IBM has bitten the Bring Your Own Device (BYOD) policy bullet, and you might be forgiven for thinking that the media fallout has left it somewhat bloodied and bruised. However, when you look behind the 'IBM bans Siri' and 'IBM bans Dropbox' headlines and start to consider what's really happened here, you have to ask yourself whether it's fair to suggest that Big Blue has turned into Big Brother.

Pretty much everyone who writes about the information security space has been warning about the inherent dangers to corporate data that arise from the BYOD revolution. And, make no mistake, BYOD is nothing less than that. Indeed, recent statistics suggest that 95 per cent of businesses allow BYOD in some form and 50 per cent don't specify the actual device types that are allowed to connect to the network. Meanwhile, two-thirds of employees want to use their own devices at work.

This, in turn, throws up all sorts of security questions that need to be answered. How do you secure devices which you do not own? How do you prevent insecure devices from infecting the network? How do you ensure sensitive data remains secure when being accessed by such a device? The answer, at least in simplistic terms, is by applying a sensible mix of usage policy and technical defence measures.

When Symantec researched the subject last year, it discovered that only half of the enterprises it questioned had put some kind of specific BYOD policy into action. If that research was repeated now, I'd like to think that the percentages have moved up a few points in favour of introducing BYOD into the AUP arena.

When I hear that a large enterprise is taking the matter seriously, it saddens me to also hear an echo of complaint from the online media suggesting that there is some kind of dictatorial restriction of freedom going on that should be stopped.

Was IBM really so wrong to introduce a policy which forbids some 400,000 or so employees from using specific applications across the corporate network in a move to mitigate some of the risks introduced by the BYOD model? Of course not. Nor was it wrong, having assessed the risks and come to a reasoned conclusion, to ban access to the Apple iCloud and to Dropbox: a Bring Your Own Cloud (BYOC) user policy if you like.

Untethered access to sensitive data is never a good idea, and when it comes to governance, compliance and just common sense there has to be a line drawn in the sand. That line is the use of consumer-grade cloud services, whether accessed by corporate or user-owned devices, where mission-critical or confidential data is concerned.

You might be happy to rely upon a free anti-virus solution to protect your home computers, but you wouldn't want to run the risk of entrusting corporate data to it. There is an argument that, at least at the smaller end of the business rainbow, the consumer-grade cloud pot of gold is fine and the security enhancements that are built-in are sufficient. This argument falls down if that SMB is in a regulated industry sector where compliance is more than just a decent score in a game of buzzword bingo. And it evaporates altogether when you move into IBM-sized territory.

Rather than focus on why IBM is wrong to ban 'any cloud but ours', the canny folk out there will be looking at why it is right. As long as the enterprise is providing a secure and easy-to-use alternative to the consumer cloud, why should employees need to be looking anywhere else?

The main problem that IBM faces, and where I think the focus should be, is in how it can actually enforce this policy.

It's relatively easy to do within the boundaries of the corporate Wi-Fi network, but as soon as an employee using a mobile device switches to 3G then all bets are off. With around 120,000 of the 400,000-strong IBM workforce apparently using smartphones and tablets, a good many of which will fall into the BYOD category, it's a very real problem. Especially as IBM has admitted that the change to its two-year-old BYOD policy came about partly as it discovered employees were unaware of the risks they were introducing into the business by downloading third-party apps, forwarding documents to webmail and consumer cloud storage services and the like.

Guidelines and policy are fine as far as they go, but the truth is that's not very far. Enforcement will be an issue, but education is a far more important one. It's no use telling tech-savvy employees that they have to use the IBM MyMobileHub cloud storage service and are banned from using Dropbox or iCloud unless those employees understand why.