Is BYOD Bad for Company Email?

Any gadgetphile would never be without the trusty smart phone and tablet by their side.

This is especially true at work. Their use of gadgets and technology help make them more productive. Using these devices to communicate and multi-task, workers find that without relying on these technology tools they are lost.

Businesses have been quick to embrace the BYOD (Bring Your Own Device) mentality because they see results from it and it doesn’t cost them anything as far as purchases are concerned. The users are bringing devices they bought for their personal use and connecting to existing wireless/cellular infrastructures.

In fact this trend is so popular that many organizations even allow users to connect their personal mobile devices to corporate resources like file sharing and email.

Like most things that seem like a good idea, there are some problems when it comes to security. The main problem is that many email administrators aren’t aware of the problems of mobile endpoint security and allow users to connect to email servers.

What’s the problem with BYOD?

Organizations who allow users to connect to company resources with their own devices typically run into two major problems:

  1. IT staff has to support the endpoint devices that are brought into the infrastructure.
  2. Personal devices are usually not adequately secured.

The first issue can plague email administrators because the number one resource that people want to access with their own equipment is their email. In just over a year, the number of Android phones being used in small to medium sized businesses has grown 7.1 percent, iPhones have increased 3.1 percent and iPad use has grown 1.9 percent.

While IT generally doesn’t service personal technology devices, the configuration of the servers to allow these devices falls into the hands of the email administrator; as does the creation of policies and instructions for connecting these devices.

But quite frankly, in most SMBs the email administrator isn’t going to turn away the guy in the next cubicle who is trying to get their emails on their new iPhone. He or she is going to help get that device connected. But each time one of these devices needs support, time is taken away from other things. In fact, Osterman Research found that it takes an estimated 72 minutes to address endpoint related issues. That is an hour and a quarter that could be used more productively.

Yet while supporting personal devices can be costly and even annoying, they introduce something that is even more troubling to a small business. That issue is lack of security.

Between 2007 and 2012 organizations have noticed a 12 percent increase in email violations as a result of personal devices being used in the workplace.

Most commonly, these violations are coming as malware and phishing attacks. Using an infected device for email communications, or using a device that is not protected by network security resources, makes it very possible for emails containing malware or phishing attacks to be opened by unsuspecting victims.

Not only do these attacks cost money in cleanup and mitigation costs, but an increased focus on spear phishing attacks means that financial loss from theft is a reality for even government and small businesses. In fact, more than a billion dollars was stolen from small to medium sized businesses last year alone, including:

  • $600,000 stolen from the Catholic Diocese of Des Moines
  • $378,000 stolen from the City of Poughkeepsie
  • $447,000 stolen from a construction company in California
  • $78,421 stolen from a law firm in South Carolina
  • $75,000 stolen from an auto part store

These are real cases showing that phishing via mobile devices is a real threat.

What to do?

Like any dilemma involving security, allowing a BYOD environment takes a great deal of balance.

Organizations who allow workers to bring devices into the workplace must make sure that they have network based anti-spam/anti-phishing/anti-malware solutions in place. Relying on desktop security solutions will not work if the device brought from home has no protection.

Written by Jeff Orloff

4 Comments

  1. Ashley · September 25, 2012

    I always believe that there should be a very clear demarcation line between personal and professional life. Thus, there should be a separate phone for personal and work use. It just makes things easy. The only thing to think about is the hassle of balancing two types of phones, but it’s easier for the company to keep track of your use, and you can turn the phone off if you want some personal time. I know the constant worry among companies is the cost, but the employee can just return the phone when he is going to resign and let a new one use it.

  2. Jason Rogers · September 26, 2012

    I remember the hassle when USB devices became hot almost a decade ago and the security risks they posed. With BYOD, USB drama looks like a piece of cake. Mobile devices have become so powerful that if they get in the wrong hands, they can do some very serious damage. I know not many employees will like it, but I will advise to keep the use of own devices outside the office. Work and personal must be really separate fields – when we mix them, this usually spells trouble.

  3. Andrew · September 27, 2012

    I think it is bad to use BYOD for your own company e-mail, because it is just hard to keep track. Plus, it isn’t impossible for employees to abuse it. Worse, some of these employees don’t know how to properly secure their phone, so they end up making their own devices and their emails susceptible to viruses and other compromises into the system. I should know because I have a couple of colleagues who met such an unfortunate circumstance. And they definitely gave our IT a very huge headache. It took them a couple of weeks to settle the problem.

  4. Oliver White · September 27, 2012

    I really don’t think it’s going to be that disastrous if the company opts to tap on its employees’ personal phones for company e-mail. It’s just a matter of proper training, teach them how to fully maximize their phones and protect them as well for potential threats to security. It would also help if the company will provide a sort of allowance or incentive for the employee so he gets to have a very good plan and phone. After all, they get to save money in the long run. But I know some of the people here have a valid point.

Leave A Reply