Employee hardware ubiquitous but BYOD policies remain weak, finds survey

Bring your own device (BYOD) policy remains patchy despite near 100% prevalence and instances of data loss

The BYOD (bring-your-own-device) trend is not a theoretical concern for IT leaders. Nearly all organisations now have corporate data on employee hardware and in the UK nearly one-fifth have suffered some data loss from mobile devices.

But while most IT departments are happy for employees to access business data despite patchy BYOD policy, many worry about keeping data in the cloud due to concerns over security, manageability and compliance.

Those are the findings of an exclusive ComputerWeekly.com survey into BYOD policy.

The survey was carried out for cloud provider EVault in association with ComputerWeekly.com and questioned 200 IT decision makers in the UK, with 22% of those surveyed representing organisations with 3,000 staff or more. Overall, the survey questioned 650 IT leaders in the UK, France, Holland, Germany and the US, so it compares the UK with other countries’ practices on some issues.

BYOD near-ubiquitous, but BYOD policy patchy

The survey confirmed that employee devices increasingly hold corporate data. Nearly all (96%) of those questioned said some employees now use BYOD devices for work. In the UK, the average percentage of employees using their own devices for work is 25%.

A sizeable majority (68%) of those questioned said retention, protection, security and deletion were their main concerns with BYOD devices. Nearly as many (61%) are concerned that access to corporate data may compromise legal compliance.

Despite such widespread concerns about protecting corporate data on BYOD hardware, BYOD policy is patchy. Some 32% said they have no plan for BYOD data protection at all, while 39% see it as part of their overall existing disaster recovery provision. A sizeable chunk (45%) said it is company policy that the user is responsible for BYOD data protection, although 21% provide anti-virus software for BYOD users.

That’s despite the survey indicating that BYOD policy and data protection is by no means a theoretical issue, with 17% admitting they have lost data on a personal mobile device and 33% of those having lost business-critical files.

When asked about the solutions they’d like for such BYOD concerns, 57% said they’d like policies that would enable deletion of data and 55% wanted to use encryption.

While BYOD proliferates, the cloud still isn’t trusted

Use of the cloud presents an altogether different picture to that in BYOD. With the latter, access to corporate data is commonplace via employee-owned hardware and controls on it appear lax. Meanwhile, there is a marked reluctance to entrust data to apparently more secure cloud environments.

What do respondents do with the cloud? The most popular use case reported by those questioned is cloud disaster recovery provision (28%), and this probably means use for online backup and archiving.

Meanwhile, some 23% of respondents see the cloud as a secure repository for data and 19% see it as a way to extend storage capacity, although what type of storage service level this corresponded to was not specified in the survey results.

Currently, cloud storage services are best suited to use cases where data recovery and response times are not at a premium, which means they are best suited to archiving and backup and much less suitable for primary production data.

Cloud is still held back by negative perceptions among users that go beyond performance limitations, however. The key objection to use of cloud storage for organisations’ data is security (68%), but cost of adoption/migration (36%) and general lack of confidence (36%) were also big considerations. Worry about contract lock-in was a concern for 27% of those questioned.

Data loss widespread, but so is disaster recovery best practice

The survey also questioned respondents on data loss, disaster recovery and the growth of data.

It found nearly half (45%) of UK organisations had suffered some form of data loss over the past 12 months, with 7% saying it had happened more than four or five times. The same survey in 2011 found only 30% of organisations had suffered data loss incidents.

The average cost to UK organisations of data loss came out at £34m, which is 3% of revenue. Other effects included reduced employee productivity (44%), loss of customer confidence (32%) and delays in developing new products or services (23%).

Remote disaster recovery provision widespread

The survey found the overwhelming majority (80%) have disaster recovery provision based on use of a remote site, which is recognised as best practice.

The UK lags behind other countries in terms of disaster recovery testing, however. The average gap between tests in the UK is around five months, where the average internationally is two.

Just under half (45%) of those with remote disaster recovery provision expect data to be recovered in four hours, 33% expect it on the same working day and 2% want it back in half an hour.

Data volumes still growing

The average amount of data managed by UK respondents is 2.72TB. Two thirds (66%) of respondents manage more than 2TB, up from 60% in 2011. More than half of data managed (61%) is structured data and 46% say that total volumes are more than they had to deal with last year.
