Internal Audit, Risk, Business & Technology Consulting
Strategic Bring Your Own Device
Implementing an Effective Program to Create Business Benefits While Reducing Risk
Strategic Bring Your Own Device · protiviti.com
Introduction
Recent forecasts suggest that the global
“Bring Your Own Device” (BYOD) market
will reach US$266.17 billion in 2019.1 This
is impressive, considering that the basic
concept of allowing employees to use
their personal computing devices, such as
smartphones and tablet PCs, for work is
only a few years old. But today, many leading
organizations have instituted some type of
BYOD program, and have found that doing
so can have a positive impact not only on
employee productivity and innovation, but
also on recruitment and retention.
Potential benefits aside, BYOD presents risks for
organizations, including data security and compliance
risk. This is particularly worrisome for businesses in
heavily regulated industries such as financial services
and healthcare, where access to sensitive customer
information is part of doing business. Yet too many
organizations lack a defined BYOD strategy. A recent
study conducted by the Ponemon Institute found that
nearly half (45 percent) of financial services firms that
have embraced BYOD have instituted a program that
is not aligned with IT objectives; more than a third
(36 percent) of respondents said they have observed
a disconnect between their organization’s mobile
strategy and business operations.2
1 “BYOD & Enterprise Mobility Market Worth $284.70 Billion by 2019,” MarketsandMarkets, June 2014: www.marketsandmarkets.com/PressReleases/byod.asp.
2 The Changing Mobile Landscape in Financial Services, study conducted by the Ponemon Institute for MobileIron, March 2014: www.mobileiron.com/en/whitepaper/changing-mobile-landscape-financial-services.
Protiviti’s Point of View
With mobile devices becoming increasingly capable
and compelling, it is inevitable that employees will
bring these products to the workplace and demand
that the organization support their use. An effective
BYOD program and strategy can help organizations
meet the challenges and seize the potential business
benefits of BYOD.
Advantages of BYOD
Organizations that have implemented effective BYOD
programs report the following key benefits:
Employee satisfaction and retention
BYOD programs can create higher satisfaction
among employees because they allow people to work
with devices they are most comfortable using and
eliminate the need to carry multiple devices. While
implementing a BYOD program may not be the most
important employee benefit, it can help organizations
attract and retain talented professionals looking to
work for companies that embrace the latest technology.
And being able to appeal to the best talent ultimately
enables an organization to foster a more efficient,
cohesive and innovative work environment.
Increased productivity and innovation
BYOD programs help support an increasingly mobile
workforce, allowing employees to integrate their work
and personal lives in a way that is most meaningful to
them. From their personal mobile devices, employees
have the ability to access their work anytime they
choose, from anywhere there is an internet connection.
Employees who use their own personal devices for
work are generally believed to be more productive
and more likely to work outside office hours. Also,
because personal devices tend to feature cutting-edge
technology, tech-savvy employees are especially well
positioned to use their devices as platforms for new
solutions and more streamlined operations.
Cost savings
BYOD strategies can also save costs when coupled with
the right IT infrastructure and policies. With employees
paying for mobile devices and data services, IT is no
longer responsible for sourcing and procuring hardware
such as smartphones, laptops, tablet computers and
even desktops. Additionally, BYOD strategies may
eliminate the responsibility for maintaining and
refreshing end user devices and managing mobile
service plans.
BYOD Challenges
While the advantages of BYOD are appealing, there
are challenges for organizations to consider when
implementing a BYOD program:
Data Protection
The risk of data loss and data exposure is significantly
increased with BYOD. This is because basic security
controls may no longer be effective on mobile devices,
or consistently implemented across the wide range of
device types available to employees. Consequently,
protecting sensitive information and preventing data
loss becomes more challenging for IT teams.
Well-developed BYOD programs should be based on a
clear understanding and an evaluation of potential data
loss threats, including:
Lost or stolen personal devices
Some organizations have implemented ways to encrypt
data and remotely wipe information from a lost or
stolen device. However, pushback from employees who
don’t want to give their employer unrestricted access to
their devices has prompted companies to take a closer
look at options for successfully preventing data loss
while also considering employees’ privacy.
Mobile third-party applications
Applications may expose sensitive nonpublic data,
making it yet more challenging for organizations to
protect that data. Security experts indicate that
such applications could expose client information,
corporate contact information, sensitive emails and
device locations, among other things.
Unauthorized cloud-based storage services
These services, accessed through mobile platforms, could
be another pathway for data leakage. If proper controls to
monitor mobile devices and restrict data transmissions
are not in place, employees could use these storage
services from their personal devices to store company
data, putting that data at risk of compromise.
Application Security
With personal devices offering an easy way to
bypass the security limits normally imposed on
corporate devices, employees are putting a strain on
the corporate network and exposing it to additional
security risks, including:
Personal applications
Personal applications installed on employees’ devices
may contain malicious code or security holes. Malware
protection and control over personal devices running
different platforms and different software versions
are needed.
Corporate applications
Applications developed or deployed by the organization
may contain security vulnerabilities and weaknesses
that may enable attackers to compromise employees’
personal devices and launch an attack in the corporate
IT environment. The risk of application vulnerabilities
is increased when devices are owned by employees and
remote administrative capabilities are not managed
by the IT department. This highlights the need for
compartmentalization and protection of sensitive data
on employees’ personal devices.
Hidden IT Costs
While an effective BYOD program is mostly viewed as
a cost-saving model, financial institutions, healthcare
organizations and other businesses should closely
evaluate hidden IT costs associated with the management
and support of personal devices in a secure environment.
A BYOD environment is almost certain to result in
significantly more unpredictability in the hardware
and software versions of personal devices. It requires
additional IT resources to manage the increased number
of personal devices and to accommodate the support of
a wide range of device types. The variation in platforms
also will complicate the process and add to the cost
of wiping personal devices when employees leave the
company, or when employees’ devices are lost or stolen.
It is important for organizations to choose the right
governance and support models to control these
hidden costs prior to implementation. Streamlining
the enrollment and deprovisioning processes will help
organizations control costs and achieve a more secure
BYOD deployment.
Another hidden cost relates to reimbursement of data
plans. Organizations may see a significant spike in data
usage, especially when rolling out mobile computing
options. Setting data usage caps and providing secure
and appropriate connectivity options for mobile
workers are effective means to control costs.
Finding the Right BYOD Strategy
A comprehensive BYOD program and strategy starts
with an assessment of your organization’s unique
business needs and current IT infrastructure. IT
consulting and internal audit experts can contribute
to a successful BYOD strategy through:
• BYOD policy and security gap assessment
• BYOD policy design and implementation
• BYOD security design and implementation
• BYOD vendor evaluation and selection
There is no one-size-fits-all plan for BYOD. There
are many considerations, including which approach
will work best — and whether CYOD (see sidebar)
might be an option for your business. Organizations
should adopt BYOD strategies that balance the use
of employees’ personal devices with privacy and
security requirements — as well as help to promote
business agility.
THE CYOD OPTION
CYOD — “Choose Your Own Device” — is an alternative
to BYOD that more businesses are considering. In a
CYOD program, the employer owns the device as well
as the application licenses. Even if an employee leaves,
the licenses stay with the company.
Companies that embrace CYOD still need to provide
employees up-to-date mobile technology. They
also must allow their workers to use their devices
for personal reasons, in line with the company’s
acceptable use policies, as they would with BYOD.
CYOD is a logical approach for companies that want
more control over mobility or are in heavily regulated
industries (e.g., financial). Businesses that operate in
countries or regions with strict labor and privacy laws
and other regulations that impact mobile device usage
may find that CYOD is a good option.
THE BENEFITS OF THE CYOD APPROACH INCLUDE:
• Ability to control access/security more effectively
• Potential cost savings through the bulk purchase of devices and/or service contracts of pooled minutes/data
• Reduced reimbursement overhead
• Easier implementation and support
ABOUT PROTIVITI
Protiviti is a global consulting firm that delivers deep expertise, objective insights, a tailored approach and unparalleled collaboration to help leaders confidently face the future. Protiviti and our independently owned Member Firms provide consulting solutions in finance, technology, operations, data, analytics, governance, risk and internal audit to our clients through our network of more than 70 offices in over 20 countries.
We have served more than 60 percent of Fortune 1000® and 35 percent of Fortune Global 500® companies. We also work with smaller, growing companies, including those looking to go public, as well as with government agencies. Protiviti is a wholly owned subsidiary of Robert Half (NYSE: RHI). Founded in 1948, Robert Half is a member of the S&P 500 index.
HOW PROTIVITI CAN HELP
Protiviti develops thought leadership that is meaningful and directly applicable to our clients. We also seek to make contributions to the industries we serve through active participation in industry groups, and we support research and information-sharing through organizations such as the Open Web Application Security Project (OWASP), Financial Services Information Sharing and Analysis Center (FS-ISAC), Payment Card Industry Security Standards Council (PCI Council), Information Systems Security Association (ISSA), Computer Security Institute (CSI), InfraGard, SANS and ISACA. We are a member of the Shared Assessments Program steering committee, the Board and Advisors Committee for FS-ISAC, and the International Information Integrity Institute (I-4) industry “think tank” focused on information security.
Based on our research and industry participation, it is apparent that there is enormous pressure for financial services IT leaders to “transform” their organizations to become more nimble and adaptive, yet there is also intense pressure to maintain controls and manage costs. Our blend of consulting expertise and deep industry experience uniquely positions us to design and deliver pragmatic, risk-sensitive solutions in response to these challenges. Ultimately, our goal is to help our customers protect and enhance the value of their enterprises in the face of ever-increasing demands.
We have assisted many of the world’s largest financial services organizations in areas including, but not limited to:
• IT strategy and governance
• Enterprise architecture
• Risk and compliance
• Security and privacy
• Service assurance
• Operations improvement
• Data management
• Technology
CONTACTS
Jeffrey Sanchez
ACKNOWLEDGMENT
Contributors to this white paper include Katie Stevens.
© 2017 Protiviti Inc. An Equal Opportunity Employer M/F/Disability/Veterans. PRO-0717-103062 Protiviti is not licensed or registered as a public accounting firm and does not issue opinions on financial statements or offer attestation services.
*MEMBER FIRM
THE AMERICAS
UNITED STATES
Alexandria
Atlanta
Baltimore
Boston
Charlotte
Chicago
Cincinnati
Cleveland
Dallas
Fort Lauderdale
Houston
Indianapolis
Kansas City
Los Angeles
Milwaukee
Minneapolis
New York
Orlando
Philadelphia
Phoenix
Pittsburgh
Portland
Richmond
Sacramento
Salt Lake City
San Francisco
San Jose
Seattle
Stamford
St. Louis
Tampa
Washington, D.C.
Winchester
Woodbridge
ARGENTINA*
Buenos Aires
BRAZIL*
Rio de Janeiro
Sao Paulo
CANADA
Kitchener-Waterloo
Toronto
CHILE*
Santiago
MEXICO*
Mexico City
PERU*
Lima
VENEZUELA*
Caracas
EUROPE MIDDLE EAST AFRICA
FRANCE
Paris
GERMANY
Frankfurt
Munich
ITALY
Milan
Rome
Turin
NETHERLANDS
Amsterdam
UNITED KINGDOM
London
BAHRAIN*
Manama
KUWAIT*
Kuwait City
OMAN*
Muscat
QATAR*
Doha
SAUDI ARABIA*
Riyadh
SOUTH AFRICA*
Johannesburg
UNITED ARAB EMIRATES*
Abu Dhabi
Dubai
ASIA-PACIFIC
CHINA
Beijing
Hong Kong
Shanghai
Shenzhen
JAPAN
Osaka
Tokyo
SINGAPORE
Singapore
INDIA*
Bangalore
Hyderabad
Kolkata
Mumbai
New Delhi
AUSTRALIA
Brisbane
Canberra
Melbourne
Sydney
© 2015 Protiviti Inc. An Equal Opportunity Employer. M/F/Disability/Vet. PRO-0515