Bring Your Own PC-September 2010
As consumers have rushed to buy the latest and flashiest electronic devices, more conservative technology spending by corporations has triggered a debate in information technology circles that would have unthinkable only a few years ago. The question is this: Should companies allow increasingly mobile and tech-savvy workers to use their own smart phones and laptops in the workplace, rather than requiring them to use company-owned hardware and software, which often lags behind on the evolutionary scale?
This movement, dubbed BYOPC (bring your own personal computer), has been embraced by a handful of leading-edge technology companies such as Citrix and Google as well as producers of non-technology products such as Kraft Foods. It is also being piloted in some Minnesota companies. Proponents of the practice argue that allowing employees to bring the latest technology to the office boosts work force productivity, efficiency, and morale—and as owners rather than renters they’re more likely to take better care of their devices.
Other factors being equal, proponents say, BYOPC is also a good recruiting and retention tool for top talent that appreciates choice and has a strong preference for, say, iPhones over BlackBerries or Macs over Dells.
“Many of today’s workers lead dual technology lives,” says Theresa Putzier, information technology practice manager for OTT, an information technology consulting company in Roseville. “They use older technology in the workplace, like Windows XP operating systems and e-mail systems with limited storage, and then go home to the latest hardware and software where they can do things faster and better. That causes frustration, and forces some to become digital rogues and use devices or software not sanctioned by the IT department.”
Indeed, the pro-BYOPC faction often faces stiff resistance from information technology managers more concerned with security issues, liability matters, and the potential for new support headaches than with providing greater personal choice to employees. While BYOPC sounds good in theory, most IT leaders believe the proof is in the pudding and are approaching it with baby steps.Flavors of BYOPC
The two predominant BYOPC models are the full-fledged approach and the hardware and application virtualization model. In the former practice, employees are provided a stipend to purchase a mobile device and an operating system from a defined list. (Citrix, for example, gave each employee $2,100 for laptop purchases, and Kraft employees receive a stipend every 18 months to buy a smart phone of their choice.) Employees also are required to buy hardware maintenance contracts. Under that arrangement, corporate and personal data might sit side by side on a computer, as might corporate software applications and personal software employees choose to install on their own.
With virtualization and “thin client” approaches, employees can use their own hardware, but key business data and corporate applications are stored on corporate servers and delivered to workers via “virtual desktops” or virtual private networks (VPNs) rather than installed locally. One disadvantage to thin client approaches is they require network connections, meaning employees can’t use them in an offline capacity. Virtualization technologies reduce the chance that compromised corporate data will leave the workplace on an employee’s laptop—a recurring nightmare for IT, human resources, and legal—by enabling organizations to configure laptop computers with two independent personalities, says Tom Kieffer, CEO of St. Louis Park–based technology consulting firm Virteva.
“With virtualization techniques, you can configure laptops to come up as an enterprise device or a personal device, and have complete isolation between those two on the same computer, creating what we call a ‘liability firewall,’” Kieffer says.
Carlson on the Cusp
One organization that’s looking hard at BYOPC is Carlson, the Minnetonka-based hospitality and travel company. Like many organizations, Carlson has supported remote access, using Outlook Web Access to let employees connect to e-mail from almost any device connected to the Internet, says Joe Terhaar, Carlson’s vice president of information technology. But as cutting-edge smart phones and laptops have flooded the market, employees increasingly request more control over devices they can use for work purposes.“We get calls regularly from new executives joining Carlson who have a personal preference in the technology they use, and they are seeking ways to make it secure so they can use it in our environment,” Terhaar says.
That demand led Carlson to launch its “pink laptops” BYOPC pilot project in June, where IT staffers will operate 10 to 20 off-the-shelf, Windows-based laptops to study how BYOPC works under real-world conditions. How the pilot performs against three tests will determine the feasibility of a broader rollout, says Bruce Whitmore, Carlson’s senior director of IT.
“We’ll be monitoring to see how easy it is to identify the devices as connected to our environment, whether we can authenticate users on the device, and whether we can ensure the device is operating in a secure and controlled fashion, so viruses or malware aren’t being introduced to the network,” Whitmore says.
Carlson’s IT leaders also will be watching closely to see if BYOPC reduces the costs or challenges associated with technology support, something that proponents claim is a natural result of employees assuming more of the burden to maintain their own hardware and software systems.
“We’ll be looking at whether BYOPC actually saves money, or simply shifts costs from what we used to spend on end-user desktop support to spending for increased security and network-related support,” Whitmore says. “Just because it’s no longer an organization-owned PC doesn’t mean it won’t require a lot of continued support from IT.”
Security and Support
Answering such questions is crucial to IT leaders whose jobs depend on keeping corporate networks free of damaging viruses, malware, and unauthorized users. And there are a handful of other issues surrounding BYOPC that can keep IT and legal departments up at night. For example, if employees place illegally obtained material on computers purchased for work purposes—say, for example, a manager’s teenage son downloads illegal music files—does liability then extend to the corporation? On the support side, what happens if an employee downloads a program from the Web that causes an application communication conflict with corporate software? Since it’s an employee-owned computer, does the IT helpdesk still have a responsibility to fix that, or should the employee be expected to call the laptop vendor’s IT support team or seek out self-service fixes on the Web?Those are among the concerns that have kept Marty Enerson, vice president and director of technology for Martin Williams, the Minneapolis advertising firm, off the BYOPC bandwagon. Because the company uses largely state-of-the-art Apple hardware and operating systems—updating Macintosh laptops every two and half years, and desktops every three—it tends to receive fewer requests from frustrated employees to move out of the technological stone age, Enerson says.
“We currently don’t allow employees to use their personal laptops in the workplace or on our network,” Enerson says. “One reason is we don’t want someone to plug in an unknown laptop that has a virus, connect to our server, and infect that server.” Company-supplied computers, on the other hand, are each set up the same way with similar software, “and we’ve done testing to know what runs and what doesn’t, whereas a personal computer could have virtually anything loaded on it,” he says.
Like most companies, Martin Williams has a policy covering use of smart phones that enables employees to use VPNs to connect to the company’s e-mail server. Some use company-purchased phones for that purpose, either iPhones or Windows-based devices, but those using non-standard smart phones often need to rely on their own support.
“If someone comes to us with a Palm phone and says it’s not working with our e-mail system, we will try to help them up to a certain point, but we can’t support them fully,” Enerson says.
The good news is that the maturation of security tools has turned BYOPC from a once-heretical proposition to something more companies will implement in coming years, experts say. Encryption technology, cloud-based data backup solutions, user authentication, “remote wipe” programs that can eliminate sensitive corporate data on smart phones if lost or stolen, data leak prevention tools, and more will all help companies provide a new layer of security for employee-owned devices.
Yet it’s clear that technology alone won’t solve IT’s security concerns about BYOPC. As the authors of a January 2010 Forrester Research report wrote, technical enforcement remedies “must be supplemented with effective BYOPC policies seasoned with a dash of common sense.”“BYOPC is a frightening concept for many IT managers because of the control they give up, so you need very clear policies that ask employees to sign agreements promising they will back up data, use the latest anti-virus software, keep firewalls on, comply with policy regarding software, and more,” Putzier says.
Whitmore says the success of BYOPC rests on an assumption that busy employees will become good “self maintainers” of their personally owned hardware and software. He points to Microsoft’s Live Update service, which regularly issues a patch kit to users to repair system vulnerabilities, as an example. “As we consider BYOPC, how can we in information technology ensure Live Update is on, patches are being applied by employees on their personally owned computers, or that patches for Adobe and Java systems are also being applied?” Whitmore asks. “Today, we can do that from a central position. But with BYOPC, we would rely much more on employees to be prudent and timely in doing these things, and would still have a need to audit compliance.”
Kieffer believes the security required for BYOPC isn’t radically different from what companies should already be providing when employees remotely access corporate networks from home offices or coffee shops, or when independent contractors log onto their networks.
He is among a growing chorus of IT consultants and practitioners who believe widespread adoption of BYOPC in some form is only a matter of time. “Our view is that companies might as well embrace it now and make it a competitive advantage,” Kieffer says, “because the blurring of personal and work life is happening, and BYOPC is coming.”