Bring Your Own Device (BYOD) refers to the phenomenon of employees bringing personal devices to work for work purposes. Employees may use these devices to access organizational networks and to potentially share sensitive or confidential business data.
Personal devices include laptops, tablets, smartwatches, USBs or other electronics. The policies are not generally limited to phones. When such policies are limited to phones, organizations may choose to refer to the program as a bring your own phone policy or as a mobile device security policy.
Organizations differ in their approaches to BYOD. Some organizations embrace the concept, while others are wary of corresponding security and productivity concerns. Some CISOs view personal devices as part of “shadow IT”, or hardware that the organization is not responsible for.
How has BYOD evolved?
Twenty years ago, C-levels began using Blackberries or similar early-stage phones for work purposes, both at work and elsewhere. As the convenience of checking email on a personal phone became clear and smartphones grew more ubiquitous, other employees began to follow suit. These days, it’s nearly impossible to stand in the way of the working-from-a-phone trend, so many employers accommodate or embrace it.
What are the stats around BYOD?
- By 2022, the BYOD market is projected to reach nearly $367 billion, up from $30 billion in 2016.
- Among Gen Y employees, over 60% believe that their personal devices are more effective than devices available through their places of employment.
- The use of employee-owned devices saves employees 58 minutes per day.
- Employee-owned devices can increase productivity by as much as 34%.
- Sixty-seven percent of companies have endorsed BYOD, while 33% remain hesitant to adopt it.
What are the benefits of BYOD for employers?
- Improved employee morale.
- Improved productivity.
- Possible cost-savings.
- Potentially more efficient communication.
- May help attract talent in high-growth markets.
What are the drawbacks of BYOD for employers?
- Devices must be secured in a way that’s on par with other devices in the ecosystem.
- Cyber security risks.
- Expanded attack surface.
- Malware and viruses.
- Malicious insiders could download corporate data, leave the company and then weaponize the information.
- Accessing unsecured wi-fi connections.
- Potential loss of company privacy.
- More complex IT support due to diverse devices and operating systems.
- In litigation situations:
  - Enforcing legal hold.
  - Legal discovery.
What are the benefits of BYOD for employees?
- Employees can carry one phone rather than two.
- Can use devices that they are familiar with.
- Potentially improved work-life balance.
- Potentially improved morale.
- Can empower workers to perform better (e.g., customer service roles).
What are the drawbacks of BYOD for employees?
- Some employees may not have devices.
- Potential loss of personal privacy and anxiety about personal privacy.
- Employees may worry that employers have access to their financial data or health data.
- Removal of separation between work and personal life.
- Distress and burnout when employees feel that personal time must be used for work purposes.
What are the legal implications of BYOD?
If an employee’s device is lost or stolen and contains organizational data, the organization is responsible for any data loss or data leakage. Employees often retain company credit card numbers within ride-sharing apps, or otherwise have company information on hand for assorted legitimate reasons. Mobile Device Management (MDM) solutions can be integrated into devices in order to minimize risk and to preserve the integrity of an organization’s assets.
Further legal implications of BYOD?
Potential violations of the Fair Labor Standards Act (FLSA) may occur. According to the FLSA, non-exempt employees must be correctly compensated for all work activities completed outside of scheduled work hours.
State laws dictate whether or not organizations must compensate employees for use of personal devices on behalf of work. For example, California Labor Code Section 2802 places the onus of at least partial cost-coverage on employers.
Something to be aware of in this situation: If an employer covers an employee’s phone bill or other device-related costs, but then factors these costs into the wage-rate, bringing pay below minimum wage, employees are liable to file a class-action lawsuit over inadequate pay.
Should my organization establish a formal BYOD policy?
Organizations should consider their unique business needs and determine whether or not a BYOD policy makes sense. Review these strategic business considerations:
- Which devices your IT team can support through a BYOD policy.
- What type of data you expect/need employees to access through their devices.
- Whether or not an employer has the legal right to access, monitor and/or delete data on an employee-owned device.
- Whether or not to include GPS tracking on devices. If so, this is important information that needs to be clearly communicated to employees.
- Whether or not you’ll use MDM solutions to partition data and to minimize risk.
- How your organization will protect employees’ personal information from misuse.
Be sure to offer employees formal, written information about exactly how your policy operates. If people have questions or concerns, ensure that you can direct them to a knowledgeable individual who can investigate unique situations, and make decisions that align with company priorities.
BYOD raises many questions, such as:
- How do you obtain visibility within a device, and gain control over it, when you don’t own it?
- To whom does the information on an employee-owned device belong?
- Are files that are viewed on the device also downloadable onto the device?
- Can company data or files be wiped or deleted remotely, without harming the user’s personal apps, files or data?
- What happens when an employee leaves the organization?
How can organizations address BYOD security?
Organizations should ensure that they have policies and best practices in place around BYOD. Employees need to clearly understand whether or not they can use personal devices for work purposes, and if so, how to do so in a secure way. Managing the BYOD risk is a foundational aspect of workplace security.
All BYOD security measures should be integrated within the overarching IT security program. It’s critical for information technology leaders to determine how much support they can provide for employees’ devices. In providing security, they must also ensure that the organization does not overstep or intrude on personal privacy.
For more on BYOD security, be sure to visit Cyber Talk.