For much of the digital age, employees in need of new office technology had little choice: Accept whatever electronics the IT department offered, or do without.
Today, the reality is far different. At many companies, workers bring their own devices from home or they get a stipend to buy what they want. Convenient? Certainly. Employees are happier and more productive, in theory. Meanwhile, IT departments can cut costs by leaving it up to workers to maintain their own technology.
But such “bring your own device” programs, as they are known, also create security risks that, if left unaddressed, raise the potential for company secrets to leak out. To minimize the threat, some companies’ IT departments closely manage employee mobile devices, similar to the way they’ve long controlled company-issue desktop computers in the office. With tools available from companies such as MobileIron, Zenprise, and Mobile Active Defense, they can set the level of access for individual users on the network, block apps that are deemed risky, and remotely erase corporate information from lost devices.
Still, people intent on stealing corporate secrets, particularly insiders, can get around the protections. Security holes are inherent in virtually any workplace technology, and not just smartphones and tablet computers.
James Gordon, vice president of IT for Needham Bank, which serves the Boston suburbs, says he’s satisfied that the benefits of mobile devices far outweigh the risks. His department issues mostly iPhones and iPads to all of its executives, while letting other employees bring their personal devices from home. Needham blocks its employees from downloading apps like Dropbox, a cloud storage service, and from using iCloud, Apple’s (AAPL) storage service. Like many companies, Needham is concerned about employees uploading sensitive files onto another company’s servers.
Additionally, workers can’t use their mobile devices to withdraw or deposit money from corporate accounts. Such transactions can only be done from a desktop computer. “We don’t want people moving money from Peru,” Gordon says.
Bring-your-own-device programs are gaining widespread acceptance in the workplace, according to a survey of more than 2,800 business leaders and workers by the Yankee Group, a technology consulting firm. This year, 60 percent of companies are allowing consumer devices and software, up from 43 percent in 2011, the survey found.
Over the years, IT departments tried to tackle security risks by keeping tight control over the technology employees used. Limiting the choice of mobile phones to Research In Motion’s (RIMM) BlackBerry, in particular, made it easier to ensure they met security standards. But the rise of consumer smartphones and tablets, mainly Apple’s iPhone and iPad, chipped away at the IT department’s dominance. Employees started bringing their own devices to the office without official authorization. Restoring some control became vital.
“You’re mixing corporate and personal information on the same device,” said Carl Howe, an analyst for the Yankee Group. “People make mistakes. They may not use password protection and then leave their phone in a cab.”
Educating employees about the potential dangers of carelessness is one of the first steps many companies take when implementing bring-your-own-device programs. Workers are also often required to sign an agreement that they will always protect their mobile devices with passwords.
Technology can ensure that proper security measures are in place. For example, IT departments can detect whether workers have the latest antivirus software, and, if not, block them from the corporate network. They can also set access so that workers can only see files they need for the job. Settings can vary depending on whether the employee is using a company-owned device or a personally owned one.
Howe says some companies remain cautious about mobile, not so much for fear of their internal documents leaking out, but rather those of business partners that happen to be on their network. Legal liability, as well as losing a major contract over a leak, can cost a company millions of dollars, he says.
To protect their privacy, employees should exercise some caution before agreeing to use their personal devices for work. Knowing how much access employers have to personal data on their devices is important. Tracking the location of devices using GPS can show where an employee is around the clock—a potential point of contention. Workers may also balk at their employer blocking them from downloading certain apps on their personal phone.
“‘You can’t have Twitter, you can’t have Facebook (FB)‘—you may be able to live with that on a corporate device,” said Ojas Rege, vice president of strategy for MobileIron, which helps companies manage mobile security. But “with a personal device, that doesn’t cut it.”
Rege says that ultimately, excessive security undermines the benefits of mobile devices in the workplace. Companies should use a measured and practical approach, he says, or else employees will just consider using their phones and tablets too much of a hassle.
Furthermore, companies need to keep in mind that data leaks happen all the time. Careless employees can talk too loudly in public, for example, or, if they’re more criminally minded, photograph sensitive documents and walk out the door. “You can’t stop a bad employee,” Gordon from Needham Bank says. “You can’t stop someone who is intentionally malicious.”
Kopytoff is a Bloomberg Businessweek contributor in San Francisco.
