IT’s Arab spring

WILLEM EELMAN, the chief information officer (CIO) of Unilever, an Anglo-Dutch consumer-goods giant, recounts the reaction of young employees when they first come across the complicated and often confusing ways in which many big corporate IT systems still present information to staff. “They take a look at a business-application screen and they scream in horror,” he says. The youngsters are even more horrified when presented with tomes of instructions through which they must plough before getting down to work.

Like many other companies, Unilever is recruiting from a generation whose expectations of technology have been profoundly shaped by Facebook, mobile apps and other innovations. But it isn't just “digital natives” who are shocked by the state of some of the technology in their workplaces. The rapid spread of tablets and smartphones, and the magnetic attraction of social networks and other online tools such as Twitter, mean that people of all ages have grown accustomed to having powerful yet easy-to-use technologies at their fingertips. Many of them want the same stuff at work too.

Their demands are also being fuelled by changes in society. Among these is the increasing mobility of the workforce, whether commuting or visiting clients, which has made smartphones and tablets especially popular with corporate road-warriors. There has also been a gradual blurring of the lines between personal and business lives, which means that people rely on technology much more to allow them to work or play anywhere at any time.

The effects of these changes are being widely felt. A survey of 3,000 workers in nine countries carried out by IDC, a research firm, for Unisys, an IT company, and published in July found that their use of personal devices to access business information had grown sharply, partly because of the arrival of tablets (see chart 1). The study also noted that IT departments often greatly underestimate how much employees are using their own technology, including social networks and other web services, for work. And it accused internal tech teams of frequently using security concerns as a “figleaf” to justify keeping tight control of decisions about which devices workers may and may not use.

How far firms are affected by all this will largely depend on the nature of their business. Those with a highly mobile workforce are already seeing swift changes. Accenture, a consulting firm whose staff often work at clients' offices, is a case in point. Frank Modruson, the CIO of the company, which has 223,000 employees, says that less than two years ago 30,000 smartphones and other mobile devices were connected to its network, most of them bought by the firm. Today there are 85,000, less than a third of which were provided by the company.

Other companies are seeing a more gradual influx of employee-owned gadgets. At Unilever, Mr Eelman says that of the 90,000 employees who use a computer for their jobs (out of a total of 160,000 staff) about 5,000 have so far brought in a mobile gadget of their own. But he expects that number to grow as the company rolls out a new IT infrastructure that will allow people to work more easily from different places.

War of the IT worlds

The arrival en masse of personal technology in the workplace is causing waves. “Historically many IT departments have treated people as tech automatons who should do what they are told,” says Bob Tinker, the boss of MobileIron, which helps firms manage mobile devices. For years that has involved restricting people's choice of mobile gadgets to a few devices such as the BlackBerry smartphones made by Canada's RIM.

One rationale for this was that strict standardisation saved money. By limiting choice to a few gadgets, companies could buy them in bulk and streamline their maintenance in much the same way that, say, budget airlines reap big savings by buying just one or two types of aeroplane. At the same time, standardisation made it easier to ensure security. A big reason why BlackBerrys have proved so popular with companies has been that RIM also provides software that lets IT departments maintain a firm grip on the way the devices are used.

Rather than a few geeky rebels, there are now entire armies of employees equipped with smart mobile devices

Now, however, IT teams are facing a challenge to their authority. Much of what workers are demanding, including the right to use their own smartphones and tablets for work, to mix business and personal data on them, and to personalise them with their own apps, is anathema to IT departments used to running digital dictatorships. Often it is senior executives who insist on being allowed to use their own technology for work, which makes it hard for IT folk to say no. “This really is the end of the nanny state of IT,” says Doug Neal of CSC, a consultancy.

CIOs who try to ban the use of personal technology at work risk a proliferation of “shadow IT”, which arises when employees surreptitiously use their own devices and software to get things done. This is not new, as the example of the people who sneaked the first PCs into offices shows. What is different is the sheer scale of the consumerisation movement this time. Rather than a few geeky rebels, there are now entire armies of employees equipped with smart mobile devices. Left undetected, their do-it-yourself efforts could cause sensitive corporate data to leak and open digital doors to hackers.

There is some debate about just how big a threat this is. Earlier this year Verizon, an American telecoms firm, published a report that reviewed numerous corporate data breaches that had occurred in 2010. It concluded that most of these were due to direct attacks on corporate servers, not to mobile devices being compromised. Moreover, many smartphones and tablets now include features such as the ability to erase, or “wipe”, the content on them remotely and to track their location using their inbuilt GPS systems. The same cannot be said of most PCs. And some operating systems such as later versions of Apple's iOS include ready-made encryption capabilities that protect data on devices. This helps explain why so many companies are embracing iPads. Apple has said that most members of the Fortune 100 list of America's largest firms are either buying the gadgets or running trials with them.

Nevertheless there are grounds for concern. The Verizon report predicts that threats to mobile devices will grow as more are sold. And another study published in August by McAfee, an IT-security firm, found there had been a steady increase in mobile “malware”—software such as viruses and “Trojans” designed to disrupt or steal data (see chart 2). Google's Android system is an especially popular target. One piece of malware disguised as an Android calendar app sent SMS messages to a premium-rate number without users' knowledge. Another, masquerading as an update for “Angry Birds”, a mobile game, deleted browser histories and bookmarks on phones.

Popular web services have also had security hiccups. In June a software update at Dropbox caused a temporary security breach that allowed unauthorised access to data held by the online-storage service for about four hours. According to the company's blog, fewer than 100 accounts were compromised, but the episode nevertheless shocked those who had assumed that the service was perfectly secure. The firm has since taken steps to prevent a recurrence.

Lock up your devices

Perhaps the biggest risk of all, though, is employees themselves. Numerous studies have shown that although people lock their cars and their homes, many do not secure their mobile devices. A report in March by the Ponemon Institute, a research group, for AVG, a security firm, found that less than half of the 734 Americans surveyed had set up passwords on their smartphones, even though most had used them for work. Other studies have found that when people do protect their phones, they often choose codes that can be cracked easily, such as “password” or “12345”, rather than more secure combinations of letters, numbers and other symbols.

Many CIOs recognise that trying to stamp out the use of personal gadgets at work is not only futile but also risky. “I'd rather know about a device and put reasonable security on it than stick my head in the sand and pretend it's not there,” says Accenture's Mr Modruson. To manage the risks, companies have been installing systems from firms, such as MobileIron and Zenprise, whose software lets IT departments manage a wide range of mobile devices. These can detect the kinds of gadgets that are gaining access to a firm's network and wipe data from those that are lost. “Virtual desktops” from companies like VMware and Citrix that let people use devices but keep data on a remote server behind a firewall are another popular means of limiting risks.

All this costs money. So there is much debate in the IT world about whether or not consumerisation leads to savings too. Mr Modruson says that Accenture's employees have spent $4.25m of their own money on tablet computers that they use for work. But Cesare Garlati of Trend Micro, an IT-security company, gives warning that companies also need to take into account the cost of managing many different kinds of devices running on various telecoms networks. “It's a nightmare of complexity,” he says.

Yet even if IT perestroika is pricey, the investment may still be worth it—and not just because it minimises the risk of a disaster caused by shadow IT. For a start, firms that embrace consumerisation are more likely to attract technologically minded workers at a time when IT is becoming ever more crucial to corporate success. Those people are also more likely to give their employers early warning of innovations in the personal-technology world that could affect their business. And they are probably better at conversing with customers who are themselves adopting many of the same technologies.

Such considerations help explain why even companies in heavily regulated industries are letting people bring their own gadgets to work. “Previously we just said no to people using non-standard devices,” says Robert Cockerill of Thames River Capital, a British fund-management company. Now the firm lets employees use a range of phones and tablets as long as sensitive data on them are encrypted and activity is logged in order to comply with regulations.

Pfizer, a big pharmaceuticals company, is also embracing consumerisation cautiously. “We have to find a balance between flexibility and protecting the intellectual assets that are the lifeblood of the company,” says Jeff Keisling, the firm's CIO. The company allows workers to use various kinds of devices and operating systems, but to get access to its network they must agree to load an encryption agent on their gadgets and to allow Pfizer to wipe part or all of the information on them if necessary.

At the other end of the spectrum, some companies are giving their employees stipends to encourage them to buy their own devices. One of these is Citrix, which requires staff to use its own virtual-desktop product on the gadgets they purchase and to install antivirus software prescribed by the company. The firm says that about a fifth of its 6,500 employees have taken advantage of the policy.

Mr Eelman of Unilever sees consumerisation as part of a broader shift in what companies expect of their IT departments. Not so long ago, he says, many internal tech teams were focused on installing gigantic software systems to handle such things as accounting and human resources. Most of these are now in place, though they require maintenance. This means IT now has more time to be a partner supporting firms' business divisions. Enabling workers to use the gadgets they consider best for their jobs is part of this strategic realignment. Wise companies are not just embracing the consumerisation of IT. They are also turning innovations from personal technology to their advantage.