Good control is good business. Total Control is great.

Wednesday, March 26, 2014

BYOD Summarized - It's a Mobile World

Mobile devices are valuable business productivity tools for companies and their employees.  And, because mobile devices increase productivity, many organizations have administered and paid for their employees’ devices.  In a quest for financial efficiency, organizations shift the cost and administration of cell phones to the employees.  An employee’s use of a personal mobile device for business purposes is Bring Your Own Device (BYOD). 

Overall, how do you want BYOD to benefit your business?  Is the set of goals clear and measurable?  How do you measure the cost efficiency, progress, and performance, in your BYOD program?

            A First Look at BYOD

BYOD shifts the responsibility and cost of cellular devices from the employer to the employees.  The gains for the employer are reduced costs, reduced support, and reduced administration.  The gain for the employee is broader choice of mobile devices.  Also, if the employee was carrying two phones, one personal and one business, he or she can now carry one phone. 

For an organization to transition to BYOD: 1) Install security, and 2) Have employees sign policies and procedures.  Easy, right?

Good control is good business.  Careful planning for mobile device management is essential for a successful BYOD implementation.  Unfortunately, many companies migrate to BYOD without careful planning.

            Risks of BYOD  

What's your risk by migrating to BYOD, and how do you quantify it?

Anthony Diana, partner at the law firm Mayer Brown, addresses the risks of BYOD: "There are legal risks, such as the ability to access information responsive to document requests for preservation or production.  There are regulatory risks associated with information on those devices that may be subject to regulatory retention and supervision requirements.  There are information security risks associated with lost or stolen devices, as well as many different devices having access to the organization’s networks.  There are data privacy risks associated with the mix of personal information with business information on one device. The question for any organization is how to best mitigate and balance these risks in light of the business demand for BYOD flexibility.”

If your organization is associated with the health care industry, inappropriate use could cause you to violate rules and regulations of HIPAA.  Something as obvious as having records in an unsecured place, like an unencrypted device, or on someone’s kitchen table, would violate HIPAA regulations.  Confer with your compliance officer.  Violations are not worth the risk.

How much do you want to avoid risks, and will your efforts interfere with employee productivity?

          Cost of BYOD

The payments for the mobile device become the responsibility of the employee.  The employee pays for the monthly cost of the service plan, overages, downloads, device upgrades, accessories, international long distance, roaming, text overages, and the additional taxes.  Corporate discount plans are not available to individual plans.   

A potential revenue leak is employees who expense cell phone costs in creative ways.  This is counter-productive to the principle of BYOD saving money for the employer. Address this problem in your policies and procedures. 

The costs to the organization are security and support, if offered.  How much money needs to be allocated to support BYOD?  Will you use a Mobile Device Management (MDM) provider?  How are future costs contained? 

Every company culture is different.  If you are on a BYOD program, does your company offset the employee’s cost with a stipend?  Are employees happy with the arrangement?  Productivity increases when employees are happy.  Will they conform to the new policies and procedures?  Are your employees spending company time on maintaining and trouble shooting their mobile devices?  Is your organization saving hard-dollar costs under BYOD? 

          Managing Mobile Devices Owned by Employees

The employee’s use of a personal mobile device becomes subject to restrictions of the organization’s policies.  How much authority does your organization have over an employee’s personal property?  Prepare employees with clear communication for the transition to their responsibility of the cost and policy restrictions.

Anthony Diana also states that BYOD imposes risk in that, “… organizations find themselves almost entirely dependent on policies and their employees’ compliance with such policies to manage the considerable risks associated with electronic data.”  An organization “…is forced to rely more heavily on employee participation and compliance with policies to manage risk.” 

Diana highlights the need for clear policy, and also audit procedures, “Because an employee’s use of his or her personal device is largely outside of the employer’s control, critical components of any BYOD program include a clear, concise policy that is developed with the input of all the relevant stakeholders, together with audit procedures that validate and ensure compliance with that policy.”   The organization should set policies and enforce its policies.  

Your employees expect to use their devices and applications at all times.  How much support will you offer to your employees?  Is your help desk ready to assist with the variety of devices?  Many companies find that centralized management and support of BYOD is not practical, because of the variety of devices and carriers, therefore each employee becomes responsible for his or her own device and technical support. 

Employee Productivity – some staff need more support than others.  Are there employees who have less ability to fix his or her cell problems?  Should fixing cell issues be considered company time or personal employee time?   You will rely on employees to be responsible for lost, stolen, and malfunctioning devices.  You want your employees to invest time to trouble shoot problems and manage invoices? 

BYOD is easier without corporate applications, because the corporate applications add a layer of complexity.  Your applications must meet the demand of employees.  Will applications cause technical constraints and difficult deployment?  Do corporate applications work on all devices and platforms?  What limitations are there on applications?  How well defined is the company’s policy? 

What are the side effects of BYOD, if any?  For example, think about telephone numbers as a company asset.  Would you port-out your main corporate phone number to one of your former employees?  How about the number to your purchasing department?  The point is that a mobile number used for business is your organization’s property.  Whatever that employee does for your organization, the employee may be terminated, and the phone number is property of the employee, not your business.  Clients and vendors will use the mobile number to contact the employee, terminated or not.  

Overall, how much accountability to you expect from your employees?  What are your audit procedures that validate to ensure compliance with the policies?  


Security and data loss remain top concerns for companies that allow BYOD.

A recent statistic from Canada reveals that 58 per cent of Canadian organizations are losing corporate information through laptops, smart phones and tablets used by employees.   

Ensure that basic security includes: Requiring employees use a complex password, or better, a pass phrase, if the device can accommodate it.  Use encryption.  Enable GPS tracking to help find lost devices.  Wipe business data from lost devices, ask the employee if he wants the personal information wiped from the lost device.

If unmanaged, BYOD can allow hacker access to your network resulting in data loss. You need effective network access controls and policies to secure your data.  One part of policy is to require employees to install mobile security solutions on their personal mobile devices.  But, how will you recognize and fix data leaks?  What do you say to an auditor if information is compromised?  How do you protect against malware and viruses entering your network? 

An issue as simple as forwarded emails to personal accounts opens the risk of corporate information traveling outside your organization.  Can you limit the ability to forward a corporate email to a personal account?  How can you ensure that company data is encrypted and deleted according to policy you set?  Do you have a plan to keep your corporate data and network secure?  What if the plan doesn't perform as intended?

The good new is that there are many resources for security related to your BYOD program. 

            Professional Help is Available

Like every project, know what you want, how you will measure it, and how you will reach your objectives.  Assistance from outside your organization can increase your success.  A Mobile Device Management (MDM) provider is an important component of any successful BYOD program. Your MDM provider enables you to achieve the right balance between providing enterprise security while maintaining employee convenience and privacy.  An MDM provider can supply functional and flexible MDM tools that addresses the fundamental concerns about your BYOD program.

          Thank the Experts

The law firm of Mayer Brown served as a resource from an article titled, ”Electronic Discovery & Information Governance – Managing the Risks of Bring Your Own Device” by Anthony Diana and Therese Craparo.  Click here for article.

Anthony Diana is a partner at Mayer Brown, and focuses his practice on commercial litigation, electronic discovery, internal and regulatory investigations, and bankruptcies.  He is a co-leader of Mayer Brown’s Electronic Discovery & Information Governance practice.  Click here for Anthony’s bio.

Therese Craparo is an experienced litigator at Mayer Brown, whose practice focuses on complex commercial litigation, including technology and telecommunications and electronic discovery.  Therese is a member of Mayer Brown’s Electronic Discovery & Information Governance practice.  Click here for Therese’s bio.