Before allowing employees to use their own smartphones and tablets, organizations should have a clear understanding of BYOD pros and cons and their potential long-term effects.
The bring your own device (BYOD) movement
Users have grown accustomed to -- and indeed expect -- the ease, efficiency and mobility their smartphones and tablets offer. So enamored are they with their devices, they've begun bringing them into the workplace and using them to do their jobs. The BYOD trend can make it easier for workers to accomplish their tasks, thanks to simple-to-use mobile applications that allow employees to access and share data more smoothly. Users can work just about anywhere at any time without having to save files to flash drives or email documents from one account to another.
More on BYOD pros and cons
BYOD challenges that quell adoption
Four of the biggest BYOD hang-ups
Beyond networking security lurk more BYOD snags
Users can also update smartphones and tablet software more easily than traditional corporate technology, which means their devices tend to stay more current and cutting-edge. Workers are also more invested in their own devices and can customize them to meet their own needs. And the flexibility BYOD offers makes employees more likely to put in more hours each week, regardless of where they're located or the time of day.
Yet BYOD can mean more than increased productivity. Employees who use their own devices for work might save their employers money, at least in some areas. The most obvious savings, of course, are with the devices themselves. Organizations that would normally provide devices to their mobile workers no longer need to, and the workers themselves require fewer training resources. BYOD can even minimize application outlay if workers take advantage of the many consumer apps available to do their jobs, such as Evernote and Dropbox. Workers often pay for most or all the data and voice services, as well as other associated expenses. As a result, the enterprise avoids spending money on devices their workers don't want in the first place, and workers are more likely to take better care of the devices, which can reduce support costs and improve security.
Despite the advantages that BYOD programs offer, implementing one should not be taken lightly. Take, for example, the assumption that BYOD will result in cost savings. Although true in some areas, the enterprise must often commit resources in other ways. Line-of-business applications must be adapted for different devices, increasing support costs and making centralized app management necessary. For this reason, many organizations dole out funds for mobile management tools to control personal devices and their applications.
Companies will also need to develop the strategies and policies necessary to implement a BYOD program and enforce those policies once the program has been put in place. In addition, organizations must invest in educating employees on the risks and responsibilities associated with using their devices in the workplace.
IT can expect increased support costs associated with helping employees comply with BYOD policies. Developers will call on admins to help plan and implement apps on the various devices, and admins will have to simultaneously ensure that the implementations don't put corporate resources at risks. IT must also be prepared for the additional strain on the corporate infrastructure from personal devices connecting to their internal systems.
Yet even more important than the costs incurred by a BYOD program are the security risks of letting workers store sensitive data on their own devices. What happens if a device is lost, stolen or infected with malware? A company has less control over the devices it doesn't own, making it easier for sensitive data to be compromised. Company-issued devices usually come with an acceptable-use policy, but it's a lot more difficult for IT to tell workers what is acceptable on their own smartphones and tablets. Plus, when an employee leaves the company, his device leaves too, and the organization might be unable to reclaim sensitive data.
At the same time, IT must contend with workers' privacy concerns about employer access to personal contacts, messages, emails, installed apps and other data. IT should be able to protect the organization's sensitive data while preserving workers' rights to privacy, which is not always an easy balance to maintain.
An organization planning a BYOD program must also take into account any compliance mandates that govern information security and safeguard specific data. Even if workers use their own devices, the organization must still ensure that the data is protected as required by regulation and law. The enterprise must also understand the liability it faces if sensitive data is compromised, whether or not the storage or transmission of that information is governed regulations. Planning a BYOD strategy should no doubt include seeking out legal advice, not only for understanding liability issues, but privacy as well.
Moving ahead with BYOD
Implementing a program requires careful consideration of BYOD pros and cons. But the tide is tough to turn back, and many organizations are accepting the trend as a fait accompli. Before an organization implements a BYOD program, it should have in place a set of policies that fully explain acceptable use of personal devices in the workplace. The policies should address such issues as securing data, application usage, protecting privacy, compliance and what happens when an employee loses a device or leaves the company. Each employee who participates in the program must fully understand and agree to those policies.
A big part of planning a BYOD program should be determining how enterprise apps will be delivered and maintained. Fortunately, mobile application management tools are maturing quickly, making it possible to more easily separate enterprise apps and data from personal information. Some organizations are moving to an app-only management strategy in which the focus is on enterprise apps and how sensitive data is stored and shared on devices, eliminating the need to manage devices themselves. Some organizations have implemented virtual environments or virtual private networks to avoid any sensitive data being stored on workers' devices. Whatever strategy the organization employs, it should be implemented in conjunction with the BYOD program and its policies, not thrown in as an afterthought.
The success of a program will depend in large part on how well the organization understands the BYOD pros and cons and what it will take to mitigate risks. IT should know how workers will be using their personal devices to conduct business and have the ability to ensure data cannot be easily compromised. In the end, a well-defined program and well-educated workforce are the best strategies for ensuring a successful BYOD program.
This was first published in March 2013