BYOD – Hype or sustainable trend?

→ Wolfgang G. Tichy

Employees increasingly want to integrate their private devices into their firm’s IT network. This raises significant legal issues for employers and employees alike, including possible damage claims.

By 2017, half of all employers will require workers to supply their own devices for work purposes.

The trend of Bring[ing] Your Own Device (BYOD) to the office is cur­rent­ly the biggest tech­no­log­i­cal devel­op­ment impact­ing our work envi­ron­ment. A recent­ly pub­lished study estab­lished that by 2016, 38 per­cent of com­pa­nies expect to stop pro­vid­ing devices to work­ers and let them use their own. By 2017, half of all employ­ers will require work­ers to sup­ply their own devices for work pur­pos­es.¹ In 2013, Shell intro­duced BYOD for ca 135,000 employ­ees and Cis­co did the same for 46,000 smart­phones and 14,000 tablets. Near­ly 50 per­cent of all Britons already use their per­son­al dig­i­tal devices for work-relat­ed pur­pos­es; how­ev­er, only a small frac­tion of the sur­vey par­tic­i­pants said that their employ­er had the appro­pri­ate tech­ni­cal and legal frame­work for doing so. BYOD is not a hype that will van­ish soon­er than lat­er; instead, it is a trend that has already changed how we use elec­tron­ic tools and devices for work pur­pos­es.

The BYOD trend clear­ly emanat­ed from the employ­ees and not from the employ­ers or their IT depart­ments. Employ­ees increas­ing­ly pre­fer using their own “styl­ish” smart­phones and want to avoid car­ry­ing two devices – their pri­vate­ly-owned one and that pro­vid­ed by the employ­er. In doing so, employ­ees often take their cue (with some­what of a time lag) from the top man­age­ment, which want­ed to use their pri­vate­ly-owned tablets (above all, iPads) instead of clunky lap­tops. The end result is that IT depart­ments are increas­ing­ly under pres­sure to inte­grate per­son­al dig­i­tal devices in their firm’s IT sys­tems. This trend rais­es a whole host of issues for the IT spe­cial­ists, as they are tasked with ensur­ing the sys­tems’ secu­ri­ty and func­tion­al­i­ty.

Ben­e­fits of BYOD – wish­ful think­ing?

The advan­tages of BYOD are well known: pri­mar­i­ly, more com­fort, greater flex­i­bil­i­ty, improved employ­ee moti­va­tion and sat­is­fac­tion, which results in greater effi­cien­cy. Also, increased employ­ee avail­abil­i­ty is attrib­uted to BYOD, as employ­ees are less like­ly to turn off their pri­vate devices after leav­ing their work­place. Recent stud­ies sug­gest that these ben­e­fits are for real. How­ev­er, employ­ers are also expect­ing BYOD to pro­vide relief for their IT bud­gets, as the devices are paid for by the employ­ees, not the employ­ers; hard­ware invest­ment costs should there­fore decrease. On the oth­er hand, it remains to be seen which effects BYOD will have on the IT bud­gets, due to the dra­mat­i­cal­ly increased secu­ri­ty con­cerns and prob­a­bly high­er sup­port efforts they bring about. Sup­port­ing sev­er­al types of devices run­ning on dif­fer­ent plat­forms will require a more flex­i­ble, bet­ter staffed and trained IT depart­ment. In the end, the eco­nom­ic effect of BYOD will also depend on the actu­al pol­i­cy estab­lished by each indi­vid­ual com­pa­ny: employ­ers need to decide how to han­dle the theft of or dam­age to devices, as well as fees for cel­lu­lar net­works, espe­cial­ly when roam­ing. These costs will obvi­ous­ly sub­stan­tial­ly affect over­all BYOD costs.

How to do a tai­lor-made BYOD pol­i­cy

Secu­ri­ty issues ema­nat­ing from pri­vate­ly-owned and con­trolled devices oper­at­ed in firms’ IT net­works are the most appar­ent and evi­dent pit­falls when allow­ing BYOD. Employ­ers need to be aware that address­ing these issues by tech­ni­cal means (ie by using appro­pri­ate secu­ri­ty sys­tems and soft­ware) is an absolute must, albeit only one side of the coin. Hav­ing the right BYOD pol­i­cy in place, name­ly one which tells users what to do with their devices and what not, is the oth­er side. With­out such pol­i­cy, the employ­er will not be able to pro­tect itself against the claims of third par­ties or even those of employ­ees if dam­ages occur.

A com­mon mis­take com­mit­ted by employ­ers is to allow BYOD in a first step, then to intro­duce secu­ri­ty sys­tems and soft­ware, and to final­ly set up a pol­i­cy and have employ­ees agree to that pol­i­cy. Basi­cal­ly, the exact oppo­site approach should be cho­sen: first, the com­pa­ny should analyse what kind of mobile strat­e­gy it wants to imple­ment. After the basic strat­e­gy has been agreed, the risks asso­ci­at­ed with this strat­e­gy need to be analysed and, if required, the strat­e­gy should be adapt­ed. After this step has been final­ized, the BYOD pol­i­cy needs to estab­lished, as this pol­i­cy will put the strat­e­gy into prac­tice, but will at the same time try to mit­i­gate most of the risks from a legal and prac­ti­cal per­spec­tive. Obvi­ous­ly, the process of estab­lish­ing a pol­i­cy needs to be car­ried out in close inter­ac­tion among the rel­e­vant spe­cial­ists from the legal, IT and busi­ness sides. Only after the pol­i­cy has been final­ized should the IT depart­ment be instruct­ed to set up the rel­e­vant IT (secu­ri­ty) sys­tems. It goes with­out say­ing that pri­vate­ly-owned devices should not be oper­at­ed in the firms’ IT sys­tems before the rel­e­vant IT sys­tems are up and run­ning.

Having the right BYOD policy in place, namely one which tells the users what to do with their devices and what not, is a must. Without such policy, the employer will not be able to protect itself against the claims of third parties or even those of employees if damages occur.

1

http://www.gartner.com/newsroom/id/2466615