That BYOD Sweet Spot

There comes a moment in many business practices when something that lots of people were doing anyway becomes sufficiently widespread that it is suddenly christened. If that practice is particularly unremarkable, the choice for naming it is either to come up with something cool-sounding that will itself require explanation - I can recall my disappointment at discovering what 'negative-gearing' really meant - or to burden it with an acronym. The goal, in each case, is to pretend that a practice that has been going on for years is thrillingly new, and that it therefore deserves commentary, analysis, and strenuously-wrought policy.

Fitting this trend perfectly is BYOD. It sounds snazzy, and everyone is suddenly talking about it, even though it just means bringing your own phone or computer to work. BYOD stands for Bring Your Own Device, and was therefore crying out for an acronym as much as, say, Pretending Stuff is a Big Deal (PSBD). In fact, I am typing this on my own laptop, at work, and am therefore part of the groundswell for this new movement. It's strange, but I don't feel cutting edge.

Since lots of people are now talking about BYOD, it was inevitable that opinion would divide sharply. Here's a pronouncement that BYOD as a practice is fated to pass. Meanwhile, this article declares BYOD to be 'unstoppable'. Both appeared within the last four days. There's no denying this is a hot topic.

Its heat derives from the inherent security risks involved. Allowing employees to bring their own devices (and use them, which is the real issue) means that company data is inevitably being accessed by devices that the company has limited control over. Depending on the device, and on the company, there are any number of possible solutions, although some are so draconian they might as well just ban the devices. The issue with all of them is that they seem to become unworkable for larger companies, particularly when we move into enterprise-class organisations. The potential security risks are just too great, and addressing them requires ever greater management and manpower.

One of the toughest suggestions I've seen is that employees should be forbidden from downloading apps from iTunes or the Android Market (Google Play) on their own phones. If the idea is to be able to bring your own device - the very essence of BYOD - then how can you stop someone downloading whatever app they want? In what sense is it truly their device? A smartphone upon which you can only install business apps authorised by your employer - well, that sounds just like a business phone that your employer has gotten you to pay for. This is the rival complaint sometimes levelled at BYOD, this time by the 'bringers'. When an employee is obliged to bring their own device, but is then severely limited in their freedom to use that device even outside of office hours, it can just seem like a cynical ploy by business to shift the mobility cost on to the employee.

The most commonly-voiced solution is for organisations to build their own secure apps that employees use to access company data. The issue with this is that building apps is not that easy - in fact, it's incredibly easy to build an app with more security flaws than you're trying to close. The other issue is that it is expensive, and time-consuming.

There seems to be an impasse here. It's reasonable for a business to want to protect their data. It's reasonable for a person to feel like they can use their own phone how they want to. Using your phone however you want to - such as accessing iTunes - compromises business data, through the potential for malicious apps to be installed. As far as I can see, no one has yet come up with a way of reconciling BYOD to a large corporate environment. The most effective security provisions require specific configuration of each specific user-brought machine, whether it is a smartphone or a tablet or a laptop. However, the larger the organisation, the less reasonable this undertaking would be. The key to a mobile workforce is mobility, and having your IT department chase these users around to regularly reconfigure each device can be a nightmare.

This is not really an issue for smaller businesses. For starters, being small they don't have that much sensitive business data, and are rarely targeted for corporate espionage. Secondly, due to their size it is far more likely that all users know each other, and that every device can be assessed on a case-by-case basis. It has been overwhelmingly my experience that BYOD is most effective in the SME environment.