If 2013 was the year of BYOD (bring-your-own-device), then 2014 could easily be the year of CYOD.
CYOD (or choose-your-own-device) is a happy medium between corporate-issued desktops and laptops and users working from any device that they want. The basic idea is that an organization chooses upfront which device types they want to support, and makes those device types available to end users. A user is free to choose from any device offered by the organization. That way, the user has more flexibility than they would have had back in the day when corporate-issued laptops were the norm, but the organization does not have the challenges and security risks that are inherent with supporting any device type that an end user happens to want to use.
This trend is being driven by a variety of factors. One of the main factors is support costs. Although the majority of users in BYOD environments choose to use mainstream devices, there are inevitably some who will choose to use something really obscure. The problem with this is that all too often, the helpdesk staff is asked to support end-user devices that they know absolutely nothing about.
In some cases, end-users might even choose devices that are completely incompatible with the corporate network. For example, I recently heard a story of a user who found a first-generation Sony E-Reader at a garage sale and became upset when the helpdesk staff at her company told her that the device lacks the functionality of a modern tablet. In fact, the user even asked the helpdesk staff to upgrade the device to make it more like an iPad. The user simply did not understand that some devices cannot be upgraded, and even if a device can be upgraded there are limits to what can be done with it. She also did not seem to grasp the idea that this was her personal device, and the organization therefore had no obligation to do a hardware upgrade.
Another reason why 2014 will be the year of CYOD is because some organizations have found it difficult to enforce security and usage policies on employee’s personal devices. Although some organizations require employees to consent to the mandatory use of passwords and other security mechanisms, others have not had any luck enforcing basic device level security. Depending upon how the device accesses corporate resources, the lack of security could result in a major security incident if the device were ever lost or stolen.
Of course, the device might not even need to be lost or stolen to cause accidental data disclosure or data loss. Employees (or others in their family) frequently download apps, play games, or even visit potentially malicious websites from devices that are also used for work. I have lost count of the number of times over the years that I have been asked to recover data that someone’s kid accidentally deleted or remove a malware infection that allegedly resulted from a child’s use of the device.
Sometimes non-work related usage of a device can cause other types of problems. I recently heard of a situation in which an employee accessed corporate resources from a personal device that also contained some potentially objectionable content. Even though the device belonged to the end-user, there was concern that because the employee occasionally used the device while in the office, that the device’s content could potentially result in litigation from someone claiming that the device content constituted a hostile or offensive work environment.
If an organization puts a CYOD program in place, there will undoubtedly be initial costs associated with purchasing devices that can be issued to the employees. However, these upfront costs may eventually be offset by lower support costs. Furthermore, because the organization owns the devices, they are free to impose the security policy of their choosing. This should go a long way towards mitigating fears of accidental data disclosure on a lost or stolen devices. Additionally, the organization will be able to put into place acceptable use policies that prevent employees from storing offensive content on devices.