One of the most popular trends in the IT world right now is the bring-your-own-device (BYOD) approach, where employees use their own mobile device at work. Its another case of new technology creating new problems. Before implementing a BYOD policy, you need to weigh the risks against the cost benefits.
IT departments have spent years working on desktop security and trying to prevent data loss via web and email, but employees are increasingly accessing corporate data with their own smartphones and tablets. As a result, employers have much less control over the security protecting their corporate data. Unlike desktops, very few people have protection against viruses and malware on their smartphones and tablets. Thirty-seven percent of IT decision makers reported that their business had unintentionally exposed corporate data through theft or loss of removable devices in the past two years.
From a legal standpoint, ownership of the smartphone or tablet is irrelevant in case of a lawsuit. Current discovery rules require litigation parties to preserve all relevant electronic data, which will include information stored on employee devices. Employees will need make any personal information stored on their devices accessible, including the history of the websites visited, songs and movies downloaded and played, copy of financial transactions or statements, the list of personal contacts and electronic communications including personal emails, personal phone call, text messages and various social media activities including Facebook, Twitter and VoIP services such as Skype.
While employees may initially be happy to choose their own device for work, that happiness may fade when the reality of the BYOD policy sets in. The IT department may restrict access to certain device features, like the application store, camera and media tagged as explicit. Employees may lose personal information if their device has to be remotely wiped. Employees may also be concerned that the IT department could access their personal data, even though most device management solutions do not allow such intrusions. Finally, if an employee is on a business trip, and loses their smartphone or tablet, there will likely be some confusion as to who is responsible for replacing the device.
Despite the risks, a BYOD policy may be the right choice for your business. You can adopt certain policies, which must be clearly communicated to employees, to help mitigate the risks. Any lost personally-owned or personally-owned devices belonging to a terminated employee should be remotely wiped. Employees should be prohibited from storing confidential corporate data or credit card data on unencrypted devices. Employees should also be prohibited from conducting any company business through the use of personal accounts, such as text messaging or email. And, as with all technology-based policies, it’s important to remember that the policies must evolve and change along with the technology, as it seems like smartphones and tablets have new features every day.