If your company is considering a BYOD policy, there are several key factors to consider. On the surface, it has the potential to be a win-win-win proposition. However, depending on how the policy is implemented and managed, it could present a major gamble.
Compliance mandates and security issues are two large hurdles businesses should be aware of when weighing the pros and cons of BYOD. While many organizations have decided the benefits are worth the risks, some either haven’t embraced the concept or have decided the risks outweigh the rewards.
To implement BYOD effectively, companies should have a clearly defined policy that outlines acceptable use and points out what uses or activities are strictly forbidden. Without an established policy, BYOD can be chaotic and confusing for both the company and the employees, dooming the initiative to failure.
What About Security?
One of the biggest concerns for companies considering a BYOD policy is security.
It’s often difficult for the top brass to accept the fact that devices outside of the control of their IT department might connect with corporate data and network resources.
The 2011 ISACA IT Risk/Reward Barometer found that more than 58% of U.S. security professionals view mobile devices owned by employees as posing the greatest risk their organization faces. While every organization has a duty to protect sensitive company and customer data, those controlled by industry or regulatory mandates face fines, even possible jail time, for failing to do so.
According to Trend Micro, 46% of companies that permit BYOD reported experiencing a data or security breach as a result of an employee-owned device accessing the corporate network. Clearly, organizations need to take steps to protect themselves from the risks of lost or stolen mobile devices.
Organizations that implement BYOD should include minimum security requirements within the written policy. Mobile devices should be secured with a PIN or passcode of some sort, and data stored on the devices should be encrypted.
IT admins may want tools in place that enable the company to remotely lock a lost or stolen device. In most cases, the company could also remotely wipe all data from the mobile device, but that gets tricky: the employer may not have the right to erase the employee’s personal data unless that right is spelled out in an acceptable use policy the employee has agreed to.
Who Pays for BYOD?
When a company issues a laptop or mobile phone to an employee, it is understood the company bought the hardware and is accepting responsibility for any monthly wireless bills. When the burden for supplying devices shifts to the user, the financial waters can start getting cloudy.
Many organizations provide some sort of subsidy or monthly allowance to offset the costs. The amount is generally a set rate, which the user can apply toward their device of choice. Employees who choose hardware or a monthly service that exceeds the amount allotted from the company are responsible for covering the difference.
When employees have separate, company-issued devices, they can simply turn them off or walk away during off hours or when they are on vacation. But it’s easy for an employee using the same device for both personal and business use to have work encroach on personal time.
It’s best for users to maintain a separation between their workday and their personal lives.
The same concern exists for privacy. Merging business and personal data on a single device raises concerns among users that the employer may have access to sensitive personal data.
What do you do when an employee leaves the company?
While the equipment supplied by the employee for BYOD belongs to the individual, you need to make sure your organization has all relevant data that belongs to the company, and that the user who is leaving doesn’t have proprietary or sensitive company data.