Monthly Archives: May 2013

BYOD & Corporate Data: It’s Time to Formalize this Party

Employees across the US are increasingly using their own cell phones and other mobile devices for work, in addition to personal or non-work purposes.  This trend has been dubbed Bring Your Own Device (“BYOD”), and according to a recent Cisco survey, 90% of Americans use their smartphones for work.  Depending on the level of the employee, or the “distro” lists of which that employee is a member, there may be a significant risk that such a device contains confidential business information that is vulnerable to loss.

The BYOD trend is probably here to stay. Employees prefer their personal devices over unfamiliar employer-sourced devices.  According to an InfoWorld article, internal helpdesk support calls drop from an average of 4.5 per user per year to 2.5 when employees use their own devices.  Employers, at the same time, save money by not having to provide the devices or procure the underlying data and service plans.  Clearly, companies and their employees alike are capitalizing on the benefits of BYOD.  Here’s a great picture, courtesy of Logicalis, that depicts some interesting trends within the BYOD landscape:

Logicalis graphic.

But, at the same time, the risks associated with a BYOD program cannot be ignored.  One such risk is to corporate information security.  If a company does not have a strategy for managing a BYOD rollout, then corporate email, calendars, financial data, proprietary data, trade secrets, third-party data subject to non-disclosure agreements, and on and on, can all be vulnerable to loss or misappropriation.  And, as some reports would seem to indicate, this risk has largely gone unmitigated: some 40% of employees who use their personal smartphone for work purposes don’t even have a password to lock/unlock their device.

Dismal as that statistic is, US IT departments are leading the way in managing BYOD.  According to Ovum Research, of the 20 countries it surveyed, US employees are the most likely to have signed a BYOD policy at work.  While that is certainly an accomplishment, the fact remains that 70% of US employees using their own devices at work have not signed any corporate policy governing BYOD.  The time has come to develop industry standards and best practices for BYOD programs.  Luckily, many in the IT and IS fields are far ahead of their counterparts in legal and HR.  I’ll lean on one such expert at IT Manager Daily.  As described in a recent post, BYOD programs call for three critical components:

  1. A software application for managing the devices connecting to the network;
  2. A written policy outlining the responsibilities of both the employer and employees; and,
  3. An agreement that employees sign, acknowledging that they have read and understand the policy.

While the enterprise mobility management software (#1 above) is absolutely indispensable to a successful BYOD implementation, I’d like to focus on a few elements that a BYOD policy should address.

First, the BYOD policy should address three related areas of federal employment law, namely discrimination, labor standards, and labor relations.  As Kenneth Vanko recently posted,

“First, the BYOD policy should ensure that the device is not used in a manner that could lead to discrimination or harassment suits. Second, the employer can’t inadvertently run afoul of the Fair Labor Standards Act. Specifically, non-exempt employees should not be permitted to use the device during non-working hours for work purposes. Third, with the National Labor Relations Board cracking down on the use of social media policies, a comprehensive BYOD should specifically provide that the policy does not preclude employees from discussing the terms of their employment, or anything else that can be described as concerted activity under the NLRA.”

Second, the BYOD policy should address security directly and specifically as it relates to the unique ways in which we all use mobile devices.  For example, a comprehensive policy should address at a minimum:

  • Company’s unilateral right to wipe a lost/stolen device of all company confidential information
  • Company’s unilateral right to wipe a device of all company confidential information upon employee’s termination or resignation
  • Company’s control of certain platform-specific mechanisms, such as:
    • Password for logging in
    • Minimum standards for password strength
    • Disablement after repeated failed logins
    • Self-locking after idle

Third, the BYOD policy should address how its provisions will be enforced.  Beyond conventional managerial reprimands and HR-type repercussions, the policy should describe IT-type terms or limitations of use.  For example, consider including a provision stating that if certain unauthorized use is made of the device, or certain prohibited content is accessed, then access to corporate data (such as email or calendars) will be blocked until such time as the device is returned to a conforming state.  Taking the concept one step further, consider wiping all corporate data from the device for repeated failure to comply with the terms of use contained in the policy.
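The platform-specific mechanisms listed above (login password, minimum strength, lockout after repeated failures, self-lock after idle) and the enforcement ideas in this paragraph (block corporate email until the device conforms, wipe corporate data on termination) can be expressed directly as a mobile device mailbox policy.  The following is an added example, not from the original post or from any product it names; it assumes an Exchange Server 2013 or Exchange Online environment, and the policy name, mailbox alias, notification address and numeric thresholds are illustrative choices.

```powershell
# Added example (assumed Exchange 2013 / Exchange Online; names and thresholds are illustrative).
# Splatting keeps one policy bullet per line so the mapping to the written policy is explicit.
$baseline = @{
    Name                         = "BYOD-Baseline"   # assumed policy name
    PasswordEnabled              = $true             # password required to log in
    AllowSimplePassword          = $false            # minimum strength: no 1111 / 1234
    AlphanumericPasswordRequired = $true
    MinPasswordLength            = 8
    MaxPasswordFailedAttempts    = 10                # device disables (wipes) itself after 10 failures
    MaxInactivityTimeLock        = "00:05:00"        # self-lock after 5 idle minutes
    RequireDeviceEncryption      = $true             # protects stored corporate data if the device is lost
    AllowNonProvisionableDevices = $false            # devices that cannot apply the policy may not sync
}
New-MobileDeviceMailboxPolicy @baseline

# Apply the policy to a mailbox (alias assumed).  A device that does not accept the
# settings is refused by the server, so corporate mail and calendar are blocked
# until the device is returned to a conforming state.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "BYOD-Baseline"

# Enforcement: hold unknown devices in quarantine and notify the mobile admins
# (address assumed) rather than granting access by default.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admins@example.com"

# Repeated non-compliance: cut off corporate data access for the mailbox.
Set-CASMailbox -Identity "jdoe" -ActiveSyncEnabled $false

# Termination or resignation: remove only the corporate account data from each of
# the employee's devices.  -AccountOnly is assumed to be supported by the server
# version in use; without it, Clear-MobileDevice performs a full device wipe.
Get-MobileDevice -Mailbox "jdoe" | ForEach-Object {
    Clear-MobileDevice -Identity $_.Identity -AccountOnly -Confirm:$false
}
```

Each step is a normal administrative cmdlet; a similar mapping exists in other enterprise mobility management products, which is why the written policy should name the controls rather than the product.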

Lastly, consider whether the policy addresses prohibited uses of the device regardless of whether such use is business or personal, or is made “on” or “off the clock”.  For example, it may be prudent to create a bright-line rule for certain uses such as storing or transmitting: illicit materials, proprietary information belonging to another company, material that harasses other employees, or materials related to an employee’s outside business activities.  Ultimately, such a mechanism (like many of the mechanisms described above) must be considered in light of a company’s IT constraints.  Depending on the capabilities of the chosen enterprise mobility management software, enforcing a BYOD policy may be a challenge; however, as more enterprise software companies push the BYOD envelope even further, I imagine that BYOD security and mobility management will simply become another COTS module that corporate IT teams integrate with their existing systems.

No matter how a company decides to articulate its specific BYOD policy, it must, at the end of the day, be well communicated and easy for employees to follow.  A concerted effort from multiple stakeholders representing IT, Legal, HR, Finance, Communications, and Procurement should lead to a BYOD implementation that keeps employees happy and corporate data safe.