BYOD (Bring Your Own Device) = BAD IDEA!


Introduction

BYOD (Bring Your Own Device) is a new trend (maybe the norm in some places by now?) where employees bring their personal computers, phones, USB flash drives, etc. to work and use them for work as well as personal needs. Companies are apparently encouraging BYOD based on the theory that it keeps employees happy because they get to use a device of their choice (e.g. iPhone, iPad, Blackberry, Android Tablet, etc.) and the company saves money and gets a more productive employee in the process. On the surface it sounds like a good idea, and companies and individuals are embracing the concept en masse these days. There are, however, some downsides to BYOD for both company and employees that in my mind make BYOD a bad idea!

Downside for the Company

I can imagine that for some companies the cost savings alone will drive them to a BYOD policy. Depending on the industry and type of work being done on the devices, a BYOD approach may be a big cost saver provided the company can also live with the potential downsides. What are some of those downsides? I’m not sure I can list them all, but here are a few to get you started:

  1. What if a BYOD with company data is lost or stolen? Is the employee or company responsible for the loss?
  2. What if a BYOD is corrupted with a virus, trojan, worm or other form of malware that results in a data breach? How do you explain that to the Board of Directors, shareholders, customers, or, in the case of HIPAA or Sarbanes-Oxley, the government auditors?
  3. What if a BYOD results in the infection of the corporate network with a virus or malware? Who is fired? The employee? The overwhelmed IT guy? Or the hot-shot manager who last year got the big promotion because of all the money he supposedly saved the company by implementing a BYOD policy?
  4. Can the corporate data on the BYOD be encrypted? If so, who has the passwords and keys? What happens if the passwords or keys are lost or stolen?
  5. Does the BYOD have remote wipe capability? If so, who decides and under what circumstances is it wiped?
  6. How is the data on the BYOD backed up? Does the backup include just corporate data or does it back up everything, including personal information? If it’s only supposed to back up corporate data, how does the line get drawn between personal and corporate data?
  7. What happens to the data on a BYOD if an employee quits or is terminated? Does the company have rights to the entire device or just the data on the device? Even if the company can get access to the BYOD how can they be assured of removing all traces of company data without either destroying the device or destroying personal data of the employee in the process?
  8. Who is responsible for managing the BYOD? If it’s the company, then the employee won’t be happy. If it’s the employee, the company won’t be happy. If it’s shared responsibility, then neither will be happy!
  9. Will your IT person commit suicide because of BYOD? BYOD has to be an IT person’s worst nightmare! They are caught in the middle between the employee and the company and will never be able to make either side 100% happy. Moreover, there’s absolutely no way that any IT professional can run a secure network if the owners and employees are allowed to connect BYODs that were on the coffee shop WiFi at lunch or being used to surf porn sites from the hotel network the night before! From the perspective of an IT department, BYOD has to be the worst idea since unsecured WiFi!

The above list is in no way comprehensive, but it should get you thinking before you adopt a formal BYOD policy in your company or small business. More importantly, it might also get you to realize that your employees are likely already using their own devices for work even though you have no formal policy as such! Given the downside risks, you now realize you have a lot of work ahead in crafting a formal BYOD policy or somehow disentangling yourself from the unofficial BYOD policy you already have established!

Downside for the Employee

One of the big attractions to BYOD from an employee perspective is the notion that they get to use a device that they like, or maybe in the case of Apple’s products, actually love! The employees are supposedly more productive because they are familiar with the devices and software on them. They also feel comfortable being able to use the social media connections on their favorite device while they are at work. Whether that improves productivity is still up for debate!

As compared to the old days of corporate-issued desktop computers and cell phones, BYOD employees feel freedom to take their work wherever they go. They also like not having to lug along two cell phones and two computers every time they travel. At first glance, BYOD actually seems to make sense from an employee perspective, but there are still some serious downsides to consider:

  1. If you agree to use your device for company business, what rights does your company have to snoop on your machine? Can they read your private files, e-mails, web history? Do they have access to your passwords, your Facebook account?
  2. Do you plan to ask for help from corporate IT when you have problems with the BYOD? If so, then someone in the company will likely have rights to see at least some of the things stored in its memory or hard drive that you might feel are private. Are you really comfortable with that?
  3. Do you share your files from the BYOD on a home network? If so, be careful to turn off those shares when you connect to the corporate network! If you don’t, your boss, the employees down the hall or in the office across town may be able to snoop through all your private stuff. The same happens when you get home and your kids can see your work files on the home network. Trust me, this happens all day long in home offices around the world, so be careful what files and folders you share with your BYOD!
  4. What happens if your BYOD is lost, stolen or broken while you’re doing company work? Does the company replace it or do you? Ask the same question if the device is lost, stolen or broken while you’re off the clock. Maybe you’re better off letting the company buy the device after all?
  5. Does the company have the right to wipe (or remote wipe) the devices? If so, are they wiping just their data or all the data on the device, including your files? How would you feel if your photos, e-mails, texts, etc. were suddenly taken from you because corporate wanted to clear their data?
  6. Does the company back up the BYOD to their network? If so, it most likely is capturing some of your private data too. Do you really want copies of your photos, texts, e-mails, phone numbers, etc. on the company server?
  7. What happens if you quit or are terminated? Does the company have the right to look through your personal device and remove their data before you leave? How will they do that without either seeing or destroying your private data?
  8. Are you taking on added responsibility and / or liability by using your own devices and not a company issued and managed computer or phone? Is the company assuming that you will manage the BYOD according to their standards or yours? If the former, do you know what those standards are? Just because they aren’t written somewhere doesn’t mean they don’t exist in the mind of your employer or boss!
  9. Do you let your spouse, children or friends use the BYOD? Do you really think that’s a good idea if the device has corporate data on it? What happens if one of them inadvertently deletes the corporate data? What happens if they infect the device with a virus or worm that then propagates to the company network? Do you think there’s any chance you wouldn’t be fired if something like that happened? You should definitely think twice before letting anyone use a BYOD that contains corporate data!

As you can see from this short list there are some serious downsides to the BYOD idea for employees. I’m sure many of you can think of more situations where having a device with company data in your constant care might not be such a great thing after all even if it means you get to use your iPad at work! I would caution employees to think hard before signing a BYOD type agreement with an employer. More importantly, I would caution you to avoid bringing your devices to work in situations where there is no formal BYOD agreement in place, because in doing so you may find that you’ve increased your level of risk and responsibility within the company without getting any measurable upside benefits.

Summary

Putting on my small business owner hat, I think the downsides of BYOD more than outweigh the advantages. Hardware is cheap these days. It’s cheaper to buy and manage good hardware and software for your employees than it is to attempt to manage the enormous diversity of devices that your employees might bring to the job. If employees insist that certain types of hardware or software help their productivity, then just buy and manage it for them and insist that it’s for company use only. If you do this, your IT department will thank you, and will be able to do a better job for you. By limiting the scope of hardware and software on the corporate network, and limiting their responsibility to only devices owned and operated by the company, your IT guy or gal will have a better chance of creating and maintaining a secure and reliable corporate network and keeping employees happy too.

From the employee perspective, I think it’s also clear that you don’t want to entangle your personal devices with company networks or politics. You’re better off to ask that the company give you the tools and devices you need to do your job. If you then use these devices only for work related activities you will never have to worry about your private data and what should happen should your employer get hold of it.

Note

I decided to blog on this topic after hearing of several incidents lately where employees were using their own personal computers at a company operating in a health related field. It seemed that the company in question didn’t have a BYOD policy and the IT people were not actively managing the BYODs for security threats. I felt that this unwritten policy could eventually leave the company in a pickle should there be a data breach resulting in a HIPAA violation as a result of the BYODs. I expect this is happening in a lot of places without anyone really thinking about the ramifications for either company or employees. I’m sure many of you reading this are facing similar situations. I’d be interested to hear how you are managing the issue. Comments welcome!

JR

 
