Can employee-owned devices save companies money?

The costs of a 'bring your own device' (BYOD) enterprise deployment can be tricky to figure

The "bring your own device" (BYOD) phenomenon is sweeping through the enterprise, and businesses such as Chicago-based design firm Holly Hunt have embraced it with gusto, offering stipends to employees to use their own mobile devices for work.

"We said, let's make this an employee benefit. If you are in a role where we issued you a corporate BlackBerry, you can if you want turn that in and carry your own device -- and you'll receive a stipend," says Neil Goodrich, director of business analytics and technology at Holly Hunt, which has upscale furniture showrooms across the country as well as manufacturing and warehouse locations.

SECURITY MINEFIELD: BYOD will bedevil IT security in 2012

BYOD: There is no stopping employees' devices on your network

The company does require employees choosing the BYOD option to sign an agreement "that says we are allowed to reach into the device," says Goodrich, doing this with mobile management software from BoxTone that's loaded up on employee-owned BYOD smartphones and tablets. Goodrich also says he likes BoxTone because it has an integrated dashboard that can combine information related to the BlackBerry Enterprise Server and the BYOD employee devices.

Several Holly Hunt employees have given up their BlackBerries in favor of personal devices, and Goodrich says the stipend, which ranges between $60 to $75 each month for employees, has so far ended up looking like a 5% reduction in cellular costs for the company.

The firm is hardly alone in embracing BYOD; a survey of 688 information and security managers done by Ponemon Institute recently found 17% of the respondents said more than 75% of the organization's employees use their personal devices in the workplace. Another 20% said more than half did. A quarter of the respondent use some kind of mobile-device management (MDM) today.

Holly Hunt requires the MDM software it selected to be installed on the employee-owned devices, and some analysts strongly support that be done especially before hooking up BYOD smartphones and tablets to corporate email, if not sooner.

Aberdeen Group analyst Andrew Borg says basic MDM controls, include device lock and wipe and adding encryption, are also going to be a requirement for some organizations. And Borg discourages a BYOD approach that would let employees select just any smartphone or tablet.

"Never say 'all,' never say 'anything goes,'" he warns. Drawing up a list of specific models of Android and Apple smartphones and tablets allowed for BYOD will go a long way in holding down costs in time and maintenance, says Borg, since IT departments will be supporting MDM software and setting security and management policies.

In its research, Aberdeen has also found that the costs related to BYOD devices, stipends and telecom are more complex than what they may seem to be at first glance.

Aberdeen found that the cost to a company from the carrier, such as AT&T, Sprint or Verizon, averages $70 per user per month for BYOD launches, while more traditional corporate enterprise deployments average $80 per user per month in direct costs, says Aberdeen analyst Hyoun Park. "At first glance, this looks like a clear win for the BYOD approach," says Park. "However, this ignores two key points."

First, he says, enterprise deployments can be highly optimized through rate plans, contract negotiations and ongoing cost management practices associated with best-in-class wireless expense management. "Aberdeen finds that these practices typically result in over 25% savings and many of these practices cannot be performed in a direct fashion through BYOD deployments," Park claims.

"Second, there is typically a high degree of overhead associated with compensating BYOD users," says Park, noting the majority of BYOD users are reimbursed through monthly expense reports. Aberdeen research shows that the average total cost associated with processing an expense report is $29, making the average total cost per month $99. However, because this management cost is typically hidden to the enterprise, it is typically not considered in context of the total cost of BYOD, Park points out. "In contrast, the total cost of expense management for a formally managed enterprise mobile device is typically around $5 per month," he notes, for a total corporate average of $85 for non-BYOD.

"There's no vendor in the telecom management expense management space that has come up with an elegant approach to aggregate BYOD billing," Borg adds. "Bills are getting disaggregated because of BYOD," he says. Consequently, businesses embracing BYOD may be giving up the ability to aggregate the bills.

For these reasons, though it may seem that costs have shifted to the employee, the opposite may be occurring as operational costs are actually going up because of BYOD.

BYOD is here to stay

However, it's unlikely that BYOD is a passing phenomenon. Borg notes that while it may be seen as a disruptive change, driven by the employee enthusiasm for new technologies, it can be utilized effectively through clear planning.

But more challenges appear to arise from the "dual-use" device that BYOD engenders as one employee-owned mobile smartphone or tablet is carried for both business and personal communication. For one, how will business and personal apps be differentiated; how will sensitive business data be cordoned off from personal use?

Newer mobile virtualization approaches put forward by VMware and Citrix, though not yet widely deployed, will be among possibilities that businesses examine to create "dual-use" mobile devices. But other choices are also there to be explored.

One of them is Mocana Corp.'s Mobile App Protection, available for Android now and Apple iOS in a few months, which takes mobile apps and wraps a security compartment around each designated app. This means specific apps and their data can be encrypted, or several other securities policies applied for each app, such as requiring storing passwords or blocking cutting and pasting data, says Kurt Stammberger, Mocana's vice president of marketing development.

Mocana's approach is being put forward to tackle the BYOD security problem and it does compete with ideas put forward by the big virtualization vendors. "We believe that using a sandbox or virtual machine is a clumsy way of doing this," says Stammberger. "This is a lot more transparent."

The Mocana Mobile App Protection is still in its early days, too, being trialed by enterprises such as banks that aren't being disclosed. Mocana's business strategy calls for selling in an OEM capacity its Mobile App Protection to existing MDM software vendors, with BoxTone, Mobiquity and MFormation Technologies and systems integrators such as CACI among them. The first version of Mobile App Protection for BoxTone, for example, isn't wholly integrated into the BoxTone MDM software yet, it co-exists with it, but the next version is expected to be fully integrated, says Stammberger. "Mocana doesn't want to be an MDM vendor," he adds.

Intel (which bought McAfee) and Symantec are two security vendors that have investment stakes in Mocana, but at this point, neither McAfee nor Symantec, which each have MDM security products now, has included Mobile App Protection in their products, says Stammberger.

Mobile App protection does add costs, and users can expect to see anywhere from a 50% to 100% increase in the underlying price of MDM software that includes it.

Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.

Copyright © 2012 IDG Communications, Inc.