
How to make BYOD work

The bottom line is that BYOD can and does work, but it is, at best, a pre-prepared compromise struck between employer and employee. A clearly defined BYOD policy helps everyone know what's going on, and is a vital tool in smoothing relations between both sides.
Written by Adrian Kingsley-Hughes, Senior Contributing Editor

BYOD -- or bring your own device -- is a buzzword that's sweeping IT departments. While on the whole it can be considered a good thing, as with most things in life there are pitfalls that both employers and employees need to bear in mind when embarking down this avenue.

By 2017, it is estimated that 50 percent of firms will demand that employees make use of BYOD. So if you think it's big now, just wait a few years.

But is BYOD right for you? Whether you are an employee, the employer or the IT admin who has to keep everything working, there are potential pitfalls to BYOD that need careful consideration.

Employee considerations

Employees also need to consider whether BYOD is right for them because there's a lot more at stake here than whether they can take their shiny new smartphone, tablet or notebook to work with them.

For example, there are issues of privacy, and whether the company can track an employee's movements using their device, and whether internet access is monitored. Most post-PC devices have built-in GPS, so they can be tracked pretty much the whole time. Endpoint security software is capable of polling the location of a device and, as such, can know exactly where the employee is any time they have their device on them, as well as what they are doing with their device. A good BYOD policy needs to address issues of privacy clearly and concisely, and systems need to be in place to prevent abuses such as workplace stalking and snooping.

Then there's the issue of security.

Most companies that adopt BYOD will demand that devices are set up so they can be remotely wiped in the event that they are lost or stolen. But what happens if Little Jonny has one too many tries at guessing the passcode on your iPad in order to play Angry Birds, which sets off alarm bells in the IT department, and the endpoint software -- or an individual -- mistakenly interprets this as an intrusion attempt, and then goes on to remotely nuke the device?

Think this won't happen, or is so rare as to not be worth worrying about? Think again. I've heard countless tales from people who have had their personal devices remotely wiped by overzealous BYOD security policies.

It happens. And it happens much more often than people in the industry want to admit that it happens.

Reasons for wiping can be varied, but here are some of the top reasons:

  • Loss or theft: The most common reason for wiping devices is loss or theft. While this acts as a way to prevent company data falling into the wrong hands, it also nukes any personal data. On top of that, if the device later reappears - perhaps it fell behind the sofa cushions - then it means more work for the IT gang.
  • Jailbreaking or rooting: Mess around with the security features built into your device and expect it to get wiped.
  • Irregular activity: Little Jimmy gotten hold of your device and tried to get into it to play Angry Birds? Entering the wrong passcode too many times can trigger a wipe.
  • Installing an unauthorized app: If you're lucky, only the banned app will be deleted, but don't count on this.
  • Exit wipe: Some companies carry out an "exit wipe" on devices when an employee leaves the company. Sometimes users are made aware of this, other times it just happens.
  • Accident/malicious wipe: Yes, it does happen.

Employees will also be able to do less with their devices once they swallow the BYOD red pill. There will likely be limitations on what apps can be downloaded and installed, and being able to bypass OS-imposed limitations through jailbreaking and rooting will almost certainly be a no-no. Devices will also over time become obsolete, and that will mean having to keep up with an upgrade cycle that might not be to their taste.

A BYOD smartphone or tablet can, very quickly, start to feel like it doesn't belong to the owner any more. And with good reason, because it doesn't totally belong to them any more.

BYOD is definitely not for everyone, so much so that some employees working at companies that demand users "bring their own devices" to work choose to buy separate devices for home and work. Increasingly you see people walking around with a "smartphone stack." It's not an ideal solution, but it does allow employees to create a firebreak between work and home, and this limits work intrusion into their personal device while at the same time making it harder to do something dumb like send a joke text to a boss or colleagues.

Employees should take responsibility for backing up their data. While most companies will have their ducks in a row when it comes to work-related data, personal data is the responsibility of the owner, and as such they need to make sure that it is safe.

While there's always a risk that a smartphone or tablet can be lost, stolen, or damaged, BYOD introduces a few additional risks that you might not have considered. Not only is there a chance that it might be remotely wiped, but there's even a possibility that it might be seized for legal examination in conjunction with a corporate litigation matter or other legal or security issue. At this point an employee can expect everything on their device to be examined, which is likely to be an unpleasant experience.

Employees can, at any moment and for any number of reasons, find themselves down both the device and the data on it. For most this is likely to be the single biggest downside to BYOD. While you shouldn't expect to be inconvenienced or left out of pocket as a result of this, it is a hassle when it happens.

Again, because of this it is vital to have a backup of any data in case of loss - assuming that the BYOD policy allows users to do a personal backup, that is.

Corporate considerations

For companies, the issues that need to be addressed are many and varied, and generally revolve around the creation of a workable BYOD policy that needs to encompass a variety of topics ranging from security and support to who pays for what, to what happens if a device is confiscated or seized, and what happens when an employee is let go or fired (remember that it's not just the data on the device to worry about, but also any backups made of it). Any company taking the BYOD route -- large or small -- needs to have a clear and easy-to-understand BYOD policy, a policy that everyone needs to be aware of, agree to, and to an extent, be happy with.

Making BYOD policies up as you go along (or, worse still, taking an "organic" approach) is a recipe for disaster. Also, just allowing employees to bring in devices - for example, you might allow devices that support Exchange ActiveSync, or allow iOS or Android devices - is not the same as having a policy in place.

An effective BYOD policy should cover the following:

  • Acceptable use
  • Authorized devices
  • Support
  • Security
  • Reimbursement
  • Liability/risks/disclaimer

Think you're OK just winging it? Think again. If the likes of IBM can get burned, you can.

If you're an IT admin working for a BYOD-friendly company, then you already know about creating and enforcing policies. If you're an admin at a company that's currently keeping BYOD at arm's length, then chances are good that over the next few years, you're going to have to come to terms with people bringing their personal hardware to work with them.

You're also going to have to get comfortable tracking everyone's talk, text, and data usage in order to prevent misuse, bolster security, and keep costs at bay. Don't expect this sort of stuff to police itself because it won't, and things will degenerate into a mess in no time at all.

On top of this, you'll need to take the reins over apps. This means pushing mandatory apps, blacklisting rogue apps, and possibly putting the brakes on timewaster apps. It might seem draconian, but it has to be done.

Finally, you have to get comfortable banning devices. Banned devices can range from jailbroken iOS devices and rooted Android devices to just obsolete hardware and operating systems. You have to set out very clearly what is and what isn't allowed, and you have to be able to communicate this clearly to employees, and give them a heads-up about things such as devices that will become unsupported ahead of time to prevent disruption.

Bottom line

The bottom line is that BYOD can and does work, but it is, at best, a pre-prepared compromise struck between employer and employee, with the employer holding the upper hand in most cases. A clearly defined BYOD policy helps everyone know what's going on, and is a vital tool in smoothing relations between both sides.

  • Employees: Make sure you understand the BYOD policy so you know exactly what you are getting into.
  • Employers: Draw up a comprehensive BYOD policy and make sure everyone understands it.
