BYOD: Personal Devices in the Workplace

Establishing a safe, yet practical environment for employee-owned devices

It isn’t surprising that the proliferation of mobile devices and tablets is increasingly blending our professional and personal lives. Text message updates about a school closing interrupt a midday meeting, while business partners on the West Coast expect a prompt response to a 5:00 pm email even though it’s 8:00 pm on the East Coast.

While employers see the benefit of supplying staff with smartphones and tablets, they also know this benefit brings added expenses and risks, such as company-issued equipment being used to play Angry Birds, listen to music, or stream movies on the weekend.

The bring-your-own-device (BYOD) movement attempts to thread the needle by allowing employees to use their own devices—i.e. smartphones and tablets—as tools to help with job responsibilities and increase productivity. As Michael Osterman, IT analyst and president of Osterman Research, recently presented in a BYOD Best Practices webinar, BYOD can improve employee productivity, offer anytime/anywhere access to customers and team members, increase employee satisfaction, and lower corporate costs.

While at first glance this may sound like the perfect solution, BYOD usage must be carefully planned and managed to avoid confusion and backfiring. This article discusses several important considerations for establishing a BYOD policy at your company.

Start With the End in Mind
Educator and author Dr. Stephen Covey famously wrote to “start with the end in mind.” When it comes to establishing a BYOD policy for your company, the first place to start is documenting what you want to achieve and what you want to avoid.

For example, common BYOD business objectives include empowering employees, improving communication and collaboration, facilitating business processes, controlling costs, and protecting your network and data. This simple exercise of documenting what BYOD must accomplish can help guide decisions about your policy and which technology and procedural solutions to use.

Technology Solutions
Although by definition BYOD means the employee has purchased and owns the device, it is important for the device to be equipped with technology solutions that manage, secure, and facilitate its use while achieving business objectives.

A primary BYOD concern relates to the device being compromised; that is, either lost or stolen. Osterman cautions, “Content retention and management is more difficult. A lot of corporate content is sitting out on a mobile device and employers don’t have access to it.”

Michael Toms, director of IT at HMC Farms in Kingsburg, CA agrees: “Allowing data to leave the network is always a risky proposition. With leaks at even the highest level of government, it is close to impossible to lock all information up; employers must balance the realities of easier access to corporate data with the benefits that BYOD provides.”

Equipping devices with applications like Apple’s iCloud Find My Phone, Lookout, or AirWatch can assist users or IT managers in locating a lost or stolen device and remotely “wiping” a device of all its data if necessary. While this is an important feature, it comes with risks that need to be properly documented in the BYOD policy and communicated to end users.

Toms recommends that employers “ensure that access to corporate data can be easily discontinued and business policies are adhered to. Most modern email systems allow remote wipe and other security policies to be applied to the phone when emails, contacts, or calendar functions are synchronized with corporate resources.”

As we’ll discuss with procedural solutions, employees need to understand that in the event the device is lost, all of their own personal items on the device (such as music, pictures, documents, and applications) will potentially be wiped from the device. As an extra measure, Mike Dodson, president and CEO of Lotpath, Inc. in Fresno, CA, comments, “Companies should carry sufficient commercial insurance to cover employee devices being stolen, damaged, or lost.”

Installing and using virtual private network (VPN) software or similar encryption solutions when accessing company resources, such as customer relationship management (CRM), enterprise resource planning (ERP), or sales applications, should be a mandatory requirement of every BYOD policy according to the sources we interviewed.

Another concern relates to malware protection. “If you have an employee with a personally-owned Android device, you have another potential entrance point for malware,” Osterman states, adding, “most malware out there is directed at Androids.” Mobile device management solutions, such as Lookout, help protect against viruses or malware being installed on the device.

Procedural Solutions
For employee-owned devices, no technology solution will completely eliminate the risk of company data or networks being compromised. Thus, a company BYOD policy needs to be established, communicated, and understood so employees are able to benefit from this offering. As Toms explains, “Before giving employees access to business resources, employers should clearly communicate that business policies will be enforced. Even though the devices are owned by the employees, the data belongs to the employer.”

The BYOD policy can begin with a list of suitable devices. The list can be a combination of devices with reasonable built-in security (such as locking tools) and devices the IT team can quickly configure because they are familiar with the device and operating systems. Dodson reports that employees at Lotpath use a variety of devices including Android phones, iPhones, iPads, and Kindle Fire tablets.

The policy can also list specific applications which should be installed on the device (such as a VPN app or mobile device management app) as well as applications that cannot be installed (such as file sharing). Industry or governmental partners may also guide these decisions—if a partner has certain security or trade requirements for viewing, using, or storing data on mobile devices, this should be outlined in the BYOD policy.

The policy should clearly communicate to the employee what would trigger the company to completely wipe the device remotely. These triggers should be carefully considered, including whether it makes sense to completely wipe a person’s own device if he/she leaves the company or is terminated. Toms advises, “In the event of termination, all company data should be remotely deleted from the device. There should be proper documentation that this policy was given to the employee.” Likewise, expectations must be set for the employee to report to the company if the device is lost or stolen.

Additionally, your BYOD policy must specify who is responsible for recurring fees. At Lotpath, for example, employees are provided a monthly expense reimbursement for business use of their personal devices. Based upon his experience, Dodson finds employees are often at risk of depleting their cellular carrier data plan allowances when using their personal device for business purposes. He strongly suggests a company’s BYOD policy “address data plan usage and the allowance or reimbursement schedule.”

Finally, the IT manager should review the BYOD policy with any employees who desire to use their own device for business reasons. Business owners are also encouraged to consult with their human resources and legal team for advice about requiring employees to sign a BYOD policy, or incorporating it into their overall employee handbook.

Bring Your Own Device (BYOD) Policy Snippets

The National Association of Realtors (NAR) has a BYOD policy employees are required to sign. Following are policy excerpts you may find useful.

The following modifications may be made to your mobile device:
• Installation and configuration of necessary software, including security software, such as a VPN client, upon employee request
• Implementation of remote erase capabilities, which will give NAR the ability to completely erase your mobile device if necessary
• Set the mobile device to lock after ten failed login attempts.

You must immediately notify the company:
• If your mobile device is lost or stolen
• When you stop using the mobile device
• When you give notice or terminate your employment.

If remote erasing is deemed necessary, the company will attempt to only erase NAR data, but reserves the right to completely erase the contents of your mobile device, which will result in the loss of any personal information (e.g., contacts, photos, music).

Unless eligible for and on a corporate plan, NAR is not responsible for payment of any portion of your mobile device service contract or for your mobile device.

Source: National Association of Realtors.

Tapping the Benefits
While some have joked that BYOD really means “Bring Your Own Disaster,” the trend toward BYOD and mobile apps does not appear to be a passing fad. According to Dodson, “Lotpath foresees a future where most produce companies have employees carrying various types of devices from various vendors.” And, there are plenty of BYOD success stories.

For Toms, the pros outweigh the cons at HMC Farms: “The majority of our sales, accounting, and operations employees have access to our ERP system, email, and other strategic information 24 hours a day, seven days a week, 365 days a year. This allows our company to constantly react to the variable nature of fresh produce. Our employees enjoy the freedom of not being tied to a desk.”

Before simply opening up corporate content and networks to employees, however, employers need to carefully evaluate the risks and proactively implement sound technology and procedural solutions.