- The rise in IT spending is fueling the increased adoption of the bring-your-own-device (BYOD) culture in the region, and given its inherent advantages for employees and employers, BYOD adoption is bound to grow further in the coming years.
- However, BYOD adoption is accompanied by IT security risks arising out of lack of awareness about device security among employees. The situation is compounded by insufficient network resources and the lack of formal BYOD policies at organizations to manage security risks emanating from use of personal devices on official servers and networks.
- CIOs in the region need to respond by preparing IT networks and formulating a BYOD policies, which are designed to manage this increased demand for BYOD and mobile diversity in the region.
An Employee Engagement Tool or an IT Threat?
- Middle East is among the fastest growing IT markets in the world, with IT spending in the region expected to exceed $32 billion in 2014. As per the latest IT forecast by IDC, spending on IT products and services in the Middle East will increase 7.3% year on year and will cross $32 billion in 2014. Nearly 75% of this expenditure is expected to come from individual customers, the public sector, and the communications and financial services verticals. The key growth driver will be public sector investments in improving government services, education, and healthcare services in the GCC region.
- The rise in IT spending is fueling the increased adoption of the bring-your-own-device (BYOD) culture in the region, as the increased proliferation of smartphones and tablet PCs, as well as increased mobility of workforces is forcing a shift in the way that companies operate on a day-to-day basis. A survey by Aruba Networks found out that employers in the Middle East were more likely to say Yes to BYOD, as compared to companies in other parts of the world. The study found that 70% of EMEA enterprises allowed some form access from personal devices, a figure backed by Cisco’s 2013 Middle East ICT Security which found that almost two-thirds of employees in the region are allowed to use their own devices to access the company server or network.
Percentage of Companies saying Yes to BYOD across Regions
Source: Aruba Networks
- Given its inherent advantages for employees and employers, BYOD adoption is bound to grow further in the coming years. BYOD allows workers to operate on devices that they are comfortable working on, and in some cases from a location of their choice (e.g. home), thus extending flexibility in working environment. Therefore, the BYOD culture benefits employees and bossts their motivation and engagement levels. But its benefits are not limited to employees are alone. Employers too stand to benefit considerably. As per Cisco Consulting Services estimates, the annual cost benefits of BYOD range from $300 to $1,300 per employee, depending on the employee’s job role. In addition, happier and motivated employees have higher productivity, and are more likely to focus on innovation rather than just dealing with daily chores at workplace, thus contributing to the overall growth of the organization.
- However, BYOD adoption is accompanied by IT security risks arising out of lack of awareness about device security among employees. The use of mobile devices like smartphones and tablets is expected to grow over the next few years, as the region is expected to have 850 million mobile users by 2017. And most of these devices will also be used by employees at workplace as BYOD adoption increases – this is corroborated by the Middle East ICT Security Study that found that nearly 64% employees are allowed to use their own devices to access the company server or network. However, 65% of employees their own devices in the workplace currently do not understand the security implications of using personal devices in the workplace, thereby exposing the company server or network to high degree of IT security risk.
- The situation is compounded by insufficient network resources and the lack of formal BYOD policies at organizations to manage security risks emanating from use of personal devices on official servers and networks. As of 2013, only 55% companies in the Middle East have a plan or a formal policy to manage the use of personal devices for work related purposes. As a result, cyber-criminals are increasingly attacking internet infrastructure rather than individual computers or devices, with password and credential theft, infiltrations, and breaching and stealing data. Therefore, it is not surprising that businesses in the Middle East are facing a growing risk of cyber-attacks as per the 2014 IT Security Study in the Middle East.
As per the Aruba Networks survey, the IT security challenge is accompanied by insufficient network resources to support the influx of multimedia-rich devices, as 35% organizations claimed that they did not have enough wireless coverage and capacity for supporting BYOD.
- Overall, the key challenges and concerns highlighted by businesses considering or implementing BYOD in the region are:
- Securely connecting devices (especially mobile) to corporate networks
- Avoiding an increase in IT resources and expenses
- Ensuring wireless coverage and capacity
- Ensuring device security
- Establishing corporate policies and acceptable uses
- Enforcing access rights to resources based on user, device, and app
- CIOs in the region need to respond by preparing IT networks and formulating a BYOD policies, which are designed to manage this increased demand for BYOD and mobile diversity in the region. As a first step, CIOs need to develop IT infrastructure that is capable of supporting a broad array of devices without overburdening their IT staff. With mobile devices leading the BYOD adoption, this would mean increased investment in wireless infrastructure in the coming years. The requisite IT infrastructure development needs to be complemented by developing and implementing organization-wide BYOD strategy and policy. To develop an effective policy, organizations need to define and understand factors such as which devices and operating systems to support, security requirements based on employee role and designation, the level of risk they are willing to tolerate, and employee privacy concerns.
The key characteristics of a good BYOD policy are:
- Balances security requirement vs. employee experience and privacy. It is important to develop policies that have minimal impact on employee’s experience, while maintaining the required security levels. Equally important is defining and communicating the level of vigilance/monitoring that IT department plans to implement to monitor device usage. Given that BYOD is an employee-driven phenomenon, a policy that is too restrictive or invades user privacy might prove counter-intuitive to the whole concept (and related benefits) of BYOD. So mapping the security requirement based on employee role is critical.
- Supports multiple devices and operating systems: It is important for CIOs to factor-in all types of platforms and operating systems used by employees. While iOS is a natural choice due to the high level of in-built security, Windows (phone, PC, tablets) and Android (phone, tablets) have also gained immense popularity and can no longer be overlooked.
- Is flexible (semi-BYOD): for organizations that have high degree of data security risk (e.g. financial services firms), CIOs can opt for semi-BYOD policies which allow their employees to use their own devices so long as they comply to a list of company-approved devices, so that IT departments don’t have sleepless nights over what devices their networks might have to accommodate.
- Most importantly, a good BYOD strategy is focused educating employees about BYOD policies and ensuring compliance to alleviate related risks. It is important for organizations to not just develop such policies, but also provide guidance on ‘Do’s and Don’ts’ and best practices on using personal devices for official purpose. Conducting company-wide roadshows and training/counselling sessions, followed-up by online tests around the company’s BYOD policies is another way to driving home the message of the company’s seriousness about such initiatives and IT security at the same time.
We believe designing and implementing BYOD policies is important not just for organizations that either adopted or are considering BYOD, but for others as well since BYOD adoption is a question of ‘when’ and not ‘if’ for businesses in the region.
The article was originally published at: Arab Business Review
To read more thought-leadership stuff by leaders from Arab Region, please visit Arab Business Review