“Why can’t I bring my own phone to use for work?”
In this modern technology-driven world, employees are often the driving force behind an organization’s decision to allow personal mobile devices such as smartphones (iPhone, Android, and Windows phones) or tablets for business purposes. Ownership of personal mobile devices is now the norm, and the demand by employees for Bring Your Own Device (BYOD) becomes greater by the second.
Despite the recent clamor, there is still reason for caution on behalf of the employer. According to Gartner, “Bring your own device, or BYOD, is a disruptive phenomenon where employees bring non-company IT into the organization and demand to be connected to everything – without proper accountability or oversight.”
If your company decides to allow its employees to use their own smartphone or other device for business purposes, there are a number of things to consider when it comes to securing and managing your corporate data. Here are ten important BYOD concerns organizations must consider.
Top 10 BYOD Concerns for Organizations:
When company data moves around your organization, it becomes more and more difficult to manage and even more difficult to protect. Adding an employee’s personal mobile device to the mix only magnifies this problem. How can you guarantee that the business data on the employee device will remain secure? Will you require employees to password protect their device? It is advisable to have an encrypted portion of the device on which only business data resides.
2. Records Management
In addition to the security and protection of the data on BYOD devices, if your employee is creating or consuming important business-related data on their iPhone, some accounting of the data is also required. Depending on the industry in which you operate, different regulations require your business to govern the data on these new devices.
3. Legal Holds & eDiscovery
Documents created, read, or revised on employee devices are subject to legal hold and discovery. The Federal Rules of Civil Procedure (FRCP) state that a business must preserve and produce electronically stored data under its control. This means that if you become the target of a regulatory or legal action, your employees’ devices (and all the data therein) may be subject to legal hold. Are you prepared to deal with this sort of data management nightmare? Make sure your BYOD policy is clear on how this will be handled.
4. Device Control
Once a device contains business-related data, it is advisable to install specific software or hardware controls that allow for remote monitoring, records management, and remote wipe capabilities in the event that the device is lost or stolen. Providing these devices with secure network access through a VPN is also a wise decision.
5. Policy Control
Device policy and procedures are extremely important in this type of environment. Your policies should dictate specific systems or data to which BYOD devices do and do not have access. These policies should also dictate that employees be required to immediately report lost or stolen devices so appropriate actions can be taken.
6. Employee Privacy
Your BYOD policy is important to the protection of your organization’s data, but you must also remember to protect the privacy of the employee. Your policy must be clear about how much access to the employee’s personal data is required.
7. Data Backup
Most modern mobile devices and operating systems now include automatic cloud backup of at least a portion of the data contained on the device. There are a number of other cloud backup solutions that your employee may have installed on their phone or tablet. This backup process can be problematic once business data is present on the device, because the data may contain trade secrets or other important organizational information that shouldn’t be stored on personal cloud storage. Employees may need to advise the company of any cloud-based storage they use with the device, and employers may want to demand access to any cloud storage of company documents.
8. Termination Policy
When an employee leaves a company, whether on amicable terms or as a result of termination, the possibility of data theft is high. Once you have a departing employee with a device full of information, it becomes paramount that you have a clear policy in place that deals with this sort of situation. Preventing their access to systems and documents can take time. Make sure this task is managed before they walk out the door…with their device.
9. Plan Acceptance
Along with the development and implementation of a BYOD plan for your company, a written version of the plan should be presented to employees and written proof of their acceptance should be obtained. Your BYOD plan is important to the preservation of your organization’s data and trade secrets, but it’s worth nothing if it is not legally actionable because you did not sufficiently inform your employees of the ramifications, such as the company’s need to wipe the device’s data (personal and business-related) if it is lost or stolen.
Policies are important, but training on your company policies is essential! Your BYOD policy will not be successful if you do not teach employees how they are or are not allowed to use their own personal devices for business activities. Train your employees on what files they can and can’t access with their devices and why. If you do not provide comprehensive training and refresher courses for your employees, they will lose sight of the rules and procedures and a data breach will be inevitable.
BYOD is here to stay. Employees will continue to request the use of personal mobile devices in the workplace. Most businesses will need to decide whether to concede to these demands or provide an adequate, modern, company-controlled device. Regardless of the direction your organization goes on this issue, taking note of the ten points provided above and creating a comprehensive BYOD policy will be essential to the success of the program.