Bring Your Own Device (BYOD) is the set of policies in a business that allows employees to use their own devices – phone, laptop, tablet or whatever – to access business applications and data, rather than forcing employees to use company-provided devices for that purpose.
BYOD also refers to the ability to bring one’s own mobile phone to a new carrier, but this article will focus only on the first definition as it applies to IT organizations.
BYOD has made a huge impact in organizations, and research indicates that nearly 80 percent of all organizations support BYOD personal devices today, while another survey found that about 95 percent of employees state they use at least one BYOD device for work functions.
Some of the many BYOD benefits include:
- Productivity gains by employees
- Improved morale and convenience
- Easier to attract new hires compared to non-BYOD companies
- Company cost savings
- Higher job satisfaction
- Fewer smartphones for employees to carry
- Better overall user experience since employees typically know how to use their own devices
The consumerization of IT has had a far-reaching impact. Employees increasingly want to use their favored devices – whether Mac, PC laptop, iPhone, Android, or whatever else may come. As a result, enterprises have created mobile applications, which in many instances give business owners simpler, easier-to-manage solutions. There are a number of reasons why BYOD is important, including:
- Improved employee productivity. Employees who have the ability to use a favored, familiar device are likely to be more productive than those who are forced to learn the ins and outs of unfamiliar equipment. More importantly, employees find it easier to work from home or other locations when they do not have to switch devices.
- Device cost savings. More BYOD translates to fewer company assets to issue, track, manage, repair, upgrade, and maintain.
- Simplified onboarding and offboarding. BYOD MDM tools can enable or disable company network access without the need to modify the BYOD device.
- Better employee relations. Employees with BYOD devices feel more in control of their environment, are often more productive when they feel empowered with BYOD and are more apt to work remotely when they can use the same device.
- BYOD as a perk. For many employees, BYOD demonstrates the company is forward-thinking and tech-savvy. Most employees receive some reimbursement for using their BYOD devices, since organizations see substantial savings by not having to purchase and maintain those devices.
There are a number of modes of BYOD operation. First, the organization should establish security policies for every device since weak passwords and unsecured devices can lead to data loss. BYOD policies should establish:
- Minimum security controls including data encryption and password strength
- What type of enterprise data can be stored on local devices (if any)
- Whether timeout controls and auto-lock features will be enforced
- Which mobile device security or mobile device management (MDM) software must be installed on BYOD devices, if any
- Whether the organization is authorized to remotely wipe the device of business information if lost, if employment is terminated, or if a policy breach is detected
A business's level of security procedures will depend on the type of organization; for example, finance or healthcare organizations require higher levels of security than a small start-up web design firm. Once security policies are established, organizations should define acceptable usage guidelines to determine how BYOD devices may be used during the course of business activities. This will help prevent malware or viruses from gaining access through unsecured websites and applications. These policies should cover:
- Acceptable applications for employees to access from personal devices, with a clear delineation of the types of applications acceptable – and those that are not.
- Which websites are off-limits while connected to enterprise resources, corporate networks, or VPNs.
- Which enterprise applications and data can be accessed from user devices, e.g. email, calendar, messaging, contacts, etc.
- Storage and transmission of illicit material, or use of personal devices for other outside business activities
Policies should be enforced through the use of BYOD MDM software, which enables monitoring, managing, and configuring BYOD and employer-owned devices from a single central dashboard. Typical MDM functionality for BYOD includes:
- Automatic scans of BYOD devices for threats, including blocking dangerous applications from the corporate network
- Pushing anti-malware updates to devices and ensuring their installation
- Remote installation of updates and patches to OS and applications
- Security policy enforcement
- Automatic backup of enterprise applications and data periodically or on demand
- Wiping lost, stolen, or compromised devices remotely
Once BYOD policies are established, they must be communicated to employees and sufficient training provided to make adoption simple and widespread. A training manual for new hires that outlines the policies and why they were chosen can help alleviate fears of the organization ‘spying’ on employees and help increase their comfort level with policies and MDM software alike. This should conclude with every BYOD employee agreeing that they have read and understood these policies to protect the organization from any liability caused by illegal or inappropriate use of their devices.
Finally, BYOD plans should include an exit plan for employees who leave, regardless of their reason for departure. This should include an HR and network directory exit plan and a BYOD exit checklist that covers disabling company email accounts, remotely wiping employer information from devices, entirely wiping company-issued devices, and changing any shared passwords for company accounts.
Additionally, BYOD policies could include defining a stipend from the company to help pay for BYOD data plans or home broadband connectivity, and whether employees who check email or answer business calls after hours are entitled to overtime compensation.
Although the benefits of BYOD are many, there are significant risks to the organization. Businesses must define and deploy security policies and measures to prevent or repair security holes and to stop the exfiltration of intellectual property or protected information. An IDG survey found that over half of all senior IT security and technology professionals reported that serious violations of personal mobile device use occurred in their organizations.
Since BYOD devices connect both to sensitive corporate applications and potentially risky networks and services, the risk of malware infection or data exfiltration is high. Loss of a BYOD device could lead to third parties accessing unsecured data or applications, and even an employee who leaves the company can put enterprise data at risk if the sensitive information is not deleted or applications wiped from the BYOD device. Other risks include devices that are shared by family members, devices that are sold while still retaining sensitive information, or devices compromised by an employee visit to an infected website. Even the use of public hotspots presents a security risk.
Organizations must ensure that all applications and OS versions on BYOD devices are up-to-date since malware threats often target recently uncovered vulnerabilities. Businesses must have the agility to support a broad range of devices, which can put a large burden on the IT organization; that burden can be addressed by outsourcing MDM to an organization focused on ensuring BYOD security. Some of these challenges can be addressed by containerization and app virtualization, which package enterprise applications and stream them to BYOD devices, ensuring that every employee has the most current version of a given application.
Another risk often overlooked is the simple determination of who ‘owns’ a phone number. This is a particular issue for salespeople or others in key customer-facing roles, whose customers may have become accustomed to reaching the business via the employee’s personal mobile number. If a key salesperson leaves the organization for another job, those customers may potentially be calling a competitor when they think they are calling the organization.
Although there are many considerations for effective BYOD deployment, here are three key factors to help bring a plan into focus.
First, assess the current business and technology requirements for user devices. Gain an understanding of the mobile application requirements that will help employees do their jobs and determine what data needs to be accessed from mobile devices. Determine which applications are critical, which can currently provide secure information access, and which might be considered for replacement with newer, cloud-based or SaaS applications.
Next, decide if BYOD and MDM software will be delivered from on-premises servers, from a third-party service, or from the cloud.
Finally, draft a BYOD policy that business leaders and employees can agree to, as outlined at the beginning of this article. Adopting a policy and having employees sign on to the terms of that policy will help keep the organization’s applications and data safe while offering the employees the convenience of using their own devices for both business and personal access.