Allowing employees to use their own devices or to “bring your own device” (BYOD) to work often makes them more productive. Employees are more mobile. They can work from home, while traveling, or during off-hours. BYOD is great — at least until the security vulnerabilities make themselves known.
While it may seem natural to assign BYOD responsibility to IT, with their tools and technical restrictions, the job actually belongs to HR. A Gartner survey predicts that by 2017, half of employers will require employees to supply their own device for work purposes. CIOs named higher employee satisfaction, new mobile workforce opportunities, and reduced costs as reasons BYOD will only grow into the future.
The task of officially introducing this BYOD trend to the workplace begins with HR managers. Policy is at the heart of BYOD, because setting policies is the first step an organization makes to recognize this employee practice. Within BYOD policies, the limits of personal devices at work are often responses to security concerns.
Here are the major considerations HR managers should be of aware of when creating their own BYOD policies:
BYOD Policies: Nice To Have or Necessary HR Evil?
BYOD policies aren’t always necessary. If there are already restrictions against using personal devices, a BYOD policy is probably superfluous. Organizations also don’t need BYOD policies if workers can only use company equipment for company work or if workers simply never use their own devices for work. For instance, a coffee shop usually does not need a BYOD policy for its baristas.
All other HR departments should consider a BYOD policy if they don’t already have one in place. And even if an organization does not currently need a BYOD policy for whatever reason, they may want to consider how to put one into place in the future.
Having a BYOD policy does not make BYOD mandatory — for either the employee or the organization. What the policy does, instead, is outline expectations for employee conduct in explicit terms. It tells the employee that BYOD is allowed, but it also makes the responsibilities and potential consequences of using BYOD clear.
BYOD Policies: Viruses, Malware & Thievery, Oh My!
Of the many security woes employees can expose an organization to through BYOD, viruses and other nefarious entities are the most common. With BYOD, employees increase the chance of bringing more of these dangerous influences into contact with their organization. These nuisances can become full-blown disasters if they spread.
Devices that employees use in their personal lives are more likely to encounter these digital dangers. Websites employees visit for personal use or entertainment are often less secure than professional websites. Using the same device for both work and personal use increases the chances of transferring viruses and malware to their company’s technology architecture.
At the same time, thieves of physical devices are more likely to steal devices that employees carry around. Instead of leaving work devices with work data at work or home, now (in the case of smartphones and tablets), employees are carrying that data with them everywhere.
Designers of BYOD policy should recognize these dangers and make them clear to their employees. Policies should also spell out what the impact and consequences are for failing to avoid these risks. An individual whose non-work device contracts a virus or is stolen must deal with an annoyance. Much more seriously, a company-wide virus or a stolen device containing company data can mean devastating harm to a business, in the form of lost work, lost intellectual property, and damage to customer confidence.
Being Sensitive to Sensitive Information In BYOD Policies
Some information is highly sensitive and must be treated as such. While correspondence between employees is private, a breach in that kind of data is less severe than a breach in credit card information. BYOD policies should be clear about varying levels of information sensitivity.
An organization may want to instate different policies depending on information sensitivity levels. Employees may only handle less sensitive information from their personal devices. Or, employees must follow more secure protocols for more sensitive data.
Technical (In)compatibilities with BYOD Policies
Organizations usually already have security systems in place for their technology. They have vetted and chosen everything from virus and malware prevention and detection software to firewalls and encryption. Another snag in allowing BYOD is aligning these security systems with personal devices.
When employees BYOD, they bring a wide variety of consumer devices to work. Not all these devices will be compatible with the organization’s existing security infrastructure. Different operating systems, makes, and models may each create their own issues.
Organizations need to know what security software is mandatory. Compatibility with this software will determine which devices are permissible for BYOD. If organizations want or need to allow BYOD for devices that cannot support their security software, they should address that as well.
The Limits of BYOD Policies
HR departments should also recognize that policy can only do so much. Policy can create expectations and a system for reprimands when employees stray, but it cannot fix mistakes. If data leaks, or a thief takes a device, the policy isn’t going to prevent or contain the aftermath.
HR departments need to work with IT services and outline detailed BYOD strategies to protect from security woes. A BYOD policy is the first step to outlining a BYOD strategy, but a solid first step lays a solid foundation for your entire strategy.
About the Author: Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools. In this role, Cam is responsible for all corporate and product marketing strategy and success. Most recently, Cam led Beachhead Solutions through a complete corporate relaunch, including new product development and relaunch, corporate brand and messaging makeover and continuing to build the Beachhead Partner Program of resellers to broaden Beachhead’s market presence.
A graduate of San Jose State University, Cam began his career as a product manager in Apple Computers before launching Business Graphics Group, which he built from inception to the 15th largest advertising agency in the San Francisco Bay Area. Follow Cam on Twitter @BeachheadMDM or connect with him on LinkedIn.