What to be wary of with the increasing BYOD trend!
You may know it as BYOD, or you may know it by its full name, Bring Your Own Device. Either way, it’s becoming an increasing trend as employees prefer to use their latest gadget-packed toy for work, and employers believe this is a cheaper option. Whilst it can be a perfectly manageable option for some businesses, there are some pretty big things you need to consider before deciding if it’s suitable for yours.
Bring your own device (BYOD) refers to the policy of allowing employees to bring personally owned devices such as laptops, tablets, and smart phones to their workplace, and to use those devices to access company information and applications. Here is a list of the top topics you need to really look at first.
Security is one of the biggest issues with BYOD because allowing employee devices onto your business networks brings significant risks, and it should be a definite no-no for staff who deal specifically with sensitive, personal or commercial information.
Your IT team would need to set strict and enforceable guidelines for staff, and that means staff have to be vigilant about security at all times, whether they (or their family) are using their device for work or pleasure. The responsibility for security will very much be down to the employee to ensure their devices are patched, perhaps encrypted, and have up-to-date antivirus software running. For the individual user this can be something they don't prioritise as highly as you need them to, or an area that they don't have any knowledge in, and failure to do this could lead to the device being bounced off your corporate network, or worse, a data breach. You as an employer become reliant on your numerous BYOD staff to ensure these things are done, whereas if you deployed business devices this would be overseen by your IT department, who are trained and experienced to ensure safety and security criteria are met and maintained.
Furthermore, various members of the family often share certain devices such as tablets; a child may play games on their parent's tablet and accidentally share sensitive content, or a toddler may start sending pictures of their nostrils to customers from their parent's phone - not very professional!
It's worth noting, and making clear to your staff, that business data, records and documents created, read, or revised on employee devices are subject to Legal Holds in the event of any business litigation, investigation, or audit. This means that if you become the target of a regulatory or legal action, your employees' devices may be subject to legal hold. Both parties will need to fully understand what this entails: that the device and all data on it, and accounts associated with it like Dropbox or other cloud storage, will need to be confiscated and frozen to preserve all forms of relevant data and information in these circumstances. There are also other legal issues; for example, it's unclear who would be liable if a device used both for work and at home was also used for illegal downloading.
Device Control -
Once a device contains business related data, it's good business sense to purchase software or hardware that allows your IT team to remotely monitor these devices, and have record management over them. This obviously comes at a price. You would also need to use these management systems to dictate specific systems or data to which BYOD devices do and do not have access (apps, games, browsers, websites etc.). Remote wipe capabilities would be needed in the event that the device is lost or stolen. And if your employee's device is lost or stolen, and they have neither the insurance nor the money to replace it, then whose responsibility is it to find another way? They can't work without a device, but the hardware was something they were responsible for maintaining?
Your employees will also upgrade their devices and their old devices may be sold or handed along to a family member, so you would be reliant on the fact that your employee would let you know as soon as this happened so your systems could be updated, the old device could be wiped and the new device set up with all the business requirements. This would be a reactive and often time-consuming way of working (imagine 30 employees all changing their devices at 30 different points in the year), rather than the smoother planned bulk deployment when working with business owned devices.
Software developers and device manufacturers are constantly releasing security patches due to the continuous increase of malware threats. Your IT departments must be prepared to have the necessary systems and processes in place that will apply the patches to the various devices that users may choose to use. Again, this is a reactive and costly way of working when you are having to support a potentially very broad variety of devices, whereas businesses without a BYOD policy have the benefit of selecting a small number of devices to support.
And what about the compatibility issues? If one employee has a Windows 7 laptop but everyone else on the team is using an Apple iPad, they may not be able to collaborate effectively. Or if your business requires a specific app or piece of software on a mobile device, is it going to be compatible with all makes, models and operating systems that your employees use? If this software or app requires a hardware tech upgrade (e.g. an app where the newest version no longer supports a Samsung 6, only a Samsung 7 or newer), who is financially responsible for this forced hardware upgrade?
Unease in the Workplace -
Allowing BYOD can unintentionally create an uneven playing field between staff in your organisation. If one employee spends a lot of money on a high-end device so they can get their work done quicker, this could lead to huge resentment, as your other employees find themselves having to spend more of their own cash to keep up with their colleagues. Not great for team playing or staff morale. Using business issued tech avoids this problem – like a school uniform, a bit boring but at least everyone is equal.
Data and GDPR -
When business data moves around within your business it is already sometimes difficult to manage, track and protect. Adding an employee's personal device to this data flow only magnifies this problem. How can you guarantee that the business data on the employee device will remain secure?
Add to this the fact that most modern phones, tablets and laptops now include automatic cloud backup of the data contained on the device. The data being backed up may contain trade secrets or other important business data that shouldn't be stored on personal cloud storage, or outside of your business if it's written in your GDPR policies that this won't happen. All of a sudden, your GDPR obligations of keeping track of your data flows and keeping your data stored within your business can become much like trying to keep water in a sieve. That could be a big fine if your customer data is found to be stored outside of your business network!
Employee Privacy -
Your BYOD policy is important to the protection of your business data, but you must also remember to protect the privacy of your employee as well. Your policies must be clear about the required amount of access needed to the employee's personal data. IT departments that monitor usage of personal devices must ensure that they monitor only work-related activities or activities that access company data or information. You've also got to make it clear that their personal mobile number will become public to their co-workers and customers, making them accessible around the clock. It's easy to turn off a work device over the weekend and relax with complete separation of work from personal time, but not so easy when your work and personal device are one and the same.
When an employee leaves a company, whether on amicable terms or as a result of termination, the possibility of data theft is high. Once you have a departing employee with a device full of your business data, it is essential that you have a clear policy in place that deals with this sort of situation. Revoking their access to systems and removing data from their devices can take time and will need to be completed before they walk out the door...with their device.
With a mutual decision to part ways, the wiping of a device is a fairly relaxed process; however, a less than happy split may result in a remote wipe of the device, and there are grey areas as to whether this breaches personal privacy once the employee has left.
A key issue of BYOD when it comes to phones is the phone number, and more importantly the ownership of the phone number. When employees in sales or other customer-facing roles leave and take their phone number with them, which may have been a published number in a public domain, customers calling the number will then potentially be calling competitors, which can lead to loss of business for you.
Plans, Processes and Training -
Another cost in time and money when it comes to BYOD is all the processes, policies and training you will need to plan, write and do as a business. A written version of the processes and policies will need to be presented to employees and written proof of their acceptance should be obtained. Any BYOD policy will not be successful if you do not teach employees how they are or are not allowed to use their own personal devices for business activities. You need to train your employees on what files they can and can't access with their devices and why. If you do not provide comprehensive training and refresher courses for your employees, they will lose sight of the rules and procedures and a data breach will be inevitable.
Business airtime contracts are designed to save money, and you can get great data and voice bundles to keep your costs down and, more importantly, keep control over them. You have no control over the personal contracts of your employees, or over the costs of data, minutes and texts on their airtime contracts when they get charged back to you. Your finance team will also have additional work each month with all your employees invoicing you back separately, which is very time consuming if you have a large workforce and takes valuable time away from them. You will also need to have policies in place around working hours and overtime/antisocial hours, as the ability to do "work" at any hour of the day and night and weekend is now wide open to your employee. Policies and ground rules will need to be written and set in place if you are considering BYOD, to avoid overtime hours claims becoming an issue.
So, to summarise, BYOD may not be the nice easy time and money saving option you believed it was. Sorry about that.