“Bring Your Own Device,” or BYOD, is quickly becoming a workplace technology trend. Essentially, BYOD is the policy of allowing employees to bring their personally owned devices, such as smartphones, laptops and tablets, to work and to use those devices to access private company information, systems and applications. Wait, hold on; what happened to the fear of malware arriving through the apps on a personal phone, or of unsecured devices on the corporate network? Yes, times are changing, and today this practice is not only accepted but gaining traction; it also introduces a new set of risks.
What, Why and How?
Although the term BYOD was not widely recognized until 2011, its origins can be traced to 2009 at Intel, when the company noticed an increasing number of employees bringing their own devices to work and connecting them to the corporate network.1 There is a lot of talk suggesting BYOD will be the next big shift in corporate computing, and yet there is a lot of confusion about the implications for the IT department. How would data security be managed? Would IT be tasked with supporting every conceivable computing device? How would IT keep track of personal devices, and would this overtax the group? On the other side of the spectrum, organizations see BYOD as an opportunity to increase employee productivity on devices employees already like, while reducing the company’s mobile expenses.
Many organizations are implementing a BYOD policy with varying approaches – and varying results. Some companies with BYOD models require employees to cover all costs (purchase, monthly fees, etc.), while others may partially reimburse employees. Businesses that embrace a BYOD policy are seeing a reduction in their mobile expenses as mobile device costs become the employee’s responsibility. Organizations in the technology space are more likely to adopt a liberal BYOD strategy while those in healthcare, government, security and finance may take a conservative approach.
It is predicted that by 2017 half of the world’s companies will implement BYOD programs and will no longer provide computing devices to employees, according to a recent Gartner report. The report also predicted that about 15% of companies will never move to BYOD and about 40% will offer employees the choice of BYOD or company-provided devices.2
Research conducted by HDI in November 2013 indicated an increase in the implementation of BYOD programs for both tablets and mobile phones. It also noted that organizations have implemented improved mobile device management systems with well-defined policies, and are better able to keep up with the pace of mobile device innovation. This evidence reinforces that the industry as a whole is maturing in its support of mobile devices.3
Why has this phenomenon gained traction? First and foremost are the personal and productivity benefits. BYOD is “fueled by users who expect total flexibility in managing their professional and personal business wherever they are, on their device of choice.”4
- Employee Satisfaction - Employees love their own devices and prefer to use them. Furthermore, the familiarity with their device is likely to increase the employee’s motivation and productivity levels.
- One Device vs. Two - For an employee, the BYOD process eliminates the need to carry both a corporate and personal mobile device, making day-to-day activities more manageable. However, some employees may prefer to have strict boundaries between work and personal matters and are likely to maintain multiple devices. Companies see a great benefit from this single-device approach as employees are “always available.” Since their personal device is typically nearby, they are likely to respond more quickly to customer and corporate requests such as emails, texts and social
- Cutting-Edge Devices - Since BYOD devices are personal resources, they tend to be more cutting edge, so the company gains the benefit of the latest features and capabilities without having to pay for these upgrades. Employees also tend to upgrade their personal devices to the latest hardware more frequently than most organizations do.
Unfortunately, not all that glitters is gold. A recent survey by InformationWeek yielded some startling statistics regarding BYOD matters:5
- 7% of BYOD environments do not have password-based access control, simply relying on the company’s BYOD policy.
- Only 53% require password lengths greater than four characters for primary access on the mobile devices.
- 42% do not scan personal devices for malware.
- 45% have had a mobile device where enterprise data came up missing in the past year.
- 13% do not require encryption on devices containing enterprise data.
- 28% stated they were not subject to data protection regulations (e.g., SOX, HIPAA, PCI and state-based laws), even though they likely were.
- 68% support BYOD, but only 39% currently have a mobile device management (MDM) solution.
There are several risks and challenges that must be addressed before an organization implements BYOD.
- Data Security - A personal device can be compromised through a malicious attachment, file or app, and a compromised device that connects to the corporate network can become the foothold for attacks on the rest of that network. With the increased use of smartphones, cybercrime has also gone up.6 Some of the data on the phone could seriously compromise the company’s security if it fell into the wrong hands, and passwords stored inappropriately on the device, or a weak device password, could give a criminal direct access to the company’s corporate systems.
- e-Discovery - This refers to an employer’s legal obligation to access and present critical data in the event of pending litigation. The data may reside on either the corporate or the personal device, and attempting to access corporate data on an employee’s personal device may raise additional legal obstacles because of the employee’s privacy rights. In Lazette v. Kulmatycki (N.D. Ohio, June 5, 2013), the U.S. District Court denied a motion to dismiss the plaintiff’s complaint for invasion of privacy. The former employee, who had been allowed to use a company-issued mobile device for personal email, alleged that after her employment ended her supervisor read 48,000 of her email messages and shared some personal information with third parties. The court held that a company’s search of private employee data on a mobile device could violate the Stored Communications Act because such a search was “unauthorized,” even though in this case the device was owned by the company.7
- BYOD presents four primary challenges for e-discovery8:
- Access and control of data and the device since the company does not own or physically control the devices.
- There are multiple categories of data to consider, such as personal and corporate, which are stored in the same environment.
- Data may reside in various locations, and it is possible that critical corporate data exists solely on the personal device.
- The employer may find it difficult to safeguard and retrieve the data from personal devices.
- Personal Injury - What if an employee files a claim, such as for a repetitive motion injury associated with using their own mobile device; is this compensable? There have already been a few cases in which employees have filed claims arising from the use of their personal devices.9 In a regular work environment, employers can manage their cost and risk through workplace safety training, ergonomically designed equipment, and so on. But what if the employee gets “BlackBerry thumb” from their own device? Can they take action against their employer? Who is responsible? How much of the injury stems from personal versus corporate use of the same device?
- Data Corruption and Deletion - BYOD devices can include laptops, netbooks and ultrabooks in addition to smartphones and tablets. These devices need to be updated to meet the company’s network security requirements, such as software patches and revisions. Imagine that the employee is working on an important personal project, the great American novel, and it ends up being deleted or becomes inaccessible because of a company-required software update or patch. Can the employee take legal action against the employer for this loss? What recourse does the employee have, if any?
- Device Sharing - An employee could be sharing the device with someone else, such as a spouse or child. With multiple users, the device may inadvertently violate corporate policies regarding the apps or sites that can be loaded, used and viewed on it, and the other users may set insecure but easy-to-remember passwords. The result can be corporate data loss or a security breach. There is also potential third-party legal liability for the company if data owned by the spouse or other person sharing the employee’s device is lost. For example, a spouse uses the device to photograph an important one-time life event, and the company, in the course of routine device management, deletes the photos, which are the only copies. How does the company protect itself against claims from the third party when it has no policy or contract with that individual?
- Revoked or Lost Devices - What happens when an employee sells or recycles a device after an upgrade, or their device is stolen or lost? Or what if an employee is terminated or leaves the company? The mobile device contains company information but employees clearly retain their own personal device. Unless the company has a policy in place, this presents potential data breach exposures.
- Compensation Issues - The BYOD program makes it easier for employees to work outside of normal working hours thus presenting some issues under the Fair Labor Standards Act (FLSA). FLSA requires employers to pay non-exempt employees at least minimum wage for all compensable time worked, and to further pay these employees overtime pay for hours worked in excess of 40 hours a week. Generally, compensable time includes work performed for an employer such as responding to emails, time spent on tablets, smartphones and laptops to complete a project, etc. This may constitute compensable time for FLSA purposes which, if not paid, can lead to liability.
Employers who allow non-exempt employees to participate in the BYOD program can minimize this risk by incorporating timekeeping policies in their BYOD program to limit and capture time spent outside of the office or normal business hours and state that employees are expected to report all time worked.10
Is BYOD the way to go for your company?
Adopting BYOD is a company-specific decision that must align with the corporate culture and practices. Some organizations may thrive with it while others may see it as a detriment. A survey conducted by Logicalis concluded that employees in high-growth markets are not only willing to have, but actively welcome, constant access to work data and applications even outside normal business hours. These employees demonstrate a willingness to do whatever it takes and work whatever hours are required in order to advance their careers.
To date, BYOD adoption is most common in companies with revenues between $500 million and $5 billion, but with geographic differences, according to Gartner. The highest rates of adoption are in India, China and Brazil, with the U.S. adopting at twice the European rate.11 If you are thinking of implementing BYOD, here are some questions you need to consider.
- Is mobile access a must?
- What are the goals and benefits of BYOD? (Improved productivity? Better business processes?)
- Which group of your workforce needs mobile access?
- Which data or systems will employees need to access via BYOD?
- What sensitivities are there around these systems and data?
- Are there any other benefits BYOD can offer for your organization?
- Have you done a full risk assessment including assessing the legal issues?
- Will BYOD require the company to establish new HR policies?
If your organization decides to implement BYOD, risks will need to be managed effectively, including employee privacy. Adoption requires striking a balance between the company’s right to monitor, access, review, data-wipe, and disclose company information and the employee’s expectation of privacy and safeguarding of personal data.
Historically, devices resided within the corporate network and were treated as trustworthy. Now, with personal mobile devices and ever-increasing malware and attackers, security and management concerns are at the top of the list. How can we trust these mobile devices, and ensure that they behave, within the corporate network?
Luckily we can counter these risks.
- Mobile Security Expert – Designate a specialist who “educates users on social and behavioral security risks, sets appropriate use policy and helps develop strategies for mobile security and risk mitigation, mobile data protection, mobile OS platform review and mobile application threat management.”12
- BYOD Policy & Procedures - Document and publicize a BYOD policy. According to a recent study, 57.1% of full-time employees partake in some form of BYOD, but only 20% have been asked to read and acknowledge a BYOD policy. Another study found that 78% of firms that moved to BYOD do not have a policy at all.13 Without a policy in place, organizations cannot exercise control over the fine line between corporate and personal use, and cannot adequately protect both parties. Remember, BYOD policies are somewhat complex and require collaboration between HR, Legal and IT.
- Access Control – Require strong passwords or passcodes both to unlock the device and to log on to the network; a four-character PIN does not qualify. The security system should clearly establish the identity of both the user and the device accessing the network (for example, by admitting only enrolled, compliant devices rather than any device that presents a valid user password), with a defined policy governing access levels and which data can be accessed, saved or transferred. Lastly, the system should maintain logs of who accessed the system, when they logged on, and the type of data that was viewed and transferred, so that a lost device or a departed employee can be investigated after the fact.
- Malware and Antivirus - There are some effective technologies available to protect corporate data and keep malware off the company network. Anti-malware software is available and should be installed on personal devices to protect them against the very latest viruses, Trojans, spyware, worms, bots and other malicious code. Other types of software will also include anti-spam technologies to filter unwanted calls and texts on the mobile device. Another feature to consider is anti-phishing tools and policies to help prevent inadvertent visits to fraudulent websites that may try to steal information.
- Geofencing - Some companies have also put “geofencing” in place: a virtual perimeter around a location such as the office, so that certain apps (games, for instance) are allowed only outside the fence or outside company time. The same mechanism can block downloads of high-definition video on tablets that would otherwise clog the company network.
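The geofence check itself is a distance test against a fixed point. The following is an added example, not code from the article or from any MDM product: it assumes a constructed office location and fence radius, and a hypothetical policy in which restricted app categories are allowed anywhere outside the fence, and inside the fence only outside business hours. Distance is computed with the haversine great-circle formula, which is accurate to well under 1% at fence-sized distances.

```python
"""
Geofence evaluation for a BYOD app-usage policy (added example).

Assumptions (not from the article): the office coordinates, the fence
radius, the business-hours window and the restricted categories below
are all constructed for the illustration.
"""
import math
from datetime import datetime, time

EARTH_RADIUS_M = 6_371_000.0

# Constructed office location (degrees) and fence radius in metres.
OFFICE_LAT, OFFICE_LON = 42.3601, -71.0589
OFFICE_RADIUS_M = 200.0

# Hypothetical policy: these categories are blocked inside the fence
# during business hours (Mon-Fri, 09:00-17:30 local time).
BUSINESS_START, BUSINESS_END = time(9, 0), time(17, 30)
RESTRICTED_IN_OFFICE = {"games", "video_streaming"}


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres between two points on a spherical Earth."""
    phi1, phi2 = math.radians(lat1), math.radians(lat2)
    dphi = phi2 - phi1
    dlambda = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(phi1) * math.cos(phi2) * math.sin(dlambda / 2) ** 2)
    return 2 * EARTH_RADIUS_M * math.asin(math.sqrt(a))


def inside_office_fence(lat, lon, radius_m=OFFICE_RADIUS_M):
    """True when the device position lies within the office perimeter."""
    return haversine_m(lat, lon, OFFICE_LAT, OFFICE_LON) <= radius_m


def during_business_hours(when):
    """True on a weekday inside the business-hours window."""
    return when.weekday() < 5 and BUSINESS_START <= when.time() < BUSINESS_END


def app_allowed(category, lat, lon, when):
    """Decide whether an app of `category` may run at (lat, lon) at time `when`.

    `when` is a datetime or an ISO-8601 string. Returns (allowed, reason).
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if category not in RESTRICTED_IN_OFFICE:
        return True, "category not restricted"
    if not inside_office_fence(lat, lon):
        return True, "outside office geofence"
    if not during_business_hours(when):
        return True, "inside geofence but outside business hours"
    return False, "restricted category inside office geofence during business hours"


if __name__ == "__main__":
    # Constructed positions: ~100 m north of the office, and ~1.1 km north.
    for cat, lat, lon, when in [
        ("games", 42.3610, -71.0589, "2013-11-05T10:30"),   # Tuesday, at work
        ("games", 42.3610, -71.0589, "2013-11-05T19:00"),   # Tuesday evening
        ("games", 42.3701, -71.0589, "2013-11-05T10:30"),   # off-site
        ("email", 42.3610, -71.0589, "2013-11-05T10:30"),
    ]:
        print(cat, lat, lon, when, "->", app_allowed(cat, lat, lon, when))
```

In a real deployment the position comes from the MDM agent, not from the app being gated, and the decision should be logged with the device identity so that the access-control records described above show why an app was blocked.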
- MDM or Mobile Device Management – With the variety of personal devices available, it may not be practical to manage them through internal IT alone. Consider mobile device management tools from vendors such as AirWatch, MobileIron, Citrix, Good Technology, IBM and others. These products deploy a security agent onto each device, enforce security policies on it, separate personal and corporate data, and enable “selective wiping” of the corporate data without deleting the employee’s own data. They can also enforce device encryption and protect data when a device is lost or stolen. Encryption is an excellent way of ensuring that data stored on a mobile device is useless to a thief, provided the key is protected by a strong passcode and the agent can destroy or revoke that key when the device is lost or the employee leaves.
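How separation, encryption and selective wipe fit together is easiest to see in code. The following is an added illustration, not code from the article or from any MDM vendor: it models a device with a personal area the agent never touches and a corporate container encrypted under a per-device key that only the agent holds. A selective wipe destroys that key, so the corporate data becomes unrecoverable even if ciphertext lingers on flash, while personal files are untouched; every operation is also recorded in an audit trail of the kind the access-control item above calls for. The cipher is a minimal HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, chosen only to keep the example standard-library-only; a real agent would use AES-GCM from a vetted library with the key in the platform keystore.

```python
"""
Data separation and selective wipe of a managed container (added example).

Everything here, including the ManagedDevice class and the toy cipher,
is hypothetical and constructed for the illustration.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

NONCE_LEN, TAG_LEN = 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """PRF-based keystream: concatenated HMAC(key, nonce || counter) blocks."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def _subkeys(container_key: bytes):
    """Derive independent encryption and MAC keys from the container key."""
    return (hashlib.sha256(b"enc|" + container_key).digest(),
            hashlib.sha256(b"mac|" + container_key).digest())


def seal(container_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(container_key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(container_key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; reject tampering."""
    enc_key, mac_key = _subkeys(container_key)
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("corporate container: integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class ManagedDevice:
    """A BYOD device as seen by a hypothetical MDM agent."""

    def __init__(self, device_id: str, user: str):
        self.device_id, self.user = device_id, user
        self.personal: Dict[str, bytes] = {}     # employee's own data: never managed
        self.corporate: Dict[str, bytes] = {}    # ciphertext only, never plaintext
        self._container_key: Optional[bytes] = secrets.token_bytes(32)
        self.audit: List[str] = []

    def _log(self, event: str) -> None:
        self.audit.append(f"device={self.device_id} user={self.user} {event}")

    def write_personal(self, name: str, data: bytes) -> None:
        self.personal[name] = data               # no logging: outside the agent's scope

    def write_corporate(self, name: str, data: bytes) -> None:
        if self._container_key is None:
            raise PermissionError("corporate container has been wiped")
        self.corporate[name] = seal(self._container_key, data)
        self._log(f"corp_write name={name} bytes={len(data)}")

    def read_corporate(self, name: str) -> bytes:
        if self._container_key is None:
            raise PermissionError("corporate container has been wiped")
        data = open_sealed(self._container_key, self.corporate[name])
        self._log(f"corp_read name={name}")
        return data

    def selective_wipe(self, reason: str) -> None:
        """Destroy the container key. Ciphertext may linger (flash wear
        levelling, backups) but is unreadable without the key."""
        self._container_key = None
        self._log(f"selective_wipe reason={reason!r} corporate_files={len(self.corporate)} "
                  f"personal_files_untouched={len(self.personal)}")


def run_scenario() -> dict:
    """Constructed walk-through: enrol, use, then wipe on departure."""
    dev = ManagedDevice("sn-0001", "alice")
    dev.write_personal("novel.txt", b"Chapter 1. It was a dark and stormy night.")
    dev.write_corporate("q3-forecast.csv", b"region,revenue\nEMEA,1200000\n")
    readable_before = dev.read_corporate("q3-forecast.csv")
    dev.selective_wipe("employee left the company")
    try:
        dev.read_corporate("q3-forecast.csv")
        readable_after = True
    except PermissionError:
        readable_after = False
    return {
        "plaintext_before_wipe": readable_before,
        "readable_after_wipe": readable_after,
        "ciphertext_still_present": "q3-forecast.csv" in dev.corporate,
        "personal_intact": dev.personal["novel.txt"],
        "audit": dev.audit,
    }


if __name__ == "__main__":
    for k, v in run_scenario().items():
        print(k, "=", v)
```

The design point is that "wipe" is a key-destruction operation, not a file-deletion operation: it is fast, it works even when the device is later found to have copies of the container on removable storage or in a backup, and it never needs to enumerate (or touch) the employee's personal files, which is exactly the separation the e-discovery and device-sharing discussions above require.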
Regardless of whether you are already taking advantage of the BYOD trend or you’re simply thinking about it, make sure that you are fully aware of the risks and that you thoughtfully address any potential issues. Security, risk management, remediation and policy development should be considered before setting up a BYOD program. Once implemented, be certain to communicate the new policy and enforce available risk mitigation steps. This up-front investment will ensure that mobile expense savings can be fully realized along with a productive, appreciative workforce. This thoroughness will enable making BYOD a competitive advantage.
To learn more about how OneBeacon Technology Insurance can help you manage online and other technology risks, please contact Dan Bauman, Vice President of Risk Control for OneBeacon Technology Insurance at firstname.lastname@example.org or 262.966.2739.