
Internal Audit, Risk, Business & Technology Consulting

Strategic Bring Your Own Device

Implementing an Effective Program to Create Business Benefits While Reducing Risk


Introduction

Recent forecasts suggest that the global “Bring Your Own Device” (BYOD) market will reach US$266.17 billion in 2019.¹ This is impressive, considering that the basic concept of allowing employees to use their personal computing devices, such as smartphones and tablet PCs, for work is only a few years old. But today, many leading organizations have instituted some type of BYOD program, and have found that doing so can have a positive impact not only on employee productivity and innovation, but also on recruitment and retention.

1 “BYOD & Enterprise Mobility Market Worth $284.70 Billion by 2019,” MarketsandMarkets, June 2014: www.marketsandmarkets.com/PressReleases/byod.asp.

2 The Changing Mobile Landscape in Financial Services, study conducted by the Ponemon Institute for MobileIron, March 2014: www.mobileiron.com/en/whitepaper/changing-mobile-landscape-financial-services.

Potential benefits aside, BYOD presents risks for organizations, including data security and compliance risk. This is particularly worrisome for businesses in heavily regulated industries such as financial services and healthcare, where access to sensitive customer information is part of doing business. Yet too many organizations lack a defined BYOD strategy. A recent study conducted by the Ponemon Institute found that nearly half (45 percent) of financial services firms that have embraced BYOD have instituted a program that is not aligned with IT objectives; more than a third (36 percent) of respondents said they have observed a disconnect between their organization’s mobile strategy and business operations.²

Protiviti’s Point of View

With increasingly more capable and compelling mobile devices, it is inevitable that employees will bring these products to the workplace — and demand that the organization support their use. An effective BYOD program and strategy can help organizations meet the challenges and seize the potential business benefits of BYOD.


Advantages of BYOD

Organizations that have implemented effective BYOD programs report the following key benefits:

Employee satisfaction and retention

BYOD programs can create higher satisfaction among employees because they allow people to work with devices they are most comfortable using and eliminate the need to carry multiple devices. While implementing a BYOD program may not be the most important employee benefit, it can help organizations attract and retain talented professionals looking to work for companies that embrace the latest technology. And being able to appeal to the best talent ultimately enables an organization to foster a more efficient, cohesive and innovative work environment.

Increased productivity and innovation

BYOD programs help support an increasingly mobile workforce, allowing employees to integrate their work and personal lives in a way that is most meaningful to them. From their personal mobile devices, employees have the ability to access their work anytime they choose, from anywhere there is an internet connection. Employees who use their own personal devices for work are generally believed to be more productive and more likely to work outside office hours. Also, because personal devices tend to feature cutting-edge technology, tech-savvy employees are especially well positioned to use their devices as platforms for new solutions and more streamlined operations.

Cost savings

BYOD strategies can also save costs when coupled with the right IT infrastructure and policies. With employees paying for mobile devices and data services, IT is no longer responsible for sourcing and procuring hardware such as smartphones, laptops, tablet computers and even desktops. Additionally, BYOD strategies may eliminate the responsibility for maintaining and refreshing end user devices and managing mobile service plans.


BYOD Challenges

While the advantages of BYOD are appealing, there are challenges for organizations to consider when implementing a BYOD program:

Data Protection

The risk of data loss and data exposure is significantly increased with BYOD. This is because basic security controls may no longer be effective on mobile devices, or consistently implemented across the wide range of device types available to employees. Consequently, protecting sensitive information and preventing data loss becomes more challenging for IT teams.

Well-developed BYOD programs should be based on a clear understanding and an evaluation of potential data loss threats, including:

Lost or stolen personal devices

Some organizations have implemented ways to encrypt data and remotely wipe information from a lost or stolen device. However, pushback from employees who don’t want to give their employer unrestricted access to their devices has prompted companies to take a closer look at options for successfully preventing data loss while also considering employees’ privacy.

Mobile third-party applications

Applications may expose sensitive nonpublic data, presenting yet another challenge for organizations to protect sensitive data. Security experts indicate that such applications could expose client information, corporate contact information, sensitive emails and device locations, among other things.

Unauthorized cloud-based storage services

These services, accessed through mobile platforms, could be another pathway for data leakage. If proper controls to monitor mobile devices and restrict data transmissions are not in place, employees could use these storage services from their personal devices to store company data, putting that data at risk of compromise.

Application Security

With personal devices offering an easy way to bypass the security limits normally imposed on corporate devices, employees are putting a strain on the corporate network and exposing it to additional security risks, including:

Personal applications

Personal applications installed on employees’ devices may contain malicious code or security holes. Malware protection and control over personal devices running different platforms and different software versions are needed.

Corporate applications

Applications developed or deployed by the organization may contain security vulnerabilities and weaknesses that may enable attackers to compromise employees’ personal devices and launch an attack in the corporate IT environment. The risk of application vulnerabilities is increased when devices are owned by employees and remote administrative capabilities are not managed by the IT department. This highlights the need for compartmentalization and protection of sensitive data on employees’ personal devices.


Hidden IT Costs

While an effective BYOD program is mostly viewed as a cost-saving model, financial institutions, healthcare organizations and other businesses should closely evaluate hidden IT costs associated with the management and support of personal devices in a secure environment.

A BYOD environment is almost certain to result in significantly more unpredictability in the hardware and software versions of personal devices. It requires additional IT resources to manage the increased number of personal devices and to accommodate the support of a wide range of device types. The variation in platforms also will complicate the process and add to the cost of wiping personal devices when employees leave the company, or when employees’ devices are lost or stolen.

It is important for organizations to choose the right governance and support models to control these hidden costs prior to implementation. Streamlining the enrollment and deprovisioning processes will help organizations control costs and achieve a more secure BYOD deployment.

Another hidden cost relates to reimbursement of data plans. Organizations may see a significant spike in data usage, especially when rolling out mobile computing options. Setting data usage caps and providing secure and appropriate connectivity options for mobile workers are effective means to control costs.


Finding the Right BYOD Strategy

A comprehensive BYOD program and strategy starts with an assessment of your organization’s unique business needs and current IT infrastructure. IT consulting and internal audit experts can contribute to a successful BYOD strategy through:

• BYOD policy and security gap assessment

• BYOD policy design and implementation

• BYOD security design and implementation

• BYOD vendor evaluation and selection

There is no one-size-fits-all plan for BYOD. There are many considerations, including which approach will work best — and whether CYOD (see sidebar) might be an option for your business. Organizations should adopt BYOD strategies that balance the use of employees’ personal devices with privacy and security requirements — as well as help to promote business agility.

THE CYOD OPTION

CYOD — “Choose Your Own Device” — is an alternative to BYOD that more businesses are considering. In a CYOD program, the employer owns the device as well as the application licenses. Even if an employee leaves, the licenses stay with the company.

Companies that embrace CYOD still need to provide employees up-to-date mobile technology. They also must allow their workers to use their devices for personal reasons, in line with the company’s acceptable use policies, as they would with BYOD.

CYOD is a logical approach for companies that want more control over mobility or are in heavily regulated industries (e.g., financial). Businesses that operate in countries or regions with strict labor and privacy laws and other regulations that impact mobile device usage may find that CYOD is a good option.

THE BENEFITS OF THE CYOD APPROACH INCLUDE:

• Ability to control access/security more effectively

• Potential cost savings through the bulk purchase of devices and/or service contracts of pooled minutes/data

• Reduced reimbursement overhead

• Easier implementation and support


ABOUT PROTIVITI

Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries. 

We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.

HOW PROTIVITI CAN HELP

Protiviti develops thought leadership that is meaningful and directly applicable to our clients. We also seek to make contributions to the industries we serve through active participation in industry groups, and we support research and information-sharing through organizations such as the Open Web Application Security Project (OWASP), Financial Services Information Sharing and Analysis Center (FS-ISAC), Payment Card Industry Security Standards Council (PCI Council), Information Systems Security Association (ISSA), Computer Security Institute (CSI), InfraGard, SANS and ISACA. We are a member of the Shared Assessments Program steering committee, the Board and Advisors Committee for FS-ISAC, and the International Information Integrity Institute (I-4) industry “think tank” focused on information security.

Based on our research and industry participation, it is apparent that there is enormous pressure for financial services IT leaders to “transform” their organizations to become more nimble and adaptive, yet there is also intense pressure to maintain controls and manage costs. Our blend of consulting expertise and deep industry experience uniquely positions us to design and deliver pragmatic, risk-sensitive solutions in response to these challenges. Ultimately, our goal is to help our customers protect and enhance the value of their enterprises in the face of ever-increasing demands.

We have assisted many of the world’s largest financial services organizations in areas including, but not limited to:

• IT strategy and governance

• Enterprise architecture

• Risk and compliance

• Security and privacy

• Service assurance

• Operations improvement

• Data management

• Technology

CONTACTS

Ed [email protected]

Jeffrey Sanchez [email protected]

ACKNOWLEDGMENT

Contributors to this white paper include Katie Stevens.


© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0717-103062 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.

*MEMBER FIRM

THE AMERICAS UNITED STATES

Alexandria

Atlanta

Baltimore

Boston

Charlotte

Chicago

Cincinnati

Cleveland

Dallas

Fort Lauderdale

Houston

Indianapolis

Kansas City

Los Angeles

Milwaukee

Minneapolis

New York

Orlando

Philadelphia

Phoenix

Pittsburgh

Portland

Richmond

Sacramento

Salt Lake City

San Francisco

San Jose

Seattle

Stamford

St. Louis

Tampa

Washington, D.C.

Winchester

Woodbridge

ARGENTINA*

Buenos Aires

BRAZIL*

Rio de Janeiro Sao Paulo

CANADA

Kitchener-Waterloo Toronto

CHILE*

Santiago

MEXICO*

Mexico City

PERU*

Lima

VENEZUELA*

Caracas

EUROPE MIDDLE EAST AFRICA

FRANCE

Paris

GERMANY

Frankfurt

Munich

ITALY

Milan

Rome

Turin

NETHERLANDS

Amsterdam

UNITED KINGDOM

London

BAHRAIN*

Manama

KUWAIT*

Kuwait City

OMAN*

Muscat

QATAR*

Doha

SAUDI ARABIA*

Riyadh

SOUTH AFRICA*

Johannesburg

UNITED ARAB EMIRATES*

Abu Dhabi

Dubai

ASIA-PACIFIC CHINA

Beijing

Hong Kong

Shanghai

Shenzhen

JAPAN

Osaka

Tokyo

SINGAPORE

Singapore

INDIA*

Bangalore

Hyderabad

Kolkata

Mumbai

New Delhi

AUSTRALIA

Brisbane

Canberra

Melbourne

Sydney

© 2015 Protiviti Inc. An Equal Opportunity Employer. M/F/Disability/Vet. PRO-0515