Risks Associated with BYOD
Introduction and research objective
What started several years ago with employees using their own personal computers to access their organisations' networks via dial-up and virtual private networks has changed dramatically in recent years. With the increased number of smartphones and tablet computers in the marketplace, more and more employees are using their personal mobile devices to connect to their organisations' networks. The arrangement in which an employee uses his or her own personal mobile device to connect to the organisation's network is known as Bring Your Own Device (BYOD). It has been embraced by a large number of organisations of various sizes and in various sectors. Some employees use their mobile devices to perform basic tasks such as syncing their work emails and calendars, whereas others use them to perform specific work-related tasks such as compiling Excel spreadsheets and accessing sensitive corporate data. This trend is driven by the number of mobile devices employees have access to. Gupta et al. (2013) indicated that global smartphone sales reached 225 million units in the second quarter of 2013. It is predicted that approximately 50% of all businesses will introduce a BYOD environment, and even where organisations do not permit BYOD, employees will still use their own devices. Deloitte (2013) indicated that there are over 10 million active smartphones in South Africa. Although allowing employees to use their personal devices brings organisations various benefits (such as cost savings and improved employee satisfaction, which in turn increase productivity), it exposes the organisation to new risks. Failure by the organisation to implement sound internal controls and governance policies to address these risks could lead to the organisation suffering negative consequences.
These consequences include, inter alia, significant financial losses as well as the leaking of sensitive client data into the public arena as a result of negligence or data theft. Malware entering the network from a compromised device can likewise leak sensitive data, corrupt it, or cause the information technology (IT) system to shut down.
The governance of the incremental risks related to BYOD should be of interest not only to those charged with governance of the organisation, but also to the external auditor. The auditor needs to understand which incremental risks have arisen as a result of the adoption of the BYOD programme, because the control risk is no longer confined to the client's own system but extends to each and every device connected to the network. An organisation that adopts or deploys a BYOD programme will face increased IT strategic and operational risks, and will need to identify suitable internal controls to reduce those incremental risks to an acceptable level. The objective of this research is to develop a framework to identify and manage the incremental IT strategic and operational risks which arise when an organisation adopts a BYOD programme. The study focuses mainly on the incremental strategic risks and to a lesser extent on the incremental operational risks. This research will be of value to management, to those considering adopting or currently running a BYOD programme, and to external auditors. It will assist in understanding the risk dynamics and how to mitigate the risks on devices not under the control of the organisation. The majority of the research conducted to date on BYOD programmes has investigated the benefits of adopting such programmes (Anderson 2014; Pelino 2012) and, to a lesser extent, the incremental risks associated with their implementation. Most of the research related to BYOD has been conducted by private organisations, such as IBM, Gartner, ISACA and Forrester. Prior academic research tends to focus on specific risks. Rose (2012) highlighted the security implications which arise as a result of BYOD. Markelj and Bernik (2012) described the threats that arise from the use of mobile devices and their impact on corporate data security.
Most of the research investigating these risks does so in an ad hoc manner, without relying on the available IT governance frameworks. A practical, integrated framework that will assist those charged with governance at the organisation to mitigate the risks associated with the adoption and deployment of a BYOD programme to an acceptable level has not yet been developed.
The research commences in the following section by describing the research methodology. The 'Literature review and findings' section contains an extensive literature review to identify the incremental IT strategic and operational risks which arise as a result of adopting a BYOD programme. It also presents the findings on the IT strategic and operational risks which arise when an organisation adopts a BYOD programme, as well as recommending mitigating controls. The 'Conclusion' section concludes the article.