A few months ago, a Hungarian man got a hold of a business executive's personal mobile device containing corporate customer data. The man called up the company asking for $50,000 to not expose the information. What did the company do? It called Websense, an enterprise security company.

"We were so impressed, we offered him a nice paying job," says CSO Jason Clark at Websense. But that job offer was a ruse to catch a thief. "Then we helped track down the guy, and he got arrested."

Clark related this story to me during a broader discussion about security risks and costs related to the latest wave crashing on the enterprise: Bring-your-own-device, or BYOD, whereby employees want personally owned tech gadgets hooking up to the corporate network and trafficking in confidential data.

Companies with BYOD policies see some upsides. For starters, BYOD makes employees happy because they can now use technology of their choosing, blending personal and work lives in a single device - and happy employees are productive employees.

BYOD also takes companies out of the hardware purchasing game, or at least offsets it, because employees now use their hard-earned dollars to pay for work-related computers and mobile devices.

The downside is the risk of receiving a call from a Hungarian man trying to extort $50,000. There are other issues, too, such as management headaches and hidden costs to support BYOD employees. In other words, BYOD is not a free lunch.

BYOD security - A moving target

Without question, BYOD is spreading quickly in the enterprise. Mozy, an online backup service provider, and Compass Partners recently completed a survey that found a growing number of professionals working remotely and relying on personal devices. Cisco Systems has seen its BYOD programme grow 52% in 12 months, with employees collectively carrying 8,144 iPads and 20,581 iPhones.

Nevertheless, Cisco is a behemoth company that lives on the bleeding edge of technology; most companies are in the early throes of BYOD, which usually begins life in the enterprise as part of a larger mobile strategy. Giant pharmaceutical company AmerisourceBergen, for instance, recently kicked off its BYOD programme for some 1,000 employees in its corporate and drug business units.

"It's really a combination of technology and policy," says John DeMartino, vice president of IT infrastructure and technology at AmerisourceBergen.

For CIOs, BYOD can be a nightmare. Avanade, a business technology services firm, which surveyed more than 600 IT decision makers late last year, discovered something rather alarming: More than half of companies reported experiencing a security breach as a result of consumer gadgets.

Truth is, BYOD puts control into the hands of employees who don't really care about security until it's too late. The Mozy survey found that 78% of lawyers, for instance, were either not at all concerned or only somewhat concerned about the security of their company or client data they carry on their devices.

It's important to note that BYOD is often used synonymously with "consumerisation of IT" and even mobility. But BYOD differs because of its "personal use" nature. That is, employees own the devices and thus feel empowered to download and visit whatever apps and websites they choose.

The good news is that Apple has made big strides to make iPhones and iPads - the preferred devices of BYOD employees - secure in the enterprise, as opposed to reportedly leaky Android devices. Consider Bank of the Ozarks, a 100-year-old community bank headquartered in Little Rock, Arkansas, which is working to shore up security on the iPad before following through on a BYOD programme.

Other vendors and service providers have recently jumped into the BYOD security fray. This week, Druva introduced inSync, an endpoint data protection solution. Last month, IronKey, an enterprise management software vendor, unveiled IronKey Trusted Access, a cloud service that lets users access corporate applications and data over the web on their BYOD laptops.

BYOD savings - Fact or fiction?

Along these lines, Virginia Bank is using IronKey Trusted Access to make sure remote access for BYOD employees is secure. Some 60 Virginia Bank employees remotely access the network, with the heaviest users being salespeople on their own mobile devices and laptops (although no iPads yet).

By allowing BYOD, Virginia Bank is partially getting out of the hardware procurement business. "Instead of providing staff with laptops to work outside the office, they'll use Trusted Access with their own personal computers to use the bank's public and private cloud apps," says Sharon Moynihan, senior vice president of IT and project management at Virginia Commerce Bank.

Moynihan credits the cloud component of Trusted Access for delivering the cost savings. Minus the cost of the device itself and, more importantly, related network support, management and security software and services, Virginia Commerce Bank stands to save roughly $1,500 per device.

But cost savings can be tricky, another moving target in the BYOD space. For instance, if a CIO chooses to deploy a virtual desktop infrastructure (VDI) model to deliver apps and data securely on BYOD computers, then he is really just shuffling costs. Instead of spending money on endpoint hardware, the CIO is buying servers and network upgrades and hiring staff to maintain and monitor VDI.

One often overlooked cost is in the area of help desks. While BYOD employees are usually on their own to fix their broken devices, a CIO will need to provide some level of support. A CIO simply cannot expect executives to run to the Apple Genius Bar whenever their iPad or iPhone is malfunctioning, especially when there's a mission-critical task on the BYOD device that needs to get done.

AmerisourceBergen doesn't let all employees into the BYOD programme, mainly because there is a cost associated with every device.

"It's a nominal cost but still a cost," DeMartino says. "If you're looking for a hardware return on investment, you'll be really hard pressed to see that benefit. It's more of the intangible, such as having end users feel that they can drive their own destiny."