Much of what’s written about making BYOD work focuses on the technology platforms and tools for securing company information in the context of BYOD, both critical components of a successful BYOD strategy. Even though BYOD is about formalizing personal mobile device usage for work, it should benefit the organization as well, or at least not compromise its information security.
Last June when Teksystems, a national staffing company, surveyed 3,500 technology professionals, almost three-quarters of the respondents reported they believe some sensitive company data is at risk due to employees accessing information from their personal devices. At least a quarter of the IT professionals surveyed weren’t confident that their organizations were compliant with government privacy mandates in the context of BYOD.
This is why the mobile risk assessment described in our last BYOD post can be so beneficial. This risk assessment helps organizations focus attention on addressing real risks, some of which are likely pre-existing and independent of any BYOD considerations. If the company’s information infrastructure is already adequately secured, the right mobile device management (MDM) tools will complete the picture.
Resources for comparing the features and capabilities of MDM software and services are readily available from both independent and industry sources. Once the MDM decisions have been made, implementing them is just another behind-the-scenes technology rollout. OK, maybe oversimplifying like that isn’t fair to the IT group, but it’s the people and policy implications that can actually be trickier to successfully implement.
We routinely help our clients get electronically stored information (ESI) identified and collected for litigation. More often than not, data on someone’s personal device will turn out to be relevant, which means this data and/or the device it lives on must be collected. Now, imagine collecting a personal device from an employee who has no idea this might be a consequence of using said device for work. Complicated much?
It’s your people who are the linchpin to both the security and success of your BYOD policy. A well-informed workforce is the best way to ensure that a BYOD policy works – for both the company and its people. Today’s front-line employees are often as tech-savvy as their counterparts in IT, and chances are they can figure out ways to work around a policy that they view as impractical or inconvenient. Employees who understand and respect a company’s BYOD program are the very best protection for sensitive company data.
So, what’s the takeaway here?
First, give employees the opportunity to participate up front in discussions about your company’s BYOD policy and take their input into serious consideration. Second, provide your team with the communication and training they need to make the policy work. Finally, collect acknowledgment from your team in writing to make sure they know that it is part of their job to understand the BYOD policy’s provisions and their obligations.
In fact, in the Teksystems survey mentioned above, more than half of the IT professionals who responded reported that their employers don’t have BYOD guidelines, prohibit employees from using personal devices, or have guidelines that have not been communicated. But here’s the clincher:
[Even] among the organizations that have some form of BYOD policy in place, approximately only half of IT leaders (48%) and just a third of IT professionals (35%) believe the policy is crystal clear.
So what is the risk of not having a BYOD policy? It’s impossible to generalize risk levels, but it is fair to say that not providing clear expectations with regard to BYOD can result in all kinds of avoidable outcomes like data breaches and the significant hard costs and reputational dings associated with them. Yet the biggest risk of not having a BYOD policy may be the missed opportunity.
Building a workable policy requires thinking through all of the benefits, issues, and impacts of BYOD. Regardless of the type of BYOD approach your company ultimately chooses, this process is invaluable for making sure your organization is not blindsided by unidentified risks. It’s also beneficial for being able to show diligence, defend against claims, and protect your reputation.
And we won’t deny it — it’s tedious and time-consuming to come up with the right BYOD approach for your environment, but there are plenty of resources available to help sort it out. In the end, there’s no substitute for a clear, well thought out, and well communicated BYOD policy. Seeing that employees understand why your company has taken the BYOD position it has, what’s in it for them, and what’s required of them is key to making BYOD actually work.