People like their own devices. They've usually chosen them for themselves, perhaps after extensive comparisons. That's one reason why many organisations have been following the bring-your-own-device (BYOD) route. But, as Brian Runciman MBCS explains, that is evolving.

BYOD could be morphing into a whole new set of four-letter abbreviations: CYOD (choose-your-own-device), BYOT (bring-your-own-thing), BYOA (bring-your-own-anything) and another BYOA (bring-your-own-application).

The sheer number of devices available has meant that organisations have had to change their approach, not only for those people who would be given a mobile device for their job, but for those who just want to interact in the ways they’ve become used to with their consumer devices. Today a standard device cannot just be thrust on a workforce, barring specialist tech.

As reported on, Fortinet did some research recently among 3,200 young people across 20 countries. Of those aged 21 to 31, fifty-one per cent said they would ignore policies banning use of their own devices at work.

Of course this presents issues. Security is an issue in just about everything digital. Organisations need to agree a strategy, codify policies, address multiple-platform issues and keep their IT team happy.

Businesses can improve BYOD security through mobile authentication services, mobile application management, and unified services, says SC Magazine. But there are still multiple issues to deal with: data privacy; keeping company data confidential; establishing ownership of intellectual property created using a non-company device; licensing and so on.

For the IT team the challenges include not being able to develop fast enough to keep up with a user’s BYOD demands. Very few companies have standardised on a mobile platform and, as things often stand, each platform has different application program interfaces and needs different skill sets from the IT team.

eWeek recently reported on a survey from Boston in the US, which found that 65 per cent of businesses allow end users to bring their own device into work and access organisational data, but 45 per cent have no designated BYOD security policies.

Policies are vital to balance the needs of the business with those of the employee, while maintaining respect for privacy and protecting company IP.

Introducing a BYOD programme into a company requires establishing the objectives of the programme, working out your baseline, defining the allowed devices, securing applications, setting parameters, training staff and testing before roll-out - as suggested by Chris Preimesberger recently in eWeek.

Gartner defines BYOD as an applications strategy rather than a purchasing policy and suggests designing systems and architectures to extend computing processes to consumers, mobile workers and business partners accessing data from a variety of devices. They set the simple-sounding goal of using applications and services that are more flexible and inclusive, simple and inexpensive.

BYOD and security issues spill over into legal issues: What is the risk inherent in losing data that is relevant for litigation by employees? Employee behaviour is always a concern - whether that be ignoring a policy, misunderstanding the risks and attendant mitigating activities or simply how they behave when they move jobs. What happens to the data they have on personal devices if an employee leaves?

Interestingly some types of organisation are ahead of others. Many educational establishments, for example, have accepted students bringing in their own devices and could have lessons to teach enterprise.

This BCS paper looks at BYOD from the point of view of strategy, policies, security and more. It points to current thinking from analysts and to library resources available free to BCS members.