The Rise of BYOD Workplaces
Bring your own device (BYOD) to work is a growing trend across all industries. The idea that an employee, customer, or partner will access your network with any device they choose was unheard of only a few years ago it wasn’t long ago that companies had strict policies on what devices could and couldn’t connect to the company’s network. Today many companies still try to enforce these policies without much success. Now the tables are turned, when executives or partners want to use their iPads or smart phones on the corporate network, IT is forced to adjust so that it is easy to use those devices. Case in point, when the newly elected President-elect Obama decided that he wanted to use a mobile email device, IT had to find a quick and secure way to enable this.
There is no doubt that the movement to BYOD will continue. The two main drivers for the growth of BYOD policies are:
- Streamlining process — Organizations that used to purchase and control devices for employees are getting out of the business. It costs far less to decommission Blackberry servers and get out of the cycle of purchasing new hardware for employees. (I have had direct conversations with companies who have saved thousands of dollars per a decommissioned Blackberry, but there is some debate as to the real cost savings: http://www.cio.com/article/703511/BYOD_If_You_Think_You_re_Saving_Money_Think_Again).
- Supporting employee choice — At the same time that management wants to save money, employees want a single device based on their preferences for both personal and corporate use.
A generational divide for mobile device management expectations
In a BYOD environment, companies must balance corporate needs, such as compliance with HIPPA and PCI DSS, with employee expectations of privacy and independence. A new generational technology divide has emerged in the workplace. Early Blackberry users were given the company owned device by their employer. Although the device may have been used for some personal calls or email, it was clearly a corporate asset. Today, new employees have been using a smart phone for years. Younger employees expect to control their own device. These same employees would be horrified to learn that many current acceptable use policies (AUP) give employers virtually all control over a device. With changing employee expectations, organizations will be compelled to adapt the way they manage mobile devices.
BYOD software solutions and corporate policies must address the following issues:
- Device wiping. Most current mobile management platforms allow an organization to fully wipe all of the data and applications from handsets. An employer must have good procedures in place to not mistakenly wipe handsets or delete personal data. Full wipe policies are commonplace however because corporate data could be stored in different areas of the phone, for example the onboard memory or on the SD card. A theoretical case study of the implications of device wiping is as follows:
An employee is hired and is told that he can use his personal mobile device for work. He downloads the appropriate apps and his device is now on the corporate network. Unfortunately, after several months the employee is fired. Through an automated process, human resources decommissions the employee’s credentials. As a part of this automated process, the employee’s mobile device is fully wiped and restored to factory presets. Although upon hiring, the employee might have signed a contract that in small print permitted the device wipe, he was unaware that it would happen. He loses valuable personal pictures and data that can never be replaced and had nothing to do with his employment. The employer may face a costly lawsuit for destroying the data.
- Jail broken and rooted devices. Jail breaking an iPhone or rooting an Android allows device users to gain functionality that may be disallowed by a handset carrier or manufacturer. Online guides and free software make this process straightforward and easy for people with moderate technical know-how. Many current endpoint management solutions allow companies to ban jail broken and rooted devices from the corporate network. A full ban is an easy policy decision, but may fail to increase security and could only alienate tech savvy, valuable employees. Organizations and vendors should investigate the full implications of a blanket ban.
- Web traffic, geolocation and activity monitoring. Traditional lines of what an employer can and can’t monitor are fairly straight forward and understood. An employee using a corporate owned mobile device understands that their web traffic and other activities might be monitored. In a BYOD mobile environment, when does the monitoring end? It is in both the employer’s and employee’s interest to prevent 24/7 activity monitoring. Collecting mobile device web, relocation and other activity information could expose a company to liability or drag them into other legal proceedings. At the same time, employees have a right to shield purely personal activities from their employer.
- Illegal content. If an employee stores or downloads copywritten material on a corporate device they can clearly be disciplined and reported to authorities. With BYOD, companies risk employees connecting devices that contain illegal content to the network. Does the company have an obligation to report the content if they find out about it, or so long as corporate resources were never used, does the employee have a right to privacy? Organization will need to create unambiguous policies on how they will treat these situations in order to limit risk.
The reign of the corporate owned Blackberry has clearly fallen and creating consistent policies to address device management and governance of BYOD devices is still evolving. Most current software device management solutions are either monolithic and destroy the native device experience, or are point solutions that lack full security or compliance capabilities. Corporate risk must be reduced through new offerings while at the same time meeting the expectations that employees have for privacy and control over their device.