More and more workers around the world are bringing their personal mobile devices to the office daily, and companies appear to be having trouble keeping up with the trend.
About 60 percent of organizations acknowledged they either don't have a policy that specifies how employees may use their own devices in the workplace (41 percent) or are just planning to write such a policy, a study released on Wednesday from Acronis and the Ponemon Institute has found.
"Even though we're still in the early stages of BYOD [Bring Your Own Device], companies are playing catch-up to where their users are," Anders Lofgren, director of Mobility Solutions for Acronis, told CSOonline.
Even as recently as three years ago, IT departments had an iron grip on the endpoints to their networks. "They could secure and provision a fixed device that was procured by the enterprise," said Ben Gibson, chief marketing officer for Aruba Networks.
Now IT has to deal with many devices being brought to work by employees. "Enterprises and IT organizations are in the process of catching up with this trend," Gibson said.
Slow adoption of BYOD policies by companies could be a sign of denial, said Steve Martino, vice president of information security and acting CISO of Cisco. "If a company doesn't have a BYOD policy, it's because they're trying to pretend this isn't happening in their organization," he said in an interview. "They think that if they don't have a policy, BYOD isn't happening in their organization."
Of the companies with BYOD policies, almost three quarters of them imposed highly restrictive policies on their workers by either requiring personal devices to be approved by the company before being allowed to access the firm's networks (43 percent) or banning personal devices from company nets (31 percent).
Those numbers could be misleading because there are industries where launching BYOD programs is severely limited, such as banking, pharmaceuticals, health care and defense. "But those barriers are breaking down," Acronis's Lofgren said.
[Joan Goodchild in Leading Edge: Should security be responsible for BYOD policy?]
While it may be necessary to restrict BYOD in some industries dealing with highly sensitive data, it isn't necessary for most rank-and-file office workers, said Cisco's Martino.
"For the basic white collar productivity worker, companies can see real benefits from a BYOD program," Martino said. "By forbidding BYOD, you encourage people to work around the policy."
"Then, because you have controls that say you can't use it, you think you're protecting your data," he said. "When actually you're limiting your effectiveness to identify and control security incidents when they happen."
"Forbidding BYOD is more trouble than having a controlled policy to adopt it," Martino said.
Cross-country attitudes could also be affecting a company's ability launch full bore BYOD programs. "Some countries have strict cultural policies about whether you can bring a personal device to work or not," Aruba's Gibson said.
Nevertheless, it will be increasingly difficult for any organization anywhere in the world to ignore BYOD. "I believe all industries will be moving toward BYOD because the consumerization of IT trend is one that will become prevalent," Gibson maintained.
Nearly three-quarters of the companies with BYOD policies (73 percent) told surveyors that they applied their BYOD policies equally to everyone, although about a quarter of the businesses said they made exceptions to their policies for executives and privileged users.
Of the more than 4,300 IT practitioners participating in the survey, more than three quarters (77 percent) said their organizations had not trained their employees to understand BYOD privacy risks.
"What might happen is an employee may try to access their files with their smartphone or tablet and use unauthorized methods to do that," Lofgren said.
"That will expose some of these organizations to risk, whether they know it or not," he said.