This story was written by Keith Dawson for UBM DeusM’s community Web site Business Agility, sponsored by IBM. It is archived here for informational purposes only because the Business Agility site is no more. This material is Copyright 2012 by UBM DeusM.

Mobility and the Risks of BYOD

Evidence has been growing that every company needs a BYOD policy; here is some more.

A new survey of mobile consumers and IT leaders worldwide points up some of the concerns lurking in the BYOD trend.

According to the "Trusted Mobility Index" (PDF), a survey conducted by Juniper Networks among more than 4,000 mobile consumers and IT staff in the US, UK, Germany, China, and Japan, use of mobile devices is beyond widespread. Respondents in the survey own an average of three Internet-connected mobile devices -- smartphones, tablets, e-book readers, and portable video-game systems. Eighteen percent of them own five or more.

Of those who identified as business users, a striking 89 percent use their mobile devices to access critical work information. Among the IT leaders responding to the survey, 33 percent feel pressure from senior management to support a BYOD policy, 23 percent feel that pressure from the rank-and-file, and 43 percent say that both groups are agitating for BYOD.

Regardless of whether their company has a BYOD policy, 41 percent of those surveyed say they use their personal devices for work purposes without the company's permission.

The security threats alone from this widespread circumvention are obvious, and IT is aware of them (even if it may be in the dark about the extent of rank-and-file rule-breaking). Of the IT leaders surveyed, 41 percent are concerned about security breaches resulting from lost or stolen devices. Almost as many worry about the difficulty of managing many different types of devices, operating systems, and protocols. Concerns about employees introducing malware into the corporation trouble 32 percent of the IT respondents.

The worries about security are warranted. Worldwide, 30 percent of IT leaders report that their company has already experienced a security threat as a result of personal mobile devices accessing corporate data. In China, that figure is 69 percent.

To me the scariest figure in the survey was the 72 percent of people worldwide who use their mobile devices on open wireless networks -- or who don't know the difference between an open and a secured wireless network. Mash that figure together with the 76 percent who report using mobile devices to access sensitive data, such as online banking or personal medical information, and you've got trouble even before considering the risks to corporate data.

People don't know yet whether they can trust the security of their mobile devices; most (63 percent) have not made up their minds on the question. Just 15 percent have a great deal of confidence in their devices' security, while 18 percent have little or no confidence. And among those who are confident, that confidence may be misplaced: 63 percent trust their service providers to protect their data. The Verizons and AT&Ts of the world do not believe that is their job.

Though the Juniper survey didn't cover it, CIO.com explored the subject of legal risks arising from BYOD policies, both for the corporation and for workers. The upshot is that BYOD policies need to spell out rights and responsibilities for both sides. Employees need to know what fraction of privacy they are giving up for the privilege of mixing business and personal on a single device. The corporation needs to know what it can and cannot do, for instance, with data it discovers while searching an employee device for security purposes.

The upshot of all of this is clear enough. You need a BYOD policy, and you need one that is carefully thought out and crafted, with an eye for the legal corner cases.