Like it or Not, You Need a BYOD Policy

Bring your own device (BYOD) is an increasingly common business policy that encourages employees to use their own smart devices, including phones, tablets, and laptops, to access company data. Executives consider BYOD "the gateway to greater business benefits," according to a 2012 Cisco study. However, while more than 76 percent of the IT leaders surveyed categorized BYOD as somewhat or extremely positive, this group still sees significant IT challenges.

What then are the steps companies should take to ensure they reap the benefits of BYOD, including increased employee accessibility, productivity, collaboration, and innovation, while ensuring the integrity of their data?

"Whether they realize it or not, many organizations already have a BYOD program," said Fred Purdue, CEO of Axiom Technology Group, a full-service IT integration firm. "The question is how are they protecting themselves?"

Smart Devices and Their BYOD Implications

With the explosion of applications and cloud access, the range of uses for smart devices continues to expand well beyond checking emails, searching the Internet, and accessing work files. New apps and activities for both enterprise- and employee-owned smart devices include time sheets and punch lists, site check-in/check-out, MRP (material resource planning), and customer relationship management (CRM).

In addition to answering the basic use question -- "What can (or can't) a smart device be used for?" -- Purdue told Tech Trends Journal that companies should focus on three areas when developing a formal BYOD policy: human resources (HR), finance, and data governance.

Personnel Matters

It is important to spell out who is authorized to use their own smart device. The critical nature of certain operations may preclude some from using their personal devices, while other roles may not require "all or nothing" restrictions. Consequently, organizations may choose to develop acceptable use policies to clarify device and data ownership and cover issues like the ability of the company to destroy all or some of the data on an employee's personal smart device. (Mobile device management tools like MobileIron's can enable and help manage the use of personal smart devices in the enterprise.)

Policy development should likewise consider areas not directly related to company products or services, such as HIPAA (Health Insurance Portability and Accountability Act) and EEOC (Equal Employment Opportunity Commission). "The rules [regarding HIPAA] vary wildly by state," said Purdue.

"Transferring an employee's information using a handheld device can be illegal ... PII [personally identifiable information] and PHI [protected health information] cannot be stored in a handheld device," he noted.

Similarly complicating matters is the retroactive data collection requirement for EEOC. Companies may need to retrieve data from an employee they no longer employ, as was the case for one of Axiom's manufacturing clients. The client had to defend itself against an EEOC claim from a former employee who, with his departure, deprived the company of access to necessary information housed on his personal smart device.

Financial Implications

BYOD can help companies save money. Cisco estimates the savings from BYOD range from $300 to $1,300 annually per employee, depending on the employee's role. However, some of those savings may be offset by new expenses, such as the cost associated with managing individual employee reimbursement requests instead of an invoice from a single corporate device supplier.

Other areas of financial consideration include defining acceptable reimbursable expenses, and identifying the parameters for personal device use during international travel. In some countries, for example, it can be cheaper to rent or buy a local smart phone than to use a U.S.-based device. And what of the employee who does not want to invest his or her own money in a personal smart device? How will such situations be addressed?

Data Governance and Technology Management

"Employee-owned devices will be compromised by malware at more than double the rate of corporate-owned devices through 2014," predicts Gartner, an IT research and advisory company. With proper planning, implementation, and management, security risks related to the use of employee-owned devices in the enterprise can be mitigated by managing and controlling access to data with encryption, password protection, and authentication by role and profile.

A well-thought-out BYOD policy must be rooted in an assessment of current company networks as well as the ability to handle the influx of traffic that comes with the incorporation of employee-owned smart devices. Help desks may, for instance, require additional processes and training to handle the range of support calls.

"Organizations need to have in place the proper redundancy, disaster recovery, and business continuity plans that include BYOD," said Chris Chodnicki, co-founder and CTO of R2integrated, a digital marketing and technology firm. "With a reliance more on secure Internet access and SaaS (Software as a Service)/cloud-based applications, organizations must ensure connectivity first and foremost."

A BYOD policy must also address data distribution and the ability to support multiple device types, operating systems, and browsers. Office 365, for example, is a cloud-based service that works across platforms, but other applications may be specific to such platforms as Apple, Android, and BlackBerry. How will those applications, as well as those developed in-house, be managed across a wide array of employee-owned devices?

Beginning the BYOD Conversation

The first step to building an effective BYOD policy is to have a conversation with senior management. "It's already happening, so it's time to talk about where it's occurring and what the implications are," said Purdue. This means answering questions such as:

  • How many employees are accessing company data using devices that are not company owned?
  • What kinds of smart devices are employees using to access data?
  • How are employees sharing data in ways that are not company controlled and could introduce outside security risks? If programs such as Dropbox, Go to My PC, and Log Me In aren't being actively blocked, Purdue noted, "employees are using it, and information is leaking all over the place."

Because some employees may not be entirely comfortable with the idea that an employee-owned smart device contains information that belongs to an employer, BYOD "opens up Pandora's box, with many variables and tangents to consider," said Chodnicki. A strong, dynamic BYOD policy can nonetheless help minimize confusion and eliminate undesirable effects.
