Should CIOs Use a Carrot or a Stick to Rein In BYOD Workers?

Like the sword of Damocles, the CIO's hand on the mobile kill switch hangs over employees and their BYOD smartphones and tablets. If employees do not adhere to the company's security policy, then their personally bought phones may suffer a terrible fate. To comply or not to comply, that is the BYOD question.

Conversely, CIOs can lead BYOD employees to greener security pastures by dangling a stipend in front of them -- that is, the promise of a monthly payment that offsets the cost of the phone bill in return for following the company's mobile device policy.

Whether using the stick or the carrot, CIOs must find a way to get BYOD employees to care about security. Mobile security provider AdaptiveMobile surveyed 500 companies (and employees), with 80 percent supporting BYOD, and found that half of all companies experienced a breach within the last 12 months. One company in the study lost $80,000 when its financial database was hacked last year via a mobile device.

A Centrify survey of more than 500 employees at mid-to-large companies showed that 43 percent have accessed sensitive corporate data while on an unsecured public network, 15 percent have had their personal account or password compromised, and 15 percent say they have no to minimal responsibility to protect data stored on their personal devices.

Why IT Sometimes Goes to Extremes

Some CIOs have taken drastic measures to combat the problem. In an extreme case, employees can be fired for not complying with BYOD security policies. More than 60 percent of companies in the AdaptiveMobile survey said they have kill switch and lock device capabilities that most employees aren't aware of.

Now companies want to bring awareness to the kill switch, in hopes of making employees more responsible when using BYOD, according to the AdaptiveMobile survey.

The smartphone kill switch is making news lately. Wireless industry group CTIA announced a partnership between major smartphone makers and wireless carriers to enable kill-switch functionality, a measure aimed at thwarting smartphone theft. At the heart of the partnership, a provision blocks factory reset capabilities and makes stolen devices useless after a certain number of failed password attempts.

Many BYOD policies grant CIOs similar powers, such as locking devices and remotely wiping apps and data. BYOD employees often mindlessly hand over these rights. The security policy usually shows up as a wordy single page in small print with a "click to accept terms" button at the bottom, which employees online are accustomed to scrolling down to and clicking.

"Companies already have more control and visibility than people realize as shown in our research, from monitoring apps installed through to potentially locking or resetting a device," says Gareth Maclachlan, chief commercial officer and co-founder at AdaptiveMobile.

Moreover, companies are becoming more assertive with their security controls. They may be more likely to lock devices if they believe a significant threat is underway, Maclachlan says.

AdaptiveMobile's survey reports that companies are unable to see eight out of 10 security threats: malware infection, access to inappropriate or harmful sites, installation of unwanted apps, existence of spyware or other espionage apps, use of unapproved file transfer sites, protection against roaming costs, SMS or MMS spam and malware distribution, personal expenditure on data or messaging, compromise or loss of customer data, and spambot or botnet infection.

Is Killing Really the Answer?

Is the threat of a corporate kill switch really the way to enforce BYOD security policies? Not everyone thinks so.

"If company policy, agreed to in writing by the user, allows for the corporate administrator to kill the device when compromise is feared, then the company will own the kill switch," says Jeff Rubin, vice president at Beachhead Solutions. "But obviously this is exactly the type of Big Brother action that inhibits the expansion and use of BYOD, because users may rightly feel that only they should control the fate of their devices."

Rubin says he believes the user should own the hardware kill switch in a BYOD setting, in which case the user will flip the switch and destroy the device only in dire cases. With users in control, of course, the threat that pushes them to follow security practices is gone.

Even AdaptiveMobile's survey shows signs that a kill-switch stick might not work. A whopping 67 percent of employees said they would stop using personal devices at work if they knew their employer had a kill switch.

Money Changes Everything

Instead of the stick, CIOs can use a carrot -- in this case, a stipend.

Money talks, and the offer of stipends gets employees' attention, says Josh Bouk, vice president of sales and marketing at Cass's expense management division. Cass helps employees onboard to a BYOD program, serving up a portal for employees to enroll and accept a company's policies, go through an eligibility process and receive an appropriate stipend.

More importantly, Cass serves up a compelling carrot by bypassing expense reports and delivering stipends directly on an employee's phone bill. Cass can also withdraw a stipend quickly if an employee falls out of compliance with the BYOD policy.

Of course, stipends, too, face an uncertain future. BYOD stipends are starting to disappear in areas of the country where jobs are sparse and companies aren't under pressure to provide perks. Some industry watchers predict BYOD stipends will go away completely, much like reimbursements for home WiFi.

Nevertheless, when a stipend is involved, employees are quick to respond to company expectations lest they lose precious dollars. "Employees become more compliant," Bouk says.

Stories by Tom Kaneshige
