It may be hard for some to just say no to the growing Bring Your Own Device (BYOD) crowd, but that was the initial reaction manager of information at certified public accounting firm Burr, Pilger, Mayer Anthony Peters had when senior executives starting purchasing iPhones, asking them to be supported.
But now almost two years later, with a BYOD policy in place, "the demand comes from everyone." Much the same thing is happening all across the country in manufacturing, government, healthcare, high-tech and in law offices as BYOD challenges traditional security and mobile-device management practices.
At Foley & Lardner LLP, the 600 or so attorneys there are offered the option of BYOD on a voluntary basis and with a subsidy to keep it "cost-neutral" to whatever corporate-issued device that BYOD is expected to replace, says Rick Varju, director of engineering and operations there. He says this "whole consumerization of IT craze" basically got rolling because the CIO there got an iPad.
But due to concerns about security and compliance, IT departments are making their own demands on BYOD users often asking them to agree to give IT control over their personal smartphones and tablets. They're requiring them to use corporate-issued management and security software to monitor or remote wipe and sign off to accepted practice in BYOD policies.
John Pironti, president of consulting firm IP Architects, who has advised security association ISACA on BYOD security issues, contends the legal questions are usually harder to answer than the technology ones.
"It's about liability," when it comes to corporate data at risk, Pironti says about BYOD. In some places, BYOD should be rejected because it's too big a risk, or it's deemed a violation of the user's privacy. Either way, he warns, don't think a personally-owned BYOD device won't be subject to regulatory-driven audits just like corporate devices.
At the Burr, Pilger, Mayer firm, it is viewed that BYOD devices have to be audited just like any corporate-issued device would. So employees eager to go BYOD have to agree to use the necessary mobile-device management software and services, which includes Fiberlink MaaS360. They must adhere to specific iOS and Android types -- and definitely not 'jailbreak' their Apple smartphones to disable security (which the firm says it would know immediately if it happened). Each BYOD user also has to sign two policy documents about accepted practices and the company's requirements.
"It states you agree the firm can wipe the device," says Peters, adding the accounting firm also affirms the right to randomly monitor the device. But all these measures don't totally put to rest the uneasy feeling about the invasion of consumer devices into the corporate world.
Sign up for CIO Asia eNewsletters.