Making BYOD work: The art of compromise


Summary: The bottom line is that BYOD can and does work, but it is, at best, a pre-prepared compromise struck between employer and employee. A clearly defined BYOD policy helps everyone know what's going on, and is a vital tool in smoothing relations between both sides.


BYOD — or bring your own device — is a buzzword that's sweeping IT departments. While on the whole it can be considered a good thing, as with most things in life there are pitfalls that both employers and employees need to bear in mind when embarking down this avenue.

By 2017, it is estimated that 50 percent of firms will demand that employees make use of BYOD. So if you think it's big now, just wait a few years.

But is BYOD right for you? Whether you are an employee, the employer, or the IT admin who has to keep everything working, there are potential pitfalls to BYOD that need careful consideration.

Corporate considerations

For companies, the issues that need to be addressed are many and varied, and generally revolve around the creation of a workable BYOD policy that needs to encompass a variety of topics ranging from security and support to who pays for what, to what happens if a device is confiscated or seized, and what happens when an employee is let go or fired (remember that it's not just the data on the device to worry about, but also any backups made of the device). Any company taking the BYOD route — large or small — needs to have a clear and easy-to-understand BYOD policy, a policy that everyone needs to be aware of.

Making BYOD policies up as you go along (or, worse still, taking an "organic" approach) is a recipe for disaster. Also, just allowing employees to bring in devices – for example, you might allow devices that support Exchange ActiveSync, or allow iOS or Android devices – is not the same as having a policy in place.

Think you're OK just winging it? Think again. If the likes of IBM can get burned, you can.

If you're an IT admin working for a BYOD-friendly company, then you already know about creating and enforcing policies. If you're an admin at a company that's currently keeping BYOD at arm's length, then chances are good that over the next few years, you're going to have to come to terms with people bringing their personal hardware to work with them.

You're also going to have to get comfortable tracking talk, text, and data usage in order to prevent misuse, bolster security, and keep costs at bay. Don't expect this sort of stuff to police itself because it won't, and things will degenerate into a mess in no time at all.

On top of this, you'll need to take the reins over apps. This means pushing mandatory apps, blacklisting rogue apps, and possibly putting the brakes on timewaster apps. It might seem draconian, but it has to be done.

Finally, you have to get comfortable banning devices. Banned devices can range from jailbroken iOS devices and rooted Android devices to just obsolete hardware and operating systems. You have to set out very clearly what is and what isn't allowed, and you have to be able to communicate this clearly to employees and give them a heads-up ahead of time about things such as devices that will become unsupported, to prevent disruption.

Topics: Mobility, Hardware, Bring Your Own Device

  • "a pre-prepared compromise struck between employer and employee"

    In the vast majority of cases, that simply is not true. BYOD is almost invariably a cost-saving control imposed by the employer, on the employee, even when it's dressed up as a free choice.

    Aside from that, a fine article - but in missing the point of BYOD, it also misses the point that employees can rarely escape from the control and imposition on their privacy that BYOD can bring.
    • In Europe

      there are also a lot of legal implications, in many jurisdictions it is illegal to put corporate data on a privately owned device, making BYOD a non-starter.

      If they do let that through, you can pretty much kiss goodbye to sharing that device with your spouse and kids. After the corporate data is put on the machine only employees of the company will be able to use it; so no little Billy playing Angry Birds on it in the evening or at the weekend.
      • Same in the US

        It depends on the kind of data it is. Is it medical data (HIPAA/HITECH)? Is it criminal data (CJIS)? Is it credit card data (PCI-DSS)? There are plenty of laws in the U.S. that, while not making it illegal to have the data on the phone, govern what would happen if your telephone would be lost or you didn't report it. Stolen portable devices, including laptops, cost a fortune for every business as the cost of notifying (required by law in many states) the consumer (who technically OWNS the data) can be expensive. We had one laptop stolen and it cost the department half a million dollars in postage costs alone.
  • This is why I don't think BYOD really works or has any benefit.

    After reading your article - this is why I don't think BYOD really works or has any benefit. It's far too restrictive. It ceases to be a personal device when an employer tells me what I can and can't have on the device, and has the ability to remote wipe it.

    At that point, I might as well get a company phone or buy a separate phone.

    I'm sorry, you just proved to me that BYOD doesn't work. You can claim it does until you're blue in the face. You can't make me believe a lie.
    • It Can Work

      It's not too restrictive at all. It is far better to be a bit restrictive than to lose the phone and data. Besides, a remote wipe is meaningless, if you think about it. You lost or had the phone stolen. It is no longer in your possession so why would you care? If you find it later, you have a backup, right?
  • BB Balance?

    The new BlackBerry 10 phones have the "Balance" feature, which I understand can make your personal content and work features totally separate. Does anyone know if this addresses the concerns in the article?

    My company is moving over to BES 10; guess I'll have a chance to find out for myself soon!
    • If I Remember Correctly

      Some people where I worked looked at the BES 10 server software and said it does support this compartmentalization. I'm not equating this to the Blackberry either as it works with other hardware. I think they decided, at work, to go with Symantec though.
  • My Experiences

    I worked at a large organization spread across 100,000 employees and spread geographically over an area the size of a small state (almost). BYOD came up as a financial solution and was called "the $50 Stipend Solution". Provided that the employee needed "mobile" in their jobs, the enterprise would pay the employee a $50 stipend per month for them to use their mobile devices. It didn't work out for many reasons:

    First, the employees would bring their own devices anyway, so the individual departments did not want to pay a stipend for the employee to do this. Eventually, the stipend amount came down to $35/month. Next, having a plan involved rules and regulations and security that must be maintained. Nobody wanted the rules especially if any loss or theft of a smartphone (for example) would require the employee to report the loss to the enterprise and have the device completely wiped. There was some software coming that would have made a wipe of "personal" areas unnecessary, but that wasn't in the plan yet. For some strange reason, employees were totally against having photos of Grandma wiped out. I personally don't understand this as most smartphones and tablets can be easily restored from backup. People are backing up their devices, aren't they?

    Here is why I'm concerned about this and how we can all relate. Suppose we are neither the employee nor the employer. However, some programmer wants to work from home and takes about 200,000 elements of REAL data home with him or her and the device gets lost or stolen. Everyone loses out. The company will appear in some nasty headline. The employee can have this used against him or her especially if not authorized to bring the data home. But the biggest loser is the person whose data is on the device. Let's face it. I would NEVER shop at Neiman Marcus since their breach.

    So, if a device like this scenario is lost or stolen with that data, let's look at what happens:

    If the data was medical patient information, the federal government steps in and the company is fined more than $1 million. If this is criminal data and violated federal CJIS rules, the company gets a visit from the FBI and another fine and is now on a watch-list. If the data loss is not reported but the information is used against the "consumer", that can be traced back and now there may be criminal charges and people being fired. In most states, there are laws such as California SB 1386 or AB 1149 that dictate who has to get notified and how quickly. Maybe credit protection would also have to be given. If you are a manager or an employee, you probably don't like this... UNLESS, you were the person whose data was compromised. Then you'd be upset. When the Target incident came up, many bloggers were outraged. But what if practices at their workplace did not allow for proper security?

    So, you really want to do BYOD? Most of the employees that were offered the monthly stipend turned it down. The question is, are they taking information home anyway and without the rules?
  • Compromise?

    It does not appear to be a compromise between the employer and the employee. There are other parties in this, including the person whose data is on any of these devices. Don't they get a say in this? Technically, they do. It is called laws that many states have as to what happens when data gets lost. OK, so you lose a jump drive with 800,000 medical case records on it and you get a fine of about $12 million. That comes out of the employer's pocket and, I'm willing to bet, comes out of the employees' pockets as well in a tight-budget organization.
  • There is One Comprehensive Solution

    That allows for the integrity of personal data and security for corporate data by keeping them in separate, exclusive sandboxes, and offers the following:

    • Lowest TCO
    • Only EMM solution that's FIPS 140-2 certified
    • Only EMM solution that's Full Operational Capability by U.S. Defense Information Systems Agency
    • Highest Regulated-level EMM – compliance control and advanced security (up to 100% lockdown)
    • End-to-end data encryption through a single outbound port for all communications - no need for additional VPNs.
    • Secure Work Space for iOS and Android
    • BlackBerry Balance for BlackBerry devices.
    • Full Enterprise app control

    BES 10