A cloudy BYOD trap
Last week I met clients in the Bay Area and had two very interesting conversations about BYOD (Bring Your Own Device) policies.
In one case, the CIO had been struggling for so long with frequent requests from users to support their devices of choice that he went for a much broader choice of enterprise-provided user devices. His reasoning was that the cost of supporting an increasing variety of user-owned devices and the risks posed by how employees may mismanage the boundary between enterprise and personal use were greater than the cost of providing enterprise devices. He claimed that this helped make employees more conscious of and cautious about the distinction between business and personal use.
In the other case, the CIO told me that there's a proliferation of devices, despite the lack of a formal BYOD policy. When we touched upon one of the typical risks, which is the use of personal clouds (such as Dropbox, iCloud, Google Drive), he told me that one of the personal cloud providers contacted him, providing a list of hundreds of employees in his organisation who had registered for their service (presumably with their business email address). The purpose was clearly to sell the enterprise version, but this raises a very interesting question: to what extent are consumer software providers respecting their users' privacy, and how is our personal data being used in ways that we would not anticipate?
If I were one of the employees using that tool, I would be pissed at the vendor. I may be using the personal cloud for purely personal purposes or to store public data, hence in full compliance with my code of conduct, and yet my employer would have reasons to believe that I am doing something wrong.
This is not new. Every time we visit a web site from our corporate network or give our business email address when registering for a service, we leave a digital trace. We rarely think about what the provider might do with it besides piling on our spam load. However, this example shows that the vendor can simply tell our employer.
BYOD looks like an unstoppable trend, as more and more people look for the convenience of using their own device. However, there are potentially serious implications, ranging from the enterprise erasing a personal device in case it is lost (including all personal data, which is irremediably lost in case we find the device but have missed the last backup), to a vendor airing our possible non-compliance to our employer, to our employer accessing and analysing our personal data.
The irony is that while everybody is worried about the risks of BYOD to the enterprise, the worst risks could be for us.
Andrea Di Maio is a vice president and distinguished analyst in Gartner Research, where he focuses on the public sector, with particular reference to e-government strategies, Web 2.0, the business value of IT, open-source software.