Before rushing into allowing employees to do their jobs on their personal devices, organizations need to diligently address the unique risks of that practice, cautioned a report by an international cybersecurity information organization.
When businesses push Bring Your Own Device (BYOD) programs into place too quickly, risk management is often neglected or rushed, leaving organizations with both unknown and unnecessary risks, the Information Security Forum reported on Tuesday.
For organizations to be successful in the era of mobile devices in the workplace, risk management must be the foundation of any BYOD program, the report added.
"The use of personal devices to store and process sensitive information continues to rapidly affect the way we do business," ISF CEO Michael de Crespigny said in a statement.
"At the same time," he said, "it means organizations are easily exposed to new and more complex threats from stolen, lost or destroyed data, malware and other attacks if the device is not securely used and protected."
Personal devices can be challenging for IT departments because they may be used in ways that wouldn't be allowed if the device were owned by the company.
"By putting the right business practices and usage policies in place now, organizations will benefit greatly from the flexibility, increased productivity and reduced costs that mobile devices can bring to today's workplace, while minimizing exposure to potential security risks," de Crespigny said.
IT may be accused of currying favor with users at the expense of risk management, but BYOD is a new world for them, too. "It's a completely new shift in how they have to be thinking about their end users," said Gregg Ostrowski, senior director for enterprise developer and tech partnerships at BlackBerry.
BYOD also opens up issues that require IT planners to reach beyond their bailiwick's walls. "You have to involve human resources and legal in the process," Tenable's CEO, Ron Gula, said in an interview.
"If you're going to put any technology on any device that you don't control, and you don't think you're not going to create some liability for your company, you're wrong," Gula said.
Any BYOD management program, however -- even one weak on risk management -- may be better than no program at all. "There isn't an option for companies not to have a mobile strategy," said Caleb Barlow, an application, data and mobile security director for IBM.
"Not having a mobile strategy just means your information is going to leak out of mobile devices outside your control," Barlow said.
Still, it's estimated that anywhere between 60 and 80 percent of companies have no formal BYOD policy.
"It doesn't matter if it's 60 or 80 -- there's a lot of companies that don't have formal BYOD programs today, yet their employees are using their phones and tablets for work, and the IT department doesn't know it or chooses to ignore it," said Anders Lofgren, director of mobility solutions at Acronis.
"The reality is, if you don't have a program in place, your employees are still going to be using their phones and tablets at work," Lofgren said. "You're just not going to have any insight or visibility into it."
Although the ISF is urging companies not to rush into BYOD, that advice may be difficult to heed. "Companies have had no choice with offering BYOD support or access to their employees," said Skybox Security's Vice President, Michelle Cobb.
"The old IT joke about 'How do you protect your employees from the Internet? Unplug it.' can't be applied here," Cobb told CSOonline. "BYOD offers such value to organizations' and employees' productivity, you can't ignore it."