BYOD's Blurred Lines
The Risks and Rewards of Using Personal Technology for Work
Getting the latest technology has become a bit of a sport. Tech-savvy individuals keep a close ear to the ground on new launch dates, strategize on store selection, pitch tents and brave long lines for days to be one of the first to snag the newest technology. When Apple launched its seventh iPhone on September 20, for instance, the lines wrapped around stores in all parts of the world, from China to New York to London. Just three days after the launch, Apple announced it sold a record-breaking nine million new iPhone® 5s and iPhone 5c models.
Lots of people love new technology. They like to have the coolest devices in their possession as soon as they can. Just as many businesses look to streamline operations and be more efficient, individuals are streamlining their personal operations as they are able to navigate, shop, bank and communicate with one hand-held device. That means that a growing number of employees are going to work wanting to use their own personal devices to access corporate resources and information. They certainly do not want to be weighed down with excess technology, like a company-issued device.
This is prompting more and more companies to develop Bring Your Own Device (BYOD) programs in response to workforce demand. While employees can deploy the newest gadgets and technology advances in every aspect of their lives, it often takes time for their employers to do the same. Rolling out new technologies company-wide often requires testing and adapting them to meet business needs, especially data protection requirements. Given the quick pace at which newer operating systems and new technologies emerge, rolling them out to an entire workforce is a much bigger and costlier task for companies. So why not let individual employees use their own devices for work?
Risk vs. Rewards
BYOD advocates say that such policies promise many benefits such as better work-life balance, increased employee morale, and improved productivity while, at the same time, offering a chance to reduce expenses for the business. Plus, for the next generation of workers, who have grown up using the latest technology, many feel that BYOD can even attract new talent. Not all employees, however, are won over by using their own devices. Many like keeping their personal and work life separate and have concerns about their privacy when giving their employers some access to their personal devices.
There's no question BYOD blurs the line even more between work life and personal life for employees and presents significant data security and IT challenges for employers as well. Among concerns for employees:
- Personal Data Loss:
Many companies rely on built-in features and software tools to secure and manage the data on an employee-owned device, giving the employer the ability to enforce password protection and remote wipe and lock. Others employ sophisticated Mobile Device Management software to allow corporate IT access to any application and the core functionality of the employee-owned device. In case of unauthorized access, job termination or other scenarios, these tools have the capacity to delete the entire content of a device, including personal photos and videos, or render the device unusable.
- Tracking Whereabouts:
A feature of Mobile Device Management software is the ability to track in real time the location of the device. This feature helps determine whether a device is lost rather than stolen before initiating a remote lock or remote wipe. Essentially though, using these tools, IT departments may be able to track an employee’s whereabouts anywhere and anytime.
- Phone Number Ownership:
Often overlooked, this issue becomes most apparent when employees in sales or other customer-facing roles leave the company and take their phone number with them. Customers calling the number could potentially be contacting competitors, which can lead to loss of business for BYOD enterprises.
- Give it Up to Discovery:
From a legal standpoint, the fact that you own the device may be irrelevant in case of litigation. If a company is involved in litigation, employees might be surprised to find out that their smartphones, tablets and laptops may be subject to discovery requests, which could lead to a request to surrender their personal devices.
From the corporate IT perspective, there are also some serious challenges including security, risk, infrastructure, and operations. Additionally, for companies with multinational operations, there is the added challenge of developing a fair and uniform policy across the globe when privacy laws differ significantly by country. Other company concerns include:
- Data breaches:
Any time a phone is lost, stolen, or even simply sold or exchanged, there is a significant potential for corporate data loss. For instance, what if an employee uses a smartphone to access the company network and then loses that phone? It leaves the company’s unsecured data on the phone vulnerable. Another type of security breach occurs when an employee leaves the company: because they do not have to give back the device, company applications and other data may still be present on it.
According to a report by the Boston-based research firm, the Aberdeen Group, a company with 1,000 BYOD smartphones spends an extra $170,000 per year, on average. It cited one big BYOD hidden cost -- processing all those additional expense reports. Another cost is Help Desk support to provide assistance for the myriad of devices that an employee might choose.
- License Limitations:
Software licenses often place restrictions on the type or number of devices from which software can be accessed and used, and it is not uncommon for a license to limit access and use to devices owned by the business. Such limitations could prevent an employee from accessing the relevant software from a personal device, or force the business to pay more.
- Liability Concerns:
When an employee’s smartphone data – which may include songs, videos of their children and family pictures – is wiped for corporate security reasons, can a company be held liable? Certain aspects of a BYOD program may fall outside the scope of traditional insurance policies, and it is important for a business to clearly understand whether its insurance protection will cover work conducted on devices that it does not directly own or lease.
If You Can't Beat 'em...
According to Gartner research, 70% of mobile professionals will conduct their work on personal smart devices by 2018. Most businesses are realizing they must embrace this growing trend, especially among the newest generation of their workforce. Therefore, they have to develop effective policies, protocols and procedures; employ the latest device management systems and tools; and ensure that their cyber risk management efforts and insurance policies adequately cover their BYOD risks.
- Require Employees to Sign the BYOD Policy:
Companies need to craft a strong BYOD policy that clearly defines not only what sensitive company information can be contained on the device and needs to be protected, but also how a company intends to control access, and what rights it has to do so if employees choose to access this information on personal devices. Employees should be required to sign an acknowledgement that they have received, reviewed, understand, and agree to comply with the BYOD policy. The policy can also outline disciplinary action for employees who fail to comply.
- Minimize Risks with Mobile Device Management Solutions:
To limit access to some applications and control business data stored on mobile devices, corporate controls are a clear necessity. For most, that means investing in a Mobile Device Management (MDM) platform that inevitably gives companies some control over employee devices that can access their network. Today, available MDM solutions can also carry out activities such as:
  - device provisioning and configuration
  - software distribution
  - encryption and password management
  - remote wipe and lock
  - blacklisting/whitelisting applications: whitelisting means the organization pre-approves an application for use, allowing the employee to download it to the device; blacklisting is the opposite, where the organization either blocks a particular app or informs employees that they may not download it
  - separating business use from personal use (containerization)
- Establish Protective Protocols:
Employees use many devices, and they expect to use any device or application anytime, anywhere. But companies need to manage growing workforce expectations around mobility, and establishing protocols helps manage those expectations. Protocols can range from allowances and policies for reimbursement of costs related to using personal devices, roaming time, etc. on company business to how a company handles the deletion of company data and programs on a personal device when an employee leaves. Such practices need to be clearly communicated and followed.
John Coletti is an underwriting manager for XL Group’s Cyber Liability business. He helps companies address their technology risks. Tom Dunbar is XL Group’s Chief Information Risk Officer and manages our network and security risks, including our BYOD policy.