Mobile devices are valuable business productivity tools for
companies and their employees. Because mobile devices increase
productivity, many organizations have administered and
paid for their employees’ devices. In a
quest for financial efficiency, organizations shift the cost and administration
of cell phones to the employees. An
employee’s use of a personal mobile device for business purposes is called Bring Your
Own Device (BYOD).
Overall, how do you want BYOD to benefit your business? Is the set of goals clear and
measurable? How do you measure cost
efficiency, progress, and performance in your BYOD program?
A First Look at BYOD
BYOD shifts the responsibility and cost of cellular devices
from the employer to the employees. The
gains for the employer are reduced costs, reduced support, and reduced
administration. The gain for the
employee is broader choice of mobile devices.
Also, if the employee was carrying two phones, one personal and one
business, he or she can now carry one phone.
For an organization to transition to BYOD: 1) Install
security, and 2) Have employees sign policies and procedures. Easy, right?
Good control is good business. Careful planning for mobile device management is essential for a
successful BYOD implementation. Unfortunately,
many companies migrate to BYOD without careful planning.
Risks of BYOD
What's your risk by migrating to BYOD, and how do you
quantify it?
Anthony Diana, partner at the law firm Mayer Brown,
addresses the risks of BYOD: “There are legal risks, such as the ability
to access information responsive to document requests for preservation or
production. There are regulatory risks
associated with information on those devices that may be subject to regulatory
retention and supervision requirements.
There are information security risks associated with lost or stolen
devices, as well as many different devices having access to the organization’s
networks. There are data privacy risks
associated with the mix of personal information with business information on
one device. The question for any organization is how to best mitigate and
balance these risks in light of the business demand for BYOD flexibility.”
If your organization is associated with the health care
industry, inappropriate use could cause you to violate rules and regulations of
HIPAA. Something as obvious as having
records in an unsecured place, like an unencrypted device, or on someone’s
kitchen table, would violate HIPAA regulations. Confer with your compliance officer. Violations are not worth the risk.
How much do you want to avoid risks, and will your efforts
interfere with employee productivity?
Cost of BYOD
The payments for the mobile device become the responsibility
of the employee. The employee pays for
the monthly cost of the service plan, overages, downloads, device upgrades,
accessories, international long distance, roaming, text overages, and the
additional taxes. Corporate discount
plans are not available to individual plans.
A potential revenue leak is employees who expense cell phone
costs in creative ways. This is counter-productive to the principle of
BYOD saving money for the employer. Address this problem in your policies
and procedures.
The costs to the organization are security and support, if
offered. How much money needs to be
allocated to support BYOD? Will you use
a Mobile Device Management (MDM) provider?
How are future costs contained?
Every company culture is different. If you are on a BYOD program, does your
company offset the employee’s cost with a stipend? Are employees happy with the arrangement? Productivity increases when employees are
happy. Will they conform to the new
policies and procedures? Are your
employees spending company time on maintaining and troubleshooting their mobile
devices? Is your organization saving
hard-dollar costs under BYOD?
Managing Mobile Devices Owned by Employees
The employee’s use of a personal mobile device becomes
subject to restrictions of the organization’s policies. How much authority does your organization
have over an employee’s personal property?
Prepare employees with clear communication for the transition to their
responsibility of the cost and policy restrictions.
Anthony Diana also states that BYOD imposes risk in that, “…
organizations find themselves almost entirely dependent on policies and their
employees’ compliance with such policies to manage the considerable risks
associated with electronic data.” An
organization “…is forced to rely more heavily on employee participation and
compliance with policies to manage risk.”
Diana highlights the need for clear policy, and also audit
procedures, “Because an employee’s use of his or her personal device is largely
outside of the employer’s control, critical components of any BYOD program
include a clear, concise policy that is developed with the input of all the
relevant stakeholders, together with audit procedures that validate and ensure
compliance with that policy.” The
organization should set policies and enforce its policies.
Your employees expect to use their devices and applications
at all times. How much support will you
offer to your employees? Is your help
desk ready to assist with the variety of devices? Many companies find that centralized management and support of
BYOD is not practical because of the variety of devices and carriers;
therefore, each employee becomes responsible for his or her own device and
technical support.
Employee Productivity – some staff need more support than
others. Are there employees who are
less able to fix their own cell problems?
Should fixing cell issues be considered company time or personal
employee time? You will rely on
employees to be responsible for lost, stolen, and malfunctioning devices. Do you want your employees to invest time to
troubleshoot problems and manage invoices?
BYOD is easier without corporate applications, because the
corporate applications add a layer of complexity. Your applications must meet the demand of employees. Will applications cause technical
constraints and difficult deployment?
Do corporate applications work on all devices and platforms? What limitations are there on applications? How well defined is the company’s
policy?
What are the side effects of BYOD, if any? For example, think about telephone
numbers as a company asset. Would you
port-out your main corporate phone number to one of your former employees? How about the number to your purchasing
department? The point is that a mobile
number used for business is your organization’s property. Whatever that employee does for your
organization, the employee may be terminated, and the phone number is property
of the employee, not your business.
Clients and vendors will use the mobile number to contact the employee,
terminated or not.
Overall, how much accountability do you expect from your
employees? What are your audit
procedures that validate and ensure compliance with the policies?
Security
Security and data loss
remain top concerns for companies that allow BYOD.
A recent statistic
from Canada reveals that 58 per cent of Canadian organizations are losing
corporate information through laptops, smart phones and tablets used by
employees.
Ensure that basic
security includes the following. Require employees to use a complex password or, better, a
passphrase, if the device can accommodate it.
Use encryption. Enable GPS
tracking to help find lost devices.
Wipe business data from lost devices, and ask the employee whether he or she
wants the personal information wiped from the lost device as well.
If unmanaged, BYOD can
allow hackers access to your network, resulting in data loss. You need effective
network access controls and policies to secure your data. One part of
policy is to require employees to install mobile security solutions on their
personal mobile devices. But, how will you recognize and fix data
leaks? What do you say to an auditor if information is compromised?
How do you protect against malware and viruses entering your network?
Something as simple as
forwarding emails to personal accounts creates the risk of corporate information traveling
outside your organization. Can you limit the ability to forward a
corporate email to a personal account? How can you ensure that company
data is encrypted and deleted according to policy you set? Do you have a
plan to keep your corporate data and network secure? What if the plan
doesn't perform as intended?
The good news is that
there are many resources for security related to your BYOD program.
Professional Help is Available
Like every project, know what you want, how you will measure
it, and how you will reach your objectives.
Assistance from outside your organization can increase your
success. A Mobile Device Management
(MDM) provider is an important component of any successful BYOD program. Your
MDM provider enables you to achieve the right balance between providing
enterprise security and maintaining employee convenience and privacy. An MDM provider can supply functional and
flexible MDM tools that address the fundamental concerns about your BYOD
program.
Thank the Experts
The law firm of Mayer Brown served as a resource through an
article titled “Electronic Discovery & Information Governance – Managing
the Risks of Bring Your Own Device” by Anthony Diana and Therese Craparo.
Anthony Diana is a partner at Mayer Brown, and focuses his
practice on commercial litigation, electronic discovery, internal and
regulatory investigations, and bankruptcies.
He is a co-leader of Mayer Brown’s Electronic Discovery &
Information Governance practice.
Therese Craparo is an experienced litigator at Mayer Brown, whose practice
focuses on complex commercial litigation, including technology and
telecommunications and electronic discovery.
Therese is a member of Mayer Brown’s Electronic Discovery &
Information Governance practice.