Bring Your Own Device (BYOD) is all the rage these days with corporate IT departments. The fast pace of the march towards BYOD has surprised many. Led by the love that users have for their smartphones, iPhone and Android, it was executives who first told their IT partners to get their work email on their personal devices. Why? Because that BlackBerry doesn’t have Angry Birds. I kid, but there is truth in that statement.
So, let’s spend some time today talking about the risks of embracing this trend, both for the company and for the individual. Along the way, we can talk about some of the benefits, too.
For The Company Embracing BYOD
The first thing that IT departments face is the perceived lack of control that they must accept. There are many technologies out there to help mitigate this, but there is some control that you have to let go of. One of the major vendors in the BYOD space is Good. Good provides a secure container in which all your corporate information resides.
What about the user taking information out of this secure container? My quick response is: what about your user taking a printed report or presentation out in their backpack, and what do you do to prevent that? Mobile devices make this transfer easier, but if you don’t prevent the latter through searches when your employees leave, as depicted in Mad Money, you are already taking risk. Using a secure container such as Good’s or MobileIron’s may actually provide better controls than you have today.
When implementing these technologies, though, you need to do it with eyes wide open and not put all your faith in the technology. One of the earlier security holes in Good is the screenshot capability. Your user could open their email, take a screenshot and then open that up on the unsecured side. If you have a large enough IT staff you can go through a security audit, but much like water will always find a way downhill, there will always be security holes you hadn’t thought of. Bad actors will also find a way.
Just because you implement BYOD and do your security audit doesn’t mean that all the other associated laws and regulations do not apply, or are applied differently. Do your employees handle health information? Well then, HIPAA laws still apply. If you handle credit card transactions, PCI regulations still apply. Oh, and privacy laws, in all their variety and splendor, also apply.
The litigation attorneys have also begun to sit up and wonder about the risks with BYOD. If you are involved in a lawsuit, and let’s use patent as an example, what about the information that might be contained on the personal device? Yes, you told your employees not to store any information outside the container, and that might be a great response, but there is still a good chance that you will have to put some sort of litigation hold on that person’s personal device. That might even mean taking that person’s device. Let’s talk about that more on the employee side, but this is something you need to think about as well.
Outside the security and litigation implications that you need to think of, what about the employment implications? For a while, it was only your executives who were clamoring for this; now every level of your organization wants this type of access. For some, I wonder if they should really want it, but leaving that aside, there exist some thorny issues here. For those in California, I would suggest you really get with your employment lawyers and look at the issue of compensable time. There exists very little safe harbor there, so beware. Even outside of California I would recommend you look into that issue, especially when you consider what some have been doing when implementing BYOD: stipends for participation. I think those that have offered webmail-type access outside the corporate network may have some of the beginnings of the policies and click-throughs you may need.
Given some of these issues and other issues, you might wonder why you would ever go this way. Your employees don’t need access when out of the office, right? Probably a good answer for a portion of your employee base, but for knowledge workers that is not a good answer. So, why not issue a corporate-owned device to every employee? Follow the money and you will see the real reason why companies are embracing BYOD. As much as I like to think that companies are about engaging and empowering their employees, in this case look at the cold hard numbers. Companies are saving hundreds of thousands of dollars by allowing employees to use their own devices, and that is even when all the other risks are taken into account. Remember what I said the other day about something being free? It applies here as well.
For The Employee
On the employee side, apart from the litigation concerns expressed above, this is mostly a practical discussion. Do you really want 24/7 access to your work resources? For some, this is just a fact of work. Others want to unplug, and if you can be accessed 24/7/365, an expectation may be created that you will be. And if you can do work-related correspondence anywhere, you need to consider where you are when you do it. It’s one thing to be on the beach and answer a quick question; what about Friday night at Happy Hour after two cold ones, when you are asked something over email? Should you respond? Are you impaired? If you were at work you obviously wouldn’t be, but now you have the chance to say something that you wouldn’t say were you at work.
As for the litigation concerns expressed above, you do need to consider what right your employer has to take your device or to direct your use of it. In a litigation hold, you may be told not to delete any information on the device. If your device is taken, are there provisions to provide you a replacement device while you don’t have it? Since this is your personal device, you might miss that call from Mom inviting you over to Saturday dinner. What about that personal email you have in your inbox from a competitor trying to get you to move companies?
BYOD, New Opportunities, New Problems?
I think BYOD is the future, to be honest. The money will drive it more than anything, in my opinion. It is a bit humorous to think that the company that has been the most hackneyed in its pitches to corporate customers, Apple, has been the one that drove this wedge. Employees having iPhones and wanting to use them has pushed IT down this path; it definitely wasn’t IT looking at the technology and thinking about what can be done. Now, with Android and the other mobile platforms, the consumerization of IT is inevitable.
Technology may provide some answers to the problems above. An argument can be made that if I have a secure container and I advise employees not to use the personal side, then requiring employees to turn over personal devices is just too much of a burden for too little of a gain. Samsung’s SAFE technology has tried to take the secure container one step further. At the end of the day, employees are still employees and some will always find a way. Look at all your other processes and update them for this new paradigm.