The bring your own device (BYOD) phenomenon is an emerging trend in the workplace. Many workers, especially members of Generation Y, expect to bring their smart phones, tablets, laptops, e-readers, and other devices to work and access them anytime. With the right strategy in place, BYOD can provide benefits to a company, but it also raises questions. Nearly 200 chief information officers (CIOs) said that while they know this movement is inevitable, it remains their No. 1 area of concern. This article explores those implications.
Differentiation of data. When you institute a BYOD program, those devices will harbor a mix of personal and corporate data. Therefore, measures need to be in place to balance privacy needs of the user against security concerns of the organization. For example, if an employee downloads a content-sharing service like Dropbox, how can the organization make sure its confidential data is secure even if the user’s grocery list isn’t? If the device has GPS capabilities, employees shouldn’t worry that someone is tracking their whereabouts at 2 a.m. Users need to feel confident that their location, banking information, or personal documents aren’t being monitored. Let your staff know which data information technology (IT) is responsible for and which data IT isn’t allowed to access.
Security. Any device that’s incorporated into a BYOD program should have password guidelines. While a strong password is always advised, a key piece of protection for portable electronics is a limit on password attempts. There needs to be a balance between locking down a stolen device and allowing a user to reset her password if she simply forgot her security code. The enforcement of time-sensitive (monthly, every six months, etc.) password changes is something else for the organization to consider. Another significant point of concern is how to erase content from a device. This is important in the event a phone or tablet is lost or stolen or if an employee leaves the company but takes his personal device with him. Can you remotely wipe corporate data? What about personal data?
Policies. IT shouldn’t be the only party responsible for BYOD liability. It’s important that you work with HR and management to create an acceptable use agreement (AUA). Your policy should clearly explain the risks and concerns of BYOD. Education is critical. With BYOD, organizations are generously providing a degree of flexibility to the user. In return, the user needs to do her part to be aware of the implications. Make the AUA a part of the employee onboarding process. Be upfront with employees about how BYOD is managed and be clear as to who’s responsible for certain parts of the phone or tablet as well as its contents. Also, ensure that if an employee departs your organization, corporate data and intellectual property are deleted from all personal devices. Departing employees should sign a release indicating that they no longer possess company information.
Support. With BYOD, employees are no longer solely using BlackBerrys. They’re using other Windows-supported devices along with Apple products, Android devices, and varying operating systems, software, and applications (apps). Your company must decide whether any product is allowed on your BYOD platform or only specific devices. Support for myriad tools can overwhelm the Help Desk. A policy that advocates for employees using automated tools to configure their own devices can relieve the stress on your support team. Your policy should also stipulate what types of applications and data it will and won’t support when something goes awry on the device.
As with any other aspect of running a successful enterprise and managing a diverse workforce, communication is key. The CIO and the IT team need to work with human resources and all levels of management to clearly define their expectations of a BYOD program. You should also insist on a contract between your staff and your organization that clearly articulates how security issues will be handled, who is responsible for what, and how technological problems will be solved.
A successful BYOD program doesn’t mean that end users get the privilege of personal choice while IT is made to suffer with stress and overload. When organizations fully research their options before implementing BYOD, it can be a win-win for all involved. An organization that remains ahead of the curve can outperform the competition.
Plante Moran’s Approach to BYOD
In 2010, Plante Moran realized that in order to meet the expectations of its staff, a BYOD strategy was in order. Over the next several months, the firm explored a number of mobile device management platforms, ultimately selecting GOOD. “We chose GOOD because it’s a very secure platform and supports multiple devices,” says Brian Prascius, the firm’s IT security officer. “It creates an encrypted container on the device (which was advantageous because of HIPAA and personal identity laws), and it supports remote wipe capabilities for just the corporate data.”
Allowing BYOD meant that Plante Moran also had to create a personal device agreement for staff that specified how the firm would protect its data on these devices. This was important because firm data was now being stored on employee-owned devices instead of firm-owned equipment. The policy states rules such as:
- The firm reserves the right to withdraw anyone’s access privileges at any time.
- The firm won’t provide support in lieu of our staff’s phone carrier.
- Staff members must notify us if their device is lost or stolen.
- The firm doesn’t advocate using mobile devices while driving.
It’s essential that your organization’s policy considers all these factors.
“One significant benefit of the move to BYOD was that the firm got out of the hardware business,” says Brian. “It allowed staff to select the device they wanted while reducing complexity, as we’re now supporting only one version of software versus multiple versions, and we’re no longer providing hardware support. It’s been a win-win for the firm and our staff.”