1. Employee Satisfaction
BYOD is a simple concept. Workers prefer to work on their own devices, and many embrace BYOD policies even if they have to foot the entire bill for their purchase. It makes workers more productive and satisfied, since they are working on the devices they prefer. At the same time, companies enjoy cost savings since they do not have to purchase as many devices as they used to.
BYOD devices tend to be newer and technologically more advanced, thus further increasing productivity without requiring significant investments on the part of the company. A study showed that BYOD increases productivity by 37 minutes per worker per week.
Not that it should be encouraged, but the same study reports that employees who use their own devices for work tend to check their work e-mails outside working hours, between 6 and 7 am and between 11 pm and midnight.
2. Resource Usage
However, what you gain in equipment savings, you lose in increased load on your IT personnel. Since BYOD devices are not uniform across the organisation – which is the point – troubleshooting takes more time, as every case is unique in some way.
BYOD devices also create other costs, such as paying for data plans, calls and VPNs. Don’t forget opportunity costs as well: BYOD devices are personal devices too, so it can be easy for employees to get carried away browsing the Internet or playing installed games, although this kind of misuse can occur on company workstations, too.
3. Legal Concerns
Data that ends up on employees’ devices does not only present a security risk (see #5). If the data is considered personal in the eyes of the law, such as customer information or user accounts, then it also falls under the scope of the applicable legal provisions.
In the EU, the main privacy legislation is the Data Protection Directive (DPD), to be superseded by the General Data Protection Regulation (GDPR) on 25 May 2018. The GDPR affords plenty of protection to personal data, and you should ensure that the data is as protected on the BYOD devices as it is on your computers.
This is, of course, insanely more difficult, and we recommend you try to ensure as little data as possible ends up on BYOD devices. However, bear in mind that overly tight access controls reduce productivity and create discontent among employees, who would have to jump through hoops in order to get to the data. Also, intrusive monitoring presents a privacy risk of its own, as employees are also protected under the GDPR.
Proper data safety measures and policies can help you stay compliant with the law. This is a must, since fines can be steep – up to EUR 20 million or 4 percent of your company’s annual global turnover. Read more on that in our dedicated article on GDPR and BYOD.
4. Proper Policies
A good BYOD policy is a great step towards ensuring good network and data security. It should clearly list the acceptable and unacceptable use cases, as well as the requirements for using those devices. It can be a bit tricky – after all, you are effectively prescribing what the employees should do with their own devices – but as long as they have the option to use your equipment if they would prefer to do so, you are well within your rights to enact restrictive policies if required.
You could prescribe that regular updates and anti-virus programs are mandatory for connecting to the company network. Several monitoring tools are available, and you can require their installation before the device can connect. Storing sensitive data (see #3) on BYOD devices can be allowed only on the condition that it is encrypted.
You can require the devices to be password protected and mandate the use of specific, vetted e-mail clients and browser applications when on company time. IT check-ups, akin to an ‘MOT for laptops’, are often seen in larger companies.
A termination clause is a sound thing to have. You might want to delete your company’s data from former employees’ BYOD devices, especially if it is confidential.
A data protection officer, who is mandatory under the GDPR, can help you draft a sound BYOD policy.
5. Data Security
Mobile device management systems are your best bet when it comes to data security. They can force certain required privacy and security settings on devices to be turned on before connecting to company networks (in other words, they force the employees to abide by the BYOD policy).
Good tools will also ensure strict on-device separation of private and work-related data. The latter may also be encrypted. Remote device wipes can be performed if the employee leaves the company or loses their device.
VPN systems are gaining traction as well. When properly implemented, VPNs reduce the risk of interception of sensitive data. This is particularly important, since research by HP shows that almost all apps (97 percent) contain some sort of vulnerability. For very sensitive data, consider mandating that only safe apps are used on BYOD phones. IBM did, forbidding the use of Siri and Dropbox due to perceived risks.