Regardless of how you feel about the ‘Bring Your Own Device’ philosophy when it comes to the workplace, it’s now a reality. The cat’s out of the bag, and there’s no way to persuade it to go back in there with all the fish in the Atlantic Ocean. BYOD is here to stay, and any company that works with technology is going to have to start creating rules and regulations that go along with it. If you don’t, you’re leaving yourself open to confusion, criticism, and possibly even lawsuits.
There are obviously some concerns that come along with allowing a BYOD policy in your organization. While some companies say that BYOD is cheaper because you’re not spending on laptops or mobile phones for your employees, most research indicates that this isn’t necessarily the case. You’re still paying for software installation and support for the devices regardless of whether you own them, and because you have less control over when and how the devices are used, you’re more likely to be paying IT staff to fix them, too. If companies are honest, there are two main reasons they allow BYOD: convenience and inevitability. It’s convenient because you don’t have to stockpile equipment for new employees to come and collect, and it’s inevitable because, whether you like it or not, some of your staff are going to hook their company email account up to their personal phones and computers.
Because it’s inevitable, you should have some guidelines about what is and isn’t acceptable conduct for your employees – and also for yourself. We’ve given the matter some thought, and we think the suggestions below should act as a starting point.
Make BYOD Optional, Not Compulsory
We’ve already said above that you won’t have full control over your employees’ devices, even if they are full of your software. For that reason, you should never make BYOD compulsory. Offer employees the chance to use your equipment, and hopefully they’ll take it. They should have the freedom to use their own equipment, but only if they want to. Because they’re making that choice, they should be more accepting of any limitations you then place on them.
Decide Who Owns What
The moment business data is being stored on an employee’s device, there’s a debate to be had about who owns what. If the security and confidentiality of your data are of vital importance to your business, then you should have a contractual agreement stating that any business data downloaded onto any device owned by an employee remains the property of the company, and must be surrendered or destroyed at the company’s request.
Don’t Share Everything
You probably have either a server or cloud storage which your employees log into to access the programs and information they need. It’s highly unlikely that they need access to absolutely everything all the time. If there’s vitally important data on your systems which you wouldn’t want a thief to have access to if an employee’s device were stolen, lock it down. With very few exceptions, your most important data should only be available to the staff you have in your office, using your equipment. People working from home and people using their own devices should only have access to what’s necessary. Set up a tiered access system. Otherwise, you could end up paying huge fines when things get lost or go missing, like the hospital in Massachusetts which had to pay $1.5m when a doctor lost an unencrypted laptop.
The moment business information starts arriving on a personal device, the device is at once both business and personal. You’re in an ethical quandary about the level of monitoring you can and should do on their activities, but you also want to keep an eye on what they’re doing on work time. If they’re supposed to be working overtime from home, you want to know they’re not looking at NSFW material or playing at online casinos and their sister sites, but at the same time, there’s nothing in the law (or probably in your employee handbook) that says they can’t look at NSFW material or play casino games on their own devices. They might enjoy taking a gamble, but you don’t want to be gambling on where you stand from a legal point of view if you try to interfere with what they’re doing!
The easiest way around this is to partition the device completely. This is the same process you’d go through if you were setting up a computer or phone for two different users at home: it means two accounts, two usernames, and two separate areas on the device. If they’re supposed to be working, they should be logged into the ‘work’ account, and you should have full rights to monitor it.
Insist On Encryption
This is a common debate that companies have with employees using their own gear: they don’t like having it encrypted. It slows the machines down, and the encryption process comes with risks to the data stored on them. Usually, the debate ends with both sides agreeing that a strong password will be implemented, and that’s as far as it goes – even though a login password on its own does nothing to protect the data on the disk once the device is lost or stolen.
It’s absolutely essential that valuable company data is encrypted. Hacking has never been more sophisticated than it is right now, and it’s not going to become any less advanced in the future. Encryption exists for a reason, and in some cases it’s required by data protection regulations. Going back to our online casino metaphor from earlier on, you can’t afford to gamble with data security. If your staff want to use their own devices for work purposes, they have to encrypt those devices. No ifs, no buts. If they don’t like it, they can use the equipment you supply them with instead.
Naturally, there will be more things than this to think about, and some of those things will be specific to the industry you work in. We think BYOD is the way of the future – even if some elements of it are undesirable right now – and so having a robust policy in place will save time on arguments and headaches later. Make peace with the idea, and start drawing up a framework today!