Should CIOs Use a Carrot or a Stick to Rein In BYOD Workers?
- 07 May, 2014 03:58
Like the sword of Damocles, the CIO's hand on the mobile kill switch hangs over employees and their BYOD smartphones and tablets. If employees do not adhere to the company's security policy, then their personally bought phones may suffer a terrible fate. To comply or not to comply, that is the BYOD question.
Conversely, CIOs can lead BYOD employees to greener security pastures by dangling a stipend in front of them -- that is, the promise of a monthly payment that offsets the cost of the phone bill in return for following the company's mobile device policy.
Whether using the stick or the carrot, CIOs must find a way to get BYOD employees to care about security. Mobile security provider AdaptiveMobile surveyed 500 companies (and employees), with 80 percent supporting BYOD, and found that half of all companies experienced a breach within the last 12 months. One company in the study lost $80,000 when its financial database was hacked last year via a mobile device.
A Centrify survey of more than 500 employees at mid-to-large companies showed that 43 percent have accessed sensitive corporate data while on an unsecured public network, 15 percent have had a personal account or password compromised, and 15 percent say they have little or no responsibility to protect data stored on their personal devices.
Why IT Sometimes Goes to Extremes
Some CIOs have taken drastic measures to combat the problem. In the most extreme case, employees can be fired for not complying with BYOD security policies. More than 60 percent of companies in the AdaptiveMobile survey said they have kill-switch and device-lock capabilities that most employees aren't aware of.
Now companies want to bring awareness to the kill switch, in hopes of making employees more responsible when using BYOD, according to the AdaptiveMobile survey.
The smartphone kill switch has been making news lately. Wireless industry group CTIA announced a partnership between major smartphone makers and wireless carriers to enable kill-switch functionality, a measure aimed at thwarting smartphone theft. At the heart of the partnership is a provision that lets the owner remotely render a stolen device inoperable and prevents it from being reactivated (for example, after a factory reset) without the owner's authorization.
Many BYOD policies grant CIOs similar powers, such as locking devices and remotely wiping apps and data. BYOD employees often hand over these rights without thinking. The security policy usually shows up as a wordy single page in small print with a "click to accept terms" button at the bottom, which employees are accustomed to scrolling past and clicking.
"Companies already have more control and visibility than people realize as shown in our research, from monitoring apps installed through to potentially locking or resetting a device," says Gareth Maclachlan, chief commercial officer and co-founder at AdaptiveMobile.
Moreover, companies are becoming more assertive with their security controls. They may be more likely to lock devices if they believe a significant threat is underway, Maclachlan says.
AdaptiveMobile's survey reports that companies lack visibility into eight of the ten threat categories it measured: malware infection, access to inappropriate or harmful sites, installation of unwanted apps, spyware or other espionage apps, use of unapproved file transfer sites, roaming cost overruns, SMS or MMS spam and malware distribution, personal expenditure on data or messaging, compromise or loss of customer data, and spambot or botnet infection.
Is Killing Really the Answer?
Is the threat of a corporate kill switch really the way to enforce BYOD security policies? Not everyone thinks so.
"If company policy, agreed to in writing by the user, allows for the corporate administrator to kill the device when compromise is feared, then the company will own the kill switch," says Jeff Rubin, vice president at Beachhead Solutions. "But obviously this is exactly the type of Big Brother action that inhibits the expansion and use of BYOD, because users may rightly feel that only they should control the fate of their devices."
Rubin says he believes the user should own the hardware kill switch in a BYOD setting, in which case the user will flip the switch and destroy the device only in dire cases. With users in control, of course, the threat that compels them to follow security practices is gone.
Even AdaptiveMobile's survey shows signs that a kill-switch stick might not work. A whopping 67 percent of employees said they would stop using personal devices at work if they knew their employer had a kill switch.
Money Changes Everything
Instead of the stick, CIOs can use a carrot -- in this case, a stipend.
Money talks, and the offer of stipends gets employees' attention, says Josh Bouk, vice president of sales and marketing at Cass's expense management division. Cass helps employees onboard to a BYOD program, serving up a portal for employees to enroll and accept a company's policies, go through an eligibility process and receive an appropriate stipend.
More importantly, Cass serves up a compelling carrot by bypassing expense reports and delivering stipends directly on an employee's phone bill. Cass can also withdraw a stipend quickly if an employee falls out of compliance with the BYOD policy.
Of course, stipends, too, face an uncertain future. BYOD stipends are starting to disappear in areas of the country where jobs are sparse and companies aren't under pressure to provide perks. Some industry watchers predict BYOD stipends will go away completely, much like reimbursements for home WiFi.
Nevertheless, when a stipend is involved, employees are quick to respond to company expectations lest they lose precious dollars. "Employees become more compliant," Bouk says.