basics like emails, work documents, and employee portal or intranet access. Of course, the easiest way to mitigate against these types of risks is a policy that forbids BYOD outright … or so they think. Like everyone else who has worked in a company with policies out of sync with the modern state of technology, I know such a policy stance simply belies reality. Nearly everyone I know uses an online site to place work files into an easily accessible location for later access. Users have decided that dealing with burdensome VPNs (virtual private networks), or remote-desktop viewing is too much work to simply edit a Word document or Excel spreadsheet. In fact, more of the people I collaborate with don’t create much of their work product inside the corporate network. They use Microsoft SkyDrive or Google Docs to create the document and share it inside. This is especially common among the IT crowd that favors quick and light “get it done” solutions with minimal bureaucratic overhead.
The point is sometimes information security is an illusion. Ironclad policies that ignore reality function as a mirage that clouds what is really going on with corporate data and keeps companies from focusing on how to be more flexible with technology to drive more productivity from happier users.
Users Move Faster than IT
In the year 2000, the average cellphone-replacement cycle was 21 months. By the year 2006, it dropped to 18 months, and today it is closer to 16 months. For smartphones, however, it is just 11.5 months! This shortened replacement cycle is particularly prevalent among the crowd at the center of the BYOD movement. Now, contrast that with the average replacement cycle of a PC or work cellphone in corporate America, which is probably closer to three years. If users waited for the typical corporate IT department to upgrade their phone, they might be driving a hover car to work before the new phone shows up.
There are some real issues with supporting BYOD, but it’s easier than ever. There are numerous applications and management products that allow you to propagate security and support policies down to the mobile device. Microsoft Exchange, which nearly all of corporate America uses, allows mobile policies to be pushed down to smartphones, covering things like requiring a PIN for login, data encryption, and remote wiping. Both Android and iOS allow a VPN to be terminated on the device, giving users a secured and authenticated tunnel into the workplace, and malware protection suites are already available to limit malware problems. It’s all doable; it’s just a matter of flexibility, research, and pacifying your legal team.
Researchers at Virginia Tech developed software for Android OS that provides a glimpse of how they can overhaul the technology landscape at work. The software enabled configuration of the phone based on geolocation. While it may seem like a simple security trick, the implications are enormous.
If ever there was a “one ring to rule them all” for technology, it would be a smartphone. Imagine you bring your smartphone to work on the first day at a new job. It isn’t the top-of-the-line model but does have Wi-Fi, Bluetooth, a camera, and NFC (near-field communication). Corporate IT provisions a user account, they point your mobile browser to an internal site (via Wi-Fi) and you log in. With a few clicks, your phone is registered in the system. To open the door to your building, you tap your phone’s NFC chip to the contact plate and it lets you in. The security guard can see your picture on the monitor to confirm it’s really you.
Because your phone knows you’re in the R&D building, the camera has been temporarily disabled, but it’s automatically turned back on when you leave the area. Your phone has been populated with an authentication certificate so you can hop on Wi-Fi without any manual configuration. The corporate directory has already listed the number assigned to your phone’s VoIP client, so calls can be routed to you anywhere you have Wi-Fi access or even forwarded to you via cellular. When you step outside for lunch, a VPN allows you to securely access anything on the secure internal network.
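The location-based behavior in the scenario above (camera disabled inside the R&D building, restored on leaving) can be sketched as a small policy resolver. This is an added example, not the Virginia Tech software or code from this article; the zone names, coordinates, thresholds and the fail-closed rule for stale or missing location fixes are assumptions.

```python
import math
from dataclasses import dataclass
from typing import Optional

EARTH_RADIUS_M = 6_371_000

@dataclass(frozen=True)
class Zone:
    name: str
    lat: float
    lon: float
    radius_m: float
    disabled: frozenset  # device features switched off inside this zone

@dataclass(frozen=True)
class Fix:
    lat: float
    lon: float
    accuracy_m: float  # horizontal error reported with the location fix
    age_s: float       # seconds since the fix was taken

# Constructed sample zones (hypothetical names and coordinates).
ZONES = (
    Zone("rd-building", 37.2300, -80.4200, 60.0, frozenset({"camera"})),
    Zone("campus", 37.2300, -80.4200, 500.0, frozenset()),
)

def distance_m(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points (haversine formula)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dlat, dlon = p2 - p1, math.radians(lon2 - lon1)
    a = math.sin(dlat / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))

def disabled_features(fix: Optional[Fix], zones=ZONES, max_age_s=120.0):
    """Return the set of features that must be off for this location fix."""
    if fix is None or fix.age_s > max_age_s:
        # Fail closed: with no trustworthy location, apply every restriction.
        return frozenset().union(*(z.disabled for z in zones))
    out = set()
    for z in zones:
        # The device may be anywhere within accuracy_m of the fix, so a
        # restricted zone is widened by that margin before testing it.
        if distance_m(fix.lat, fix.lon, z.lat, z.lon) <= z.radius_m + fix.accuracy_m:
            out |= z.disabled
    return frozenset(out)

if __name__ == "__main__":
    print(sorted(disabled_features(Fix(37.2300, -80.4200, 5.0, 10.0))))
```

Widening the zone by the reported accuracy means an imprecise fix near the boundary keeps the camera off rather than on.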
If companies learn to embrace the fast pace of technologically savvy users, realistically addressing security and support concerns, they’ll realize new productive possibilities and have a workplace that is the envy of the business world.
Nick Nero is a lifelong geek and technologist. He worked in technology leadership positions at The Walt Disney Co. for nearly a decade and is now a technology strategy consultant. He can be reached at