Bring-your-own-device (BYOD) policies allow employees to use their own personal devices for work activities in the corporate environment. The BYOD trend empowers employees to use technology they're familiar with and can free organisations from providing support and equipment. However, there are some risks associated with BYOD that organisations might not consider until they have to deal with the consequences.
The popularity of BYOD
Traditionally, organisations provided employee devices with an eye towards economy and functionality rather than style. To the baby boomer workforce, a computer was just a tool to use at work. The tail end of Gen X and millennials have a different view. Computers aren’t something you put down when work is finished. Technology to these demographics is something you use during work and personal time, and it needs to be more than just a functional, utilitarian device.
When PCs became more powerful, more functional and more stylish than the bare bones corporate machines they dealt with in the office, people naturally wanted to use their own computer rather than the one assigned to them by the business. Some organisations, responding to this desire, developed policies to accommodate these users. This shift was dubbed BYOD.
Why organisations like BYOD
While organisations might position BYOD as being about empowering staff, the practice also allows businesses to push much of the cost of supporting computers onto employees. When the organisation owns the computer, it carries an implied responsibility for maintenance. If you have a problem, the organisation provides some level of support to help you resolve it.
If the computer belongs to the employee, some or all of the responsibility falls to them. Should a component fail, it’s likely going to be the employee’s responsibility to get it fixed, including paying for such a service. Some organisations that implemented BYOD have substantially reduced their spend on IT support simply because employees are now responsible for maintaining their own computers. What is billed as user empowerment actually turns out to be about organisational cost cutting.
Why IT departments don’t like BYOD
Some IT departments are against BYOD, and not simply because organisations might use the reduced costs as an excuse to downsize the IT department. When IT manages a computer, it can lock down that device and limit the activities the user can perform. In many organisations, no such restrictions apply if the employee manages their own computer. The employee is also likely to be reluctant to grant someone from the office power over the configuration of their computer.
There are many reasons organisations need the power to lock down computers. While some employees might think that configuration lockdown is to block them from playing games or surfing social networks, there’s also a more pragmatic reason. Employee computers interface directly with sensitive organisational infrastructure. If malware compromises an employee's device, that infection can spread directly from the device across the entire organisational network.
Some employees are good at keeping their computers secure, diligently applying software updates and making sure their anti-malware is up to date. But the vast majority have the same enthusiasm for applying software updates as they do for visiting the dentist. IT departments tend to be better at locking down computers and keeping them up to date simply because that’s what they are paid to do – and they are the ones who will face repercussions if an infection sweeps the network.
One of the main challenges that BYOD introduces is the possibility that data will end up in places it shouldn’t. When organisations are able to lock down computers, they can restrict where users store data. When workers manage their own computers, they tend to use software for work they find useful without necessarily thinking about the risks it poses.
Cloud storage technologies are a good example of this. While they are often useful, many employees don’t think about the potential ramifications of storing confidential documents in the cloud. The data these services store can often be spread across any device that is synced with the platform, which multiplies the risk of the user exposing the organisation's confidential information.
BYOD also presents a challenge during internal investigations. Normally if a person is subject to an investigation by the HR department for any reason, the business can confiscate and check their computer for evidence. Things become far more complex when the computer belongs to the employee and the organisation’s ability to seize it is subject to the owner’s whim.
A final BYOD challenge involves what to do when employees leave an organisation. In non-BYOD environments, the computer remains the property of the organisation, so the employee hands it back when their employment concludes. Any material stored on the computer remains on the returned computer. When a person leaves an organisation and the computer belongs to them, they may be reluctant to allow someone from the business to check whether all the organisational data stored on the computer has been removed.
How to make BYOD work
The key to a functional BYOD workplace is to develop detailed policies that explicitly spell out the conditions under which employees can use their own devices.
This involves educating users about the risks of putting organisational data in cloud storage services and ensuring they keep devices up to date with anti-malware, operating system and software updates.
It also means organisations have to come up with a method of dealing with employee-owned devices during investigations and document the steps that need to be taken to clear employee-owned devices of organisational data when the employee leaves the organisation.
Essentially, a successful BYOD initiative requires transparency. Make sure employees understand their devices are a bridge to the organisation and ensure they know how they can and can't use them.