Potential pitfalls of BYOD

Potential pitfalls of BYOD

Summary: On the face of it, the move to BYOD seems great. Employees get to fondle their shiny smartphones, tablets, and notebooks at work, while the employer gets to save money on hardware. But as with most things, there are pitfalls you have to watch out for.

SHARE:

BYOD — or bring your own device — is a buzzword that's currently sweeping IT departments. While on the whole it can be considered a good thing, as with most things there are pitfalls that both employers and employees need to keep in mind.

By 2017, it is estimated that 50 percent of firms will demand that employees make use of BYOD. So if you think it's big now, just wait a few years.

But is BYOD right for you? Whether you are an employee, the employer, or the IT admin who has to keep everything working, there are potential pitfalls to BYOD that need careful consideration.

For companies, the issues that need to be addressed are many and varied, and generally revolve around the creation of a workable BYOD policy that needs to encompass a variety of topics ranging from security and support to who pays for what, and what happens when an employee is let go or fired. Any company taking the BYOD route — large or small — needs to have a clear and easy-to-understand BYOD policy.

Making BYOD policies up as you go along (or, worse still, taking an "organic" approach) is a recipe for disaster.

If you're an IT admin working for a BYOD-friendly company, then you already know about creating and enforcing policies. If you're an admin at a company that's currently keeping BYOD at arm's length, then chances are good that over the next few years, you're going to have to come to terms with people bringing their personal hardware to work with them.

Employees also need to consider whether BYOD is right for them, because there's a lot more at stake here than whether they can take their shiny new smartphone, tablet, or notebook to work with them.

For example, there are issues of privacy, and whether the company can track an employee's movements using their device, and whether internet access is monitored. Most post-PC devices have built-in GPS, so they can be tracked pretty much the whole time. Endpoint security software is capable of polling the location of a device, and, as such, know exactly where the employee is any time they have their device on them, as well as what they are doing with their device. A good BYOD policy needs to clearly address issues of privacy, and systems need to be in place to prevent abuses such as workplace stalking and snooping.

Then there's the issue of security.

Most companies that adopt BYOD will demand that devices are set up so they can be remote wiped in the event that they are lost or stolen. But what happens if Little Jonny has one too many tries at guessing the passcode on your iPad in order to play Angry Birds, which sets off alarm bells in the IT department, and the endpoint software — or an individual — mistakenly interprets this as an intrusion attempt, and then goes on to remotely nuke the device?

Think this won't happen, or is so rare as to not be worth worrying about?

Think again. I've heard from dozens to people who have had their personal devices remotely wiped by overzealous BYOD security policies.

It happens. And it happens quite often.

Employees will also be able to do less with their devices once they swallow the BYOD red pill. There will likely be limitations on what apps that can be downloaded and installed, and being able to bypass OS-imposed limitations though jailbreaking and rooting will almost certainly be a no-no.

A BYOD device can, very quickly, start to feel like it's not yours anymore.

BYOD is definitely not for everyone, so much so that some employees working at companies that demand users "bring their own devices" to work choose to buy separate devices for home and work.

Employees should take responsibility for backing up their data. While most companies will have their ducks in a row when it comes to work-related data, personal data is the responsibility of the owner, and as such they need to make sure that it is safe.

While there's always a risk that a smartphone or tablet can be lost, stolen, or damaged, BYOD introduces a few additional risks that you might not have considered. Not only is there a chance that it might be remotely wiped, but there's even a possibility that it might be seized for legal examination in conjunction with a corporate litigation matter or other legal or security issue.

You could, at any moment and for any number of reasons, find yourself down your device and the data on it.

Again, make sure that you have a backup of your data in case you ever need access to it.

Topics: Mobility, Smartphones, Tablets, Bring Your Own Device

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Talkback

10 comments
Log in or register to join the discussion
  • Merging is not always better

    Merging personal and business assets, whether hardware, software, or both; is never a good idea. It is comparable to mixing "business with pleasure." Both sides will end up "losing." Can businesses afford to lose their information asset?
    TsarNikky
  • BYOD

    It is all nice and dandy when employees only have iPhones and Androids.
    But what if somebody has windows phone 8 ? Browsers are different, VPN support does not exist in WP8. Apps are different too.
    paul2011
  • As a requirement I'd have my own requirements of the company

    If they want to impose security features or remote wipe capability, the company doesn't get access to my phone. If they want similar features on my personal laptop, I will RDP to a client system they can maintain before I will give them that kind of control over my hardware. Those are my personal terms of use, and if the company doesn't like it, then I won't use a computer and I'll develop for the company via suggestions.
    SeanBlader
  • BYOD is foolish

    I have been screaming left and right that BYOD is too risky in terms of security. And supporting users in that kind of environment is an absolute nightmare. My company is still trying to do it but honestly, it is starting to look like a no go. We just do not have ability to support and security check every single type of phone and configuration for us to feel comfortable.
    Bronxboi
  • "Bring your own device, as long as it's exactly THIS phone"

    BYOD as a concept needs to include some kind of freedom for employees. Otherwise, the company should just buy the "standard" device for all their employees. E.g. a Blackberry.
    Smalahove
  • i wonder who

    is pushing for this notion . For the company security folks it probably means more job security. The cost centreoowner probably thinks the expense of procuring hardware is reduced, but forgets the higher IT levy on the business.
    For the user, who really wants to have their device resources consumed by work information.
    Blank Look
  • In most cases a just terrible idea

    For all the reasons outlined in the article and more, it just sounds like a lose/lose proposition in more cases than not. I am really glad that BYOD is not likely to happen where I work. With the really dismal proprietary software that we all have to access for various things, all the devices would have to be Windows and anyway, it would just be an IT nightmare. Also, a lot of our stuff is covered by confidentiality laws. That's true for a lot of organizations. Letting that out of the office would no doubt be a legal nightmare as well.
    posny
  • BYOD is Dead

    BYOD is dead.

    It was the hip thing 2 years ago but now, employees are running back to a corporate provided device. (if they can get one) It was almost rogue like to say "I'm using my own device for work email", those days are now going away.

    Why?

    Mobile devices can now be easier managed (controlled) and there are a host of solutions to limit, monitor and do whatever your security team decides is "required" to protect corporate data. So it's not really an appealing situation now for employees.

    You also have two major stumbling blocks that no one has figured out:

    1. Privacy concerns
    2. Financial model

    Employees do NOT like the fact you can control their device, they don't want you snooping on their txt messages, photos, the Apps they use etc. On top of this there are regulations in Europe around this (where BYOD has seen limited adoption).

    BYOD only really works if you shift all costs to the employee, which they now realize how expensive this can be. Why bother managing a subsidy and all the work that will entail, basically your shifting your mobile spend to an expense nightmare. There is still the non salary employees that no company wants to deal with due to compensation concerns. There is also the tax issues etc.

    This doesn't even touch all the other issues people list that get glossed over. Are there employees where BYOD works? Sure their the vocal minority, the 10-15% that (believe) know what their doing. Questionable how many actually adhere to SOX and other data governance policies but they will tout the "I'm productive" horn but show no proof other then they are using their device of choice. That's a preference not a proven operating model. They also wish to use a host of Apps that could potentially do all sorts of things to your corporate data that will make your legal and risk teams get all worked up. But it's all good, their PRODUCTIVE.

    The going opinion is the device doesn't matter, virtualize or contain the data and limit how and when it can be used. That's a valid approach but puts a huge dent in the reason they wish to use their own device as well often has usability impact. So it's a trade off.

    BYOD is dead.
    MobileAdmin
  • How Simple

    I'm sure it's happening already.

    People will have personal devices, AND secondary BYOD devices.
    louishelps
  • BYOD, really?

    What's the point of BYOD if the company all but owns your device.

    To me BYOD says, just that. You bring your own device to work, and use it. If the company has issues with controlling their data, then they need to specify in policy, that their data isn't to end up on their employee's personal machines. If the company demands control over the device to control their data, then it is no longer BYOD. It becomes a senario where you are paying out of your own pocket for the company's hardware.

    You either use your "own" device, or you use the "company's" device. There is no middle ground.
    blackepyon01@...