BYOD – Hype or sustainable trend?
→ Wolfgang G. Tichy
Employees increasingly want to integrate their private devices into their firm’s IT network. This raises significant legal issues for employers and employees alike, including possible damage claims.
By 2017, half of all employers will require workers to supply their own devices for work purposes.
The trend of Bring[ing] Your Own Device (BYOD) to the office is currently the biggest technological development impacting our work environment. A recently published study established that by 2016, 38 percent of companies expect to stop providing devices to workers and let them use their own. By 2017, half of all employers will require workers to supply their own devices for work purposes.1 In 2013, Shell introduced BYOD for ca 135,000 employees and Cisco did the same for 46,000 smartphones and 14,000 tablets. Nearly 50 percent of all Britons already use their personal digital devices for work-related purposes; however, only a small fraction of the survey participants said that their employer had the appropriate technical and legal framework for doing so. BYOD is not a hype that will vanish sooner than later; instead, it is a trend that has already changed how we use electronic tools and devices for work purposes.
The BYOD trend clearly emanated from the employees and not from the employers or their IT departments. Employees increasingly prefer using their own “stylish” smartphones and want to avoid carrying two devices – their privately-owned one and that provided by the employer. In doing so, employees often take their cue (with somewhat of a time lag) from the top management, which wanted to use their privately-owned tablets (above all, iPads) instead of clunky laptops. The end result is that IT departments are increasingly under pressure to integrate personal digital devices in their firm’s IT systems. This trend raises a whole host of issues for the IT specialists, as they are tasked with ensuring the systems’ security and functionality.
Benefits of BYOD – wishful thinking?
The advantages of BYOD are well known: primarily, more comfort, greater flexibility, improved employee motivation and satisfaction, which results in greater efficiency. Also, increased employee availability is attributed to BYOD, as employees are less likely to turn off their private devices after leaving their workplace. Recent studies suggest that these benefits are for real. However, employers are also expecting BYOD to provide relief for their IT budgets, as the devices are paid for by the employees, not the employers; hardware investment costs should therefore decrease. On the other hand, it remains to be seen which effects BYOD will have on the IT budgets, due to the dramatically increased security concerns and probably higher support efforts they bring about. Supporting several types of devices running on different platforms will require a more flexible, better staffed and trained IT department. In the end, the economic effect of BYOD will also depend on the actual policy established by each individual company: employers need to decide how to handle the theft of or damage to devices, as well as fees for cellular networks, especially when roaming. These costs will obviously substantially affect overall BYOD costs.
How to do a tailor-made BYOD policy
Security issues emanating from privately-owned and controlled devices operated in firms’ IT networks are the most apparent and evident pitfalls when allowing BYOD. Employers need to be aware that addressing these issues by technical means (ie by using appropriate security systems and software) is an absolute must, albeit only one side of the coin. Having the right BYOD policy in place, namely one which tells users what to do with their devices and what not, is the other side. Without such policy, the employer will not be able to protect itself against the claims of third parties or even those of employees if damages occur.
A common mistake committed by employers is to allow BYOD in a first step, then to introduce security systems and software, and to finally set up a policy and have employees agree to that policy. Basically, the exact opposite approach should be chosen: first, the company should analyse what kind of mobile strategy it wants to implement. After the basic strategy has been agreed, the risks associated with this strategy need to be analysed and, if required, the strategy should be adapted. After this step has been finalized, the BYOD policy needs to established, as this policy will put the strategy into practice, but will at the same time try to mitigate most of the risks from a legal and practical perspective. Obviously, the process of establishing a policy needs to be carried out in close interaction among the relevant specialists from the legal, IT and business sides. Only after the policy has been finalized should the IT department be instructed to set up the relevant IT (security) systems. It goes without saying that privately-owned devices should not be operated in the firms’ IT systems before the relevant IT systems are up and running.