The BYOD Security Challenge

The conventional wisdom holds that workers might be more productive if they're using their own smartphones and tablets to access information, communicate with customers and collaborate with co-workers, and as a result, the bring-your-own-device trend is gaining traction.

According to "Mobile Devices in the Enterprise: MDM Usage and Adoption Trends," a research paper by Osterman Research, 32 percent of employees at mid- and large-sized North American organizations used smartphones on the job last year; that number is expected to increase to 41 percent in 2012 and 50 percent by 2013. The research also found that this year, 17 percent of the workforce used an iPad or another tablet computer, and that number is expected to increase to 25 percent by 2013. Separately, according to management consulting firm Janco Associates Inc., more than 90 percent of all corporations will allow BYOD in 2013.

But providing secure environments for consumer mobile devices is proving challenging, as Jeanette Horan, IBM's VP and CIO, described in the May issue of MIT's Technology Review. File-sharing applications, webmail services and using the device as a Wi-Fi hub all create potential vulnerabilities, a situation exacerbated by the rapidly growing number of device manufacturers, models, operating systems and software versions.

To help organizations cope with some of these issues, Janco added a BYOD policy to its CIO Infrastructure Policy bundle, a set of standard procedures CIOs can implement to manage emerging technologies and processes. The policy addresses the issues associated with sensitive data on personal devices, including how they're backed up, secured and, if necessary, destroyed. It also covers what to do with mobile devices when an employee leaves the company, as well as legal issues that arise out of the employer's access to employee data.

The Best Approach

Insurers that do opt for BYOD are approaching it cautiously. Safety Insurance Co., an auto and homeowners insurance provider, limits BYOD access to corporate e-mail. "We do require them to allow us to install a service on their device that will enable us to wipe the e-mail access in the event that their device is lost or stolen," says Steve Varga, senior IT director.

The company also requires that devices be protected by a password or PIN, and it does not provide Wi-Fi access for those devices. "We also utilize mobile device management software that enables us to help secure and manage the devices," he says.

Again, the wide array of devices and the variety of ways they're being used pose a challenge. "Prior to mobility, the challenge was much more simple, with the need to secure devices limited to in-office desktop computers and a limited number of laptop computers," Varga says.

Regardless of policies covering mobile access to corporate networks, it's likely that a growing number of employees are going to want to bring their devices to work, and companies need to be prepared.

The most important thing insurers can do is have and enforce mobility policies, says Chad Hersh, partner at Novarica. They also need to take every precaution to keep devices from becoming security liabilities.

"My iPad is remotely locked up with a password by my corporate IT department," Hersh says. "And should I lose it, they'll wipe out the e-mail and VPN access. Carriers need to recognize that employees will bring and use their own devices one way or another; and supporting those employees is much cheaper than either buying them corporate-owned devices and service, or the fines, reputational damage or other problems caused by a rogue device."

Beyond the multitude of new devices accessing the networks, the networks themselves are straining under the need for bandwidth.

In "Network Barometer Report 2012," Dimension Data evaluates the readiness of enterprise networks to support ongoing business operations and includes findings from nearly 300 technology-lifecycle management assessments at enterprise organizations worldwide. According to the report, within five years, 45 percent of the enterprise networks assessed during 2011 will be obsolete, and therefore more vulnerable to attack. More distressing is that two-thirds of all the devices accessing those networks had one or more known security vulnerabilities. To further complicate security challenges, four of the 10 most common vulnerabilities were new.

For companies that handle financial, personal, medical and other sensitive data, it has gotten to the point that BYOD has come to be considered a high risk, and one that many insurers don't want to take on out of concern that the devices, the data they hold, and the networks they access cannot be effectively secured.

The Unknown

Meadowbrook Insurance Group, a specialty insurer, embraces new technology and has a rigorous evaluation process to ensure each piece offers a clear return on investment and supports corporate as well as IT objectives, explains R. Chris Spring, SVP of business operations.

After much consideration, the insurer determined BYOD wasn't consistent with its IT strategy. Meadowbrook's IT department has spent years standardizing and minimizing its desktop landscape, Spring says, and the company has implemented a program and associated tools to manage security and prohibits personal equipment on the company network.

The biggest concerns for the IT department are the risks associated with zero-day threats and the inability to manage non-company equipment, Spring says.

"BYOD introduces a level of unknown as it relates to virus, malware, botnets, and other security risks and associated protection for the company," Spring says. "We continue to increase our security posture to manage an evolving threat landscape through the adoption of security best practices, education and security assessments that allow us to identify and remediate security risks to the company."

In his research, Andy Kellett, principal security analyst at research and analysis firm Ovum, sees the risks. "The introduction of new devices is causing problems, especially because this is new technology and the security infrastructure required to cope is still very immature."

Too many devices, too little control, and security as an afterthought are the issues, Kellett says. In some organizations, there's not enough consultation with IT before devices are brought into use, and even the mainstream security vendors are still at an early stage when it comes to developing integrated control systems for the various mobile platforms, he adds.

This is worrisome, he explains, because as new generations of mobile devices are used for business applications, data can be lost if the devices aren't managed properly.

"Policies that allow BYOD access to enterprise data open up security and governance needs on the business side of operations at insurers," Kellett says.

In fact, insurers need to be particularly cautious with mobile technologies and especially BYOD because of the sensitivity of the information, says Victor Janulaitis, CEO of Janco Associates, and companies must be diligent about protecting information such as patient records and credit card data.

BYOD can make it more difficult for insurance IT managers to ensure that data is protected because of the growing number of devices and the fact that users need access to a variety of information and applications. Once devices start merging personal information with business records, Janulaitis says, companies face issues such as deciding what data to protect and back up, and what to do when devices are lost or stolen.

The increasing sophistication of mobile devices can make them an even bigger security risk.

"Most newer smart phones can download, store and view, or even edit, files, and can even be used essentially as a flash drive," Hersh says. "This means that if an employee or agent downloads, for example, a hospital report for a personal injury or a workers' compensation claim, onto [his or her] phone from an e-mail attachment, an app, or any other source, that device just became a large potential liability to the insurer (HIPAA violations, privacy lawsuits, etc.)."

If employees download what should be HIPAA-compliant data onto a device and then lose that device, the company could incur fines of up to $1.5 million, Hersh says. Reputational damage and costs can be equally, if not more, severe, Hersh notes. Zurich was recently fined nearly $3 million for data lost on a backup drive that was in transit to the storage facility; the same thing could easily happen with a lost mobile device.

"Data on mobile devices, even BYOD that are not corporate-owned, must be protected and subject to password protection, remote wipe, etc.," Hersh says.

Bob Violino is a business editor and writer based in New York.