Allowing employees to use personal IT devices requires strict guidelines
BYOD (bring your own device) is a hot topic in the boardroom and for IT managers. BYOD involves allowing employees to use their personal mobile devices for work purposes.
Mobile devices include smartphones, tablets, storage devices (such as USB keys or hard drives) and laptops.
People manage their lives more and more through their personal devices. BYOD policies recognise that many employees will use personal devices for work purposes, regardless of whether or not they are authorised to do so.
A 2013 Virgin Media Business survey of 500 chief information officers in the UK found that over half of the surveyed business IT networks were compromised in 2012 by employees using their personal devices at work. Only a fifth of the large firms surveyed had a BYOD policy.
Implementing a BYOD policy in an organisation can make sense operationally and financially; it can also increase employee satisfaction and productivity. Allowing employees to use their own devices can reduce technology refresh costs, training costs and software costs.
Yet there are hazards inherent in granting official approval to BYOD: the legal and risk profiles of an organisation could be affected. Such exposure can be managed, but careful consideration needs to be given to the BYOD policy.
If an employee loses an unencrypted or unsecured personal device that holds confidential information relating to his employer, this creates a business risk and a legal issue.
The organisation may not even be aware that business data is missing or has been compromised because it is not in exclusive control of the device.
This is a key concept: control. A BYO device compromises the level of physical control that an organisation has over business information contained on these devices. BYOD policies address that loss.
Lost business data may attract unwanted publicity and lead to the erosion of customer confidence in the organisation's ability to manage its business. If the lost data includes personal data, the organisation may receive unwelcome attention from the Data Protection Commissioner, who is charged with policing data protection compliance.
Data protection laws in Europe impose legal obligations on those that collect data relating to people. Personal data must be kept secure.
Those responsible must also take appropriate technical and organisational measures to prevent unauthorised processing and against accidental loss or destruction of personal data.
What happens when an employee wants to sell the device that s/he uses at work? What should happen if an employee loses the device? Does the organisation have the right to buy the device from the employee on termination of the employment? Can the organisation wipe a device remotely?
Can the organisation back up data on the device? Can the organisation access the employee's private data on the device? Can an employee be disciplined for not protecting the device?
Who owns intellectual property created using the device? BYOD policies are introduced by organisations to answer these questions, to manage these risks and to anticipate the life cycle of a mobile device that is used for personal and private purposes.
BYOD policies – like other employee policies relating to discipline, internet use and health and safety – introduce conditions into the employee's contract.
The policy incentivises the employee to use his or her dual-use device responsibly. Employees often gain by receiving funding to purchase and run their personal devices and they're happier using the device that they prefer rather than having their employer's preference foisted on them.
When introducing a BYOD policy, organisations should make sure that it's relevant and addresses how devices are really used in that particular business. Consider the business uses employees should be able to make of personal devices.
For example, perhaps employees should not access very sensitive data on the device.
Some commentators talk about BYOD as a new trend. In many ways BYOD policies simply reflect the fact that organisations are confronting the reality that employees are already using their own devices for work purposes.
Where an organisation relies on devices, personal or otherwise, to do its business, it must deal with the organisational, legal, security and business risks appropriately.
If it doesn't manage these risks by implementing clear policies, it's only a matter of time before the business will have the unpleasant experience of trying to limit the damage when these risks materialise.
Deirdre Kilroy is head of intellectual property and technology in Dublin law firm LK Shields.