Business Report

IBM Faces the Perils of "Bring Your Own Device"

After letting its employees use their own phones and tablets for work, the company confronted a flood of insecure apps from the open Web.

When IBM loosened its restrictions on the smart phones and tablets its employees could use for work, the company got a lesson in IT management of the kind it usually sells to clients.

Inside job: At IBM, chief information officer Jeanette Horan asks employees to avoid using some popular Web apps.

In 2010, like many large companies in recent years, IBM adopted a “bring your own device” policy, meaning that employees who want to work outside the office don’t have to use a smart phone provided by the company. Although IBM still gives BlackBerrys to about 40,000 of its 400,000 employees, 80,000 other workers now reach internal IBM networks using other smart phones and tablets, including ones they purchased for themselves.

The trend toward employee-owned devices isn’t saving IBM any money, says Jeanette Horan, who is IBM’s chief information officer and oversees all the company’s internal use of IT. Instead, she says, it has created new challenges for her department of 5,000 people, because employees’ devices are full of software that IBM doesn’t control.

Horan says that when IBM surveyed several hundred employees using mobile devices, many were “blissfully unaware” of which popular apps could be security risks.

Since then, Horan’s team has established guidelines about which apps IBM employees can use and which they should avoid. On the list of banned apps are public file-transfer services such as Dropbox; Horan says IBM fears that using such software could allow confidential information to get loose. In the survey, other employees were found to be violating protocol by automatically forwarding their IBM e-mail to public Web mail services or using their smart phones to create open Wi-Fi hotspots, which make data vulnerable to snoops.

“We found a tremendous lack of awareness as to what constitutes a risk,” says Horan. So now, she says, “we’re trying to make people aware.”

Horan isn’t only trying to educate IBM workers about computer security. She’s also enforcing better security. Before an employee’s own device can be used to access IBM networks, the IT department configures it so that its memory can be erased remotely if it is lost or stolen. The IT crew also disables public file-transfer programs like Apple’s iCloud; instead, employees use an IBM-hosted version called MyMobileHub. IBM even turns off Siri, the voice-activated personal assistant, on employees’ iPhones. The company worries that the spoken queries, which are uploaded to Apple servers, could ultimately reveal sensitive information.

“We’re just extraordinarily conservative,” Horan says. “It’s the nature of our business.”

Horan’s division faces new complexities as it manages a growing number of devices that don’t come with as much security as BlackBerry phones. Even though the configuration of devices all happens remotely—the updates are beamed to the phones over the air—it is still cumbersome. Each employee’s device is treated differently, depending on what model it is and what the person’s job responsibilities are. Some people are only permitted to receive IBM e-mail, calendars, and contacts on their portable devices, while others can access internal IBM applications and files.

For employees in the latter category, Horan’s team equips phones with additional software, such as programs that encrypt information as it travels to and from corporate networks. The options vary even further; the IT department can match an employee with one of about 12 different “personas” that dictate what he or she is allowed to do on a mobile device, says Bill Bodin, IBM’s chief technology officer for mobility.

The kinds of challenges IBM faces are becoming increasingly common. Surveys have shown that more than half of large companies are catering to their employees’ desire to use their own smart phones, and as a result, the market for “mobile-device management” tools is booming. A January report by Forrester Research counted more than 40 companies offering such services.

Bodin expects device management to get even more complex in the coming years, but perhaps less restrictive, too. For instance, instead of making employees avoid apps like iCloud entirely, employers someday might be able to turn off just the two or three functions that worry them. Whatever happens, fewer and fewer IT departments will own their employees’ equipment. “The genie is out of the bottle,” says Bodin.