When it comes to technology trends in the workplace, the evolution of bring your own device (BYOD) is like no other. IT leaders with corporations, school districts, hospitals and every other kind of business have had to find appropriate ways to accommodate smartphones, tablets, laptops and related accessories brought in by employees and the people they serve.
This is a part of a larger trend as the lines between our work lives and personal lives have become more blurred, with users seamlessly transitioning at any time of day or night. Users now have devices of their own choosing that are not part of any standardized set of equipment. While this gives them power to perform important authorized work tasks on familiar equipment, it also allows them to switch instantly to personal or unauthorized activities. As a result, organizations now have to take proactive steps to protect their critical business data, limit unproductive time and prevent inappropriate use of their IT infrastructure or violations of labor laws, which can lead to costly legal problems.
Ironically, employees who are able to utilize their own devices for work are often more productive, and in some cases they can actually reduce the IT spend for their employers. They also tend to view a company that allows BYOD as more forward-thinking. More than 60% of millennials, the fastest-growing segment of the workforce, tend to use personal devices for work. This population also tends to value opportunities to work with organizations they perceive to be more technologically savvy.
Because these devices are not selected or controlled by the organization, IT leaders have little ability to choose what security measures are implemented, how often they are updated, or if those measures are even turned on and used correctly. Like USB drives, these devices can bring malware in or carry critical data out of the organization.
Users may elect not to use lock codes or timeout features on their devices, or they may share devices with others or use them on unsecured WiFi. All of this creates opportunities for unauthorized people to access confidential information on that device. Beyond the obvious threat of leaking proprietary information, there is also the risk of lawsuit for losing your customers’ personal financial or HIPAA-protected medical information.
While wireless connectivity was originally limited to senior management or those with specific work-related needs, now almost every organization must accommodate wireless devices for many employees, as well as customers, visiting vendors and others.
Once you have determined that it makes business sense for you to support BYOD, you will need a set of policies and procedures for your employees, as well as a disclaimer for other users. The IT, legal, operations, risk management and HR departments will need to collaborate to determine the specific needs of your organization and the legal protections needed. Your policies will help you ensure that users understand in advance what is expected of them.
Employees may also be concerned about their privacy, as their devices may contain their personal health and financial information. They may be concerned about co-workers inappropriately accessing their personal photos, videos, contacts, etc. They may worry the company could inadvertently wipe their personal data after their employment ends.
Some employees may feel more comfortable engaging in inappropriate behavior such as harassment, stalking, defaming on social media, visiting inappropriate websites in the workplace, etc., when using their devices than they would on their company-issued machines. Again, stating the expectations and consequences clearly in advance can help you avoid problems and costs in the future.
Your BYOD policy should also address compliance issues. For example:
Fair Labor Standards Act: If non-exempt employees are using their personal devices to perform work-related tasks “off the clock,” your organization may be in violation.
Expense Reimbursement: In some states, employees must be reimbursed for the costs of a voice and data plan and other expenses if they are permitted or required to use a personal device for work.
Litigation Discovery: If your organization is required to keep business records for a period of time, you need to ensure that relevant data is stored using company-controlled infrastructure and never lost with a personal device.
What to Consider When Developing a BYOD Policy
- Are there certain apps that your team prefers or your company has adopted? If so, are they available across operating systems?
- Should you implement SSL VPN to protect data when an employee is using an unsecured WiFi connection? Should you encrypt all corporate data?
- Should you use Mobile Device Management (MDM) technology to segment your data on employees’ devices? This would allow you to utilize your own security measures during employment and to wipe only relevant data afterward.
- Which devices will you support and to what extent? Will you offer training? Reimbursement?
- Will any classes of employees be excluded from BYOD or have limitations in place?
- Have you clearly stated the employer’s right or intention to access, monitor and delete information? Will the company use employees’ personal devices to monitor their location or behavior?
- In what ways will personal information be protected?
- What will happen at the end of employment? Will employees be asked to temporarily hand over their devices at any time for upgrades, installations, security, or termination?
- What security measures will be required? Strong passwords, auto lockout, antivirus software, regular backups and plans to deal with lost or stolen devices all become concerns for the company when employees BYOD.
- Are there any other issues or departments specific to your organization that must be considered? For example, in some organizations, marketing employees have their personal social media profiles connected to your company accounts and use their personal devices for posting or monitoring. Access to those social accounts can be difficult to regain when employment ends. Lost, stolen, or hacked devices can also create opportunities for malicious users to post inappropriate content on your organization’s social accounts.
- Would it make sense to create a representative user group to help provide feedback, evaluate opportunities and guide the evolution of BYOD in your workplace?
Bonus Tip: Have all of your management stakeholders been consulted? A successful BYOD policy takes into consideration the wishes and concerns of executive, operations, HR, risk, legal and IT leadership, as well as users. A high-quality Managed Services Provider (MSP) can help you determine your readiness and implement your BYOD plan. BYOD can have many cost and productivity benefits if implemented properly.