Uh?
Now all my emails to and from senior management and production departments – I can be dead important at times, I’ll have you know – can be picked out of the air by anyone planted in the next room or even sitting outside on the steps and looking up at the street sign on which someone has so conveniently printed the company’s Wi-Fi password.
Well, they can pick up the data stream, but if they can read your email just like that you really ought to reconsider your provider. The last time I used any email connection that was not SSL protected was probably 15 years ago - no, I tell a lie, I have used cold SMTP for a test but that was via the old "telnet mailhost 25" route and issuing the HELO command manually. Before you're impressed, I was only trying to get some data onto a network sniffer - the last Access All Areas hacker conference in London I was at (which is MANY years ago), I was watching a 12-year-old girl do that. She must have gone far. But I digress.
Secondly, the use of Wifi is more or less foisted upon us by certain manufacturers who don't even provide ethernet ports anymore. New Apple kit, for instance, seems to pretend that there never was a wire involved, slightly spoiled by the fact that they are instead permanently hanging off a power supply cable because people don't know how to train a battery.
I even recall an experiment at a very large oil company which I'm not allowed to name but whose name involves remarkably few characters where in one department simply *everything* was on raw Internet - that is doable insofar as you make sure you use decent VPNs. At the time the complexity made it too costly to continue, but now the tech is there to actually do this reasonably easily.
The latter approach has one massive advantage for company devices: they are always subject to a reasonable degree of transport security, in the office or on an airport Wifi (which is always intercepted since 9/11 gave some people all the excuses they needed), and it enforces a security policy on Internet use. However, a BYOD device is in principle untrusted and should in my opinion never come near a core network.
Setting up a dirty LAN or a DMZ that proxies a limited set of open standards (umm, oh, Android doesn't support carddav or caldav?) and giving certificate-based VPN access to that, OK, but not on the internal network. I like my layers, thank you, and giving an untrusted device access to a network that's one layer removed from the financial and personnel network is not going to happen on my watch.
I agree with the rationale of some of the BYOD demands, though. Sometimes, IT is indeed not that good at choosing devices that users actually want to work with (a massive understatement if you ever worked in a somewhat staid government department), but there is a business case to be made, and security to be imposed. Without that, I am happy to be Mordac the Preventer.