January 14, 2014
We predicted that the practice of Bring Your Own Device would remain an insoluble conundrum for many firms throughout the year, and two recent pieces of conflicting advice on the subject make the point for us. On the one hand, the Information Commissioner’s Office (ICO) in the UK has issued fresh guidance to organisations about the possible perils of BYOD and the need to establish formal policies and procedures, including the ability for the firm to wipe ALL data from lost or stolen devices, determine applications and operating systems and decide on what happens to devices at the end of contracts. On the other hand, a Gartner analyst has predicted that the dead hand of organisational control will mean around a fifth of BYOD policies will fail within the next two years, rendering the efforts at control completely counterproductive.
The ICO, a government-created independent authority ‘set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals’, claims that firms and public sector organisations should ensure that staff are made aware of the pitfalls associated with the use of personal devices for work, and the key steps needed to prevent them. These include ensuring devices are secure and have encryption in place and that staff avoid the use of unsecured servers, including cloud storage tools. In addition, there should be a clear end-of-contract policy and the firm should retain an ability to wipe or immobilise lost and stolen devices.
However, a Gartner analyst called Ken Dulaney has predicted that it is exactly this kind of strict control that will undermine the successful implementation of many BYOD programmes. Among a list of predictions, Dulaney claims that as many as a fifth of organisations will cause their own policies to fail by making them too restrictive or demanding. This will be counterproductive because individuals are likely to reject such controls. Dulaney claims that as a result staff will instead demand the ability to “isolate personal content from business content and restrict the ability of the IT organization to access or change personal content and applications”.