Companies mixed on letting employees use their own gadgets for work

Like many employees these days, Kim Gibbons uses her own smartphone and tablet for her job at Cisco Systems. That way, no matter where she is — including weekend soccer matches with her children — “I’m still very much connected with everything at work,” she said.

Hers is one of a number of companies that encourages this bring-your-own-device trend. But the practice is causing consternation among executives nationwide. While loath to alienate employees by being too restrictive, many fear their companies’ confidential or critical business data could be accessed from poorly secured gadgets by hackers, who are attacking firms with increasing ferocity.

As a result, rules regarding the use of personal devices vary widely. Some companies permit it with tight controls that include having the ability to remotely wipe the gadgets clean of all data — personal or otherwise — if the machines are lost or stolen. Others bar employee-owned devices altogether or haven’t figured out what to do.

“The world is going mobile,” said Bob Worrall, chief information officer at Santa Clara chipmaker Nvidia, which recently decided to let employees use their phones and tablets at work. But how to adapt to that shift while protecting company secrets, he added, “has really become a question that legal and security teams have wrestled with across the industry.”

For many workers — particularly the young — having to use a clunky company-issued phone or laptop is unthinkable. A Cisco survey of 2,853 adults younger than 30 last year found 70 percent preferred to use a work device of their own choosing. And among those in college, 81 percent expressed that preference.

Still, recent research by McAfee and the National Cyber Security Alliance has found that nearly three out of four adults fail to protect their smartphones with security software. Moreover, people often use their phones, tablets and laptops to frequent social media or other websites that tend to attract cybercrooks. Consequently, many business executives aren’t keen on the idea of letting their employees use such devices for work.

The practice was forbidden by 48 percent of the 1,500 information technology managers Cisco queried in January, although 57 percent added that some of their employees disregard the ban.

In another study this year by Check Point Software Technologies of Redwood City, 65 percent of 768 information technology professionals contacted allowed employee-owned gadgets to connect with their corporate networks. But 71 percent blamed such mobile devices — both personal and company-provided — for contributing to “increased security incidents,” such as risky Web browsing and “corrupt applications downloaded.”

Some companies are secretive about whether they allow personal gadgets or not. Oakland-based Clorox would only say “it’s not our practice to discuss security issues publicly.” Others embrace the idea, which can be a big cost savings for companies.

“It’s working very well,” said Steve Martino, vice president of information security at San Jose-based Cisco, where a little less than half of the company’s employees use their personal devices. He said the gadgets are connected to Cisco equipment to block spam and some of them can be remotely wiped of sensitive information.

“Our primary concern is protecting Cisco’s and our customers’ data,” Martino said. But, he said, the company also wants to make its employees “happy with the kind of device they have.”

Among those pleased with the policy is Gibbons, who joined Cisco in 1999 and is marketing director for its global government solutions group. Equipped with a company-issued MacBook Pro as well as her personal iPhone and iPad, she much prefers this arrangement to her previous job, where she toted both a company phone and one she owned.

“That’s very difficult when you’re carrying around two phones,” she said. “It just makes you less productive.”

Other local firms that let employees use their devices include Hewlett-Packard and Intel. The Santa Clara chipmaker also allows workers to put family photos or other personal data on their company-issued laptops, said Malcolm Harkins, Intel’s chief information security officer. Noting that the policy gives employees more incentive to take care of their machines, he said the company suffers few lost or stolen laptops.

But A10 Networks of San Jose, whose products help speed Internet traffic, doesn’t permit employee-owned devices, said spokeswoman Kelly LeBlanc. And while the practice is allowed at Santa Clara-based LumaSense, which sells thermal-imaging instruments, CEO Vivek Joshi said he needs to set rules for it because “we are very worried about security in the form of unauthorized access to company email.”

Of more than 9,600 executives surveyed this year by PricewaterhouseCoopers and two trade magazines, just 43 percent had security procedures governing use of personal devices. Hashing out such rules can be complicated. Companies need to consider whether to reimburse employees for using their own devices, how to deal with lawsuits demanding access to the personal gadgets and who owns the email or other information on the devices.

Then there’s the matter of how to keep from losing company data, which can be an added headache for an executive if “you are already staying up at night worrying about protecting your network,” said Patrick Bedwell, a vice president at Sunnyvale network security firm Fortinet. But given how employees feel about their beloved iPhones and other personal gadgets, he added, “you’d be hard pressed to tell people you can’t bring your own devices to work.”

Contact Steve Johnson at 408-920-5043.