How can your business manage its BYOD needs and risks?
Bring-your-own-device (BYOD) policies give organisations a way of allowing employees to use their own devices for work tasks while in the office. Rather than issue each worker with a phone to conduct their business, such as responding to emails, BYOD lets employees use their personal devices to connect to the organisation’s servers.
Instead of worrying about managing a fleet of smartphones, organisations just give people permission to use their personal phones for work activities. Similarly, rather than being responsible for managing a fleet of company laptops, organisations reduce support costs by having people use their own laptops. More insidiously, moving work activities to personal devices further blurs the barrier between work and home, allowing organisations to boost productivity.
Initially, this sounds fantastic. At a high level, it looks like everyone wins. It’s only after most organisations adopt a BYOD policy that a few realities sink in.
What happens if someone loses their device?
When an organisation owns a laptop, it will be clear when a device is lost because the user will report it. If a person loses their own laptop, however, and it contains confidential company information, the organisation may or may not find out about the loss.
It’s important for IT departments to have some way of tracking which devices employees are using for work. If a device is lost, there needs to be a mechanism that allows the IT department to determine which data could be exposed to the public.
This mechanism matters because the biggest cost to an organisation when a laptop or mobile device goes missing is working out what data may have been publicly exposed, and that investigation can run into tens of thousands of dollars.
What happens if someone leaves the organisation?
When someone leaves a role and they have been using a company-owned device, they return it, and all the information stored on the device returns to the organisation. The device can be wiped and issued to someone else.
Things get more complicated in BYOD scenarios, as many employees will be reluctant to give the IT department permission to review the contents of their personal devices when they leave a role. While an employee may be willing to allow such an examination if the parting is amicable, a staff member whose employment is terminated may be less willing to allow the organisation to examine their personal devices. When organisations develop BYOD policies, they need to have a way of ensuring they can control the data that workers store on their devices, even if they don’t have a way of controlling the devices themselves.
Ensuring devices are secure
One of the nasty secrets of BYOD is that it gives up the assurance that comes with managing computers centrally: that software updates and antivirus programs are installed and up to date, and that problematic applications aren’t installed. If you’ve ever had to provide technical support for non-technical people’s personal devices, you’re likely aware that most have an ad-hoc approach to keeping their devices up to date. Organisations that allow BYOD need a way of ensuring that user devices are kept updated without having IT managers peer over employees’ shoulders on a regular basis.
Knowing what data is stored on devices isn’t just an academic exercise in protecting an organisation’s intellectual property. While company secrets are definitely important, in most jurisdictions there are special rules governing how an organisation treats certain types of data, such as medical records or personal information. When this data is on a device that is lost or stolen, legislation often dictates that a public disclosure be made to the appropriate authorities.
Compliance legislation also often dictates how data is stored, such as requiring specific access controls, use of encryption and keeping devices up to date. As privacy legislation becomes more stringent, organisations may need to treat data such as personally identifiable information (PII) or sensitive personal information (SPI) in a special manner.
Organisations that allow BYOD need to ensure they aren’t inadvertently breaching compliance responsibilities by allowing users to store or access special categories of data on devices that aren’t properly managed.
The consequences of an organisation not keeping up with its compliance responsibilities vary by industry. They can include very large fines and other legal sanctions. IT departments can be skittish about BYOD because they realise that a compliance breach could put their jobs on the line, even if they have no direct control over the users’ devices.
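The previous sections ask for four concrete capabilities: a register of which personal devices touch work data, a way to tell which data a lost device could expose, a check that devices stay updated and encrypted, and a way to revoke a departing employee’s access to data rather than to the device itself. The script below is an added illustration of how a small IT team might model those checks against a device register; it is not code from this article or from any product it mentions. The inventory, the policy thresholds (minimum OS version, seven-day check-in window) and the data categories are all constructed for the example, and the assumption that full-disk encryption renders data on a lost device unreadable is a modelling simplification, not a legal determination for any jurisdiction.

```python
"""Added example: evaluate a BYOD device register against a minimum policy,
report what a lost device could expose, and list the devices whose access
must be revoked when an employee leaves. All data here is constructed."""
from dataclasses import dataclass
from datetime import date


@dataclass
class Device:
    device_id: str
    owner: str
    os_version: tuple          # e.g. (17, 2); tuples compare lexicographically
    disk_encrypted: bool
    last_checkin: date         # last time the device reported its state
    data_access: set           # data categories the device is allowed to sync


# Constructed policy: thresholds are illustrative, not from the article.
POLICY = {
    "min_os_version": (17, 0),
    "max_checkin_age_days": 7,
    "require_encryption": True,
    "regulated_categories": {"PII", "medical"},
}

# Constructed reference date and device register.
TODAY = date(2024, 3, 15)
INVENTORY = [
    Device("dev-001", "alice", (17, 3), True, date(2024, 3, 14), {"email"}),
    Device("dev-002", "bob", (16, 5), False, date(2024, 2, 20), {"email", "PII"}),
    Device("dev-003", "carol", (17, 1), True, date(2024, 3, 10), {"email", "medical"}),
]


def evaluate(device, policy, today):
    """Return the list of policy violations for one device (empty = compliant)."""
    problems = []
    if device.os_version < policy["min_os_version"]:
        problems.append("os_outdated")
    if policy["require_encryption"] and not device.disk_encrypted:
        problems.append("disk_unencrypted")
    if (today - device.last_checkin).days > policy["max_checkin_age_days"]:
        problems.append("stale_checkin")
    # Regulated data may only sit on a device that passes every other check.
    if problems and device.data_access & policy["regulated_categories"]:
        problems.append("regulated_data_on_noncompliant_device")
    return problems


def audit(inventory, policy, today):
    """Map every non-compliant device id to its violations."""
    findings = {}
    for device in inventory:
        problems = evaluate(device, policy, today)
        if problems:
            findings[device.device_id] = problems
    return findings


def exposure_report(device, policy):
    """For a device reported lost: which categories were on it, whether they
    are readable to whoever has it, and whether regulated data is at risk.
    Assumption: full-disk encryption makes the data unreadable to a finder."""
    readable = not device.disk_encrypted
    at_risk = device.data_access & policy["regulated_categories"] if readable else set()
    return {
        "device_id": device.device_id,
        "owner": device.owner,
        "categories_on_device": sorted(device.data_access),
        "readable": readable,
        "disclosure_review_required": bool(at_risk),
    }


def offboarding_revocations(inventory, owner):
    """Devices whose work-data access must be cut when `owner` leaves.
    The organisation controls the data grant, not the personal device."""
    return [d.device_id for d in inventory if d.owner == owner and d.data_access]


if __name__ == "__main__":
    for dev_id, problems in audit(INVENTORY, POLICY, TODAY).items():
        print(dev_id, "->", ", ".join(problems))
    print(exposure_report(INVENTORY[1], POLICY))
    print("revoke on departure of bob:", offboarding_revocations(INVENTORY, "bob"))
```

Run as a script it prints the audit findings, the exposure report for the unencrypted device and the list of devices to revoke when "bob" leaves. The point of the design is that every decision (what to chase for updates, what to disclose, what to revoke) is driven by the register rather than by access to the employee’s hardware, which is the only lever the organisation reliably has under BYOD.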
The key to successfully implementing BYOD is to understand the drawbacks and benefits going in. What can seem like a user-empowerment measure may end up being a noose around the IT department’s neck.