Bring Your Own Device has been one of the biggest trends in the workplace for years. As more employees rely on smartphones and tablets to review data on the go, stay in touch and work remotely, the concept of using a personal device for work purposes is certainly here to stay. In 2013, Gartner predicted that half of employers would require employees to use their personal devices for work by 2017. A recent report from Tech Pro Research revealed 74 percent of respondents are already utilizing BYOD or plan to do so in the future. Only 62 percent said the same when identical research was conducted two years ago, indicating BYOD continues to gain ground.
As BYOD becomes a more critical part of business operations and keeps contributing to employee engagement, it's essential both employers and staff members know what rights each party has and how to protect themselves.
What can an employer really see on an employee's device?
There's often confusion about what the management team can do with a worker's smartphone or tablet – the staff member does own the device, after all. Plenty of controversy surrounds this issue, as employees may have photos, records or other data of a personal nature on their devices that they don't want their employer rifling through.
According to Privacy Rights Clearinghouse, it is possible, but not necessarily likely, for an employer to access the following depending on an individual company's BYOD policy:
- Phone records and contact information
- Internet browsing history
- Location information
- Social media accounts
- Messaging histories
In an interview with CIO magazine, MobileIron's president of strategy, Ojas Rege, largely corroborated this information. Rege said that a company can't see personal videos, photos, email or texts that aren't sent over a company messaging app. However, employers do have access to information about an employee's location, data storage use, battery level, corporate email and corporate data.
In the unlikely event of business litigation, an individual's device could be subject to search and review as evidence.
One of the things employees are most concerned about is their device being wiped if they leave the company or lose their smartphone. Seventy-one percent of respondents to a Zix Corp poll said they wouldn't use a personal gadget for work if they knew their employer could wipe it remotely.
How can employers protect themselves?
Your employees may have extremely sensitive business data on their devices, meaning the last thing your company wants is to lose track of that information. Unfortunately, smartphones and tablets do get misplaced, and when they do, your organization needs to know it's protected from data loss. Human resource solutions that help mitigate data theft while accounting for employee concerns are critical.
Any company considering allowing employees to bring their own devices needs to first create an airtight BYOD policy that workers who want to use their personal devices must sign off on. The American Bar Association's "BYOD Policies: A Litigation Perspective" report notes that a strong BYOD policy must consider the following elements to effectively mitigate risk:
- Training and employee buy-in
- Ownership and cost of the device
- Striking a balance between employee privacy and employer data security
- Maintaining confidentiality of trade secrets or other confidential information
- Policy synergy
One of the more important elements is gaining consent to wipe a device that is lost or stolen. As this is a major concern for employees who bring their own smartphones or tablets to work, it needs to be addressed clearly, and both parties need to understand exactly what will happen if the device goes missing – and in what timeframe. If policy calls for devices to be wiped immediately when reported lost or stolen, regularly encourage employees to back up any contacts, photos or other personal data they wouldn't want to lose and could not recover.
Governing BYOD within the company
For nearly as long as employees have been using personal devices on the job, there's been a dispute over which department is in charge of the BYOD policy – HR or IT?
This uncertainty continues today, and it is a significant business risk. A policy that's ineffectively governed can create confusion or lead employees to take unnecessary risks with corporate information stored on their devices. What elements does each department need to consider to create a cohesive strategy that both sides have a role in creating, implementing and carrying out?
First and foremost, the IT department needs to have security in mind. IT professionals need to detail exactly what antivirus protection devices must have and which applications are risky and should be banned. Similarly, they need to consider any other relevant elements of data protection. For example, requiring passwords, explaining what happens in the event a device is lost and ensuring all employees are up to date on which devices are permitted all fall within the IT spectrum.
HR will have other considerations in mind. One major task is balancing an employee's privacy concerns and legal issues with the company's needs and ensuring everyone knows what's in the BYOD policy. Similarly, it may be HR's responsibility to make sure everyone knows who pays for new devices or upgrades when they're necessary.
The risks of BYOD are numerous – and they're not all security related. Lawsuits are another drawback of BYOD, though not a very large one.
However, as of early March 2015, California employers are gearing up for class action lawsuits over BYOD expense reimbursement policies. This was expected, as last year a state court decided that companies had to reimburse employees for calls they took on their mobile phones that were work related. This will present new challenges for the BYOD realm and could change how many employers allow workers to use their personal phones for work.
If this class action suit does move forward, it will doubtless change the world of BYOD and the policies companies put together for their employees. This will require both HR and IT departments to stay up to date on the latest developments in BYOD and ensure their policies are not only sound from a security standpoint, but also not in violation of any local legislation.