Don’t Let BYOD Backfire on Your Business

BYOD policies could easily backfire on businesses, unless closely monitored to maintain benefits for employees and the company.  I recently wrote a 3-part series on the Microsoft Security Blog called Motivations, Risks and Rewards of the BYOD Trend that examined what the BYOD trend is and then looked at it from the perspective of employees and the perspective of organizations.

Few topics have evoked such responses as I got from this series, such as this comment from Jane:

A sad example of workplace pushing off its responsibility to workers.

Many social services require staff to transport clients in their OWN car, and do not offer to pay increased insurance costs. The employer is supposed to provide the tools, equipment and safety measures to the worker. The idea that you bring the tools to work makes the worker more of a private contractor. Several issues arise such as …who then owns the intellectual property if the worker brings their own computer or phone? Several boundary issues emerge if workers blend information used/shared with personal mail lists. This idea saves a buck but the industry loses control over its property.

What compensation is offered for worker providing essential equipment to the company? Sadly we just continue to see erosion of the employee benefits, pay and inflation of taxes that cut into a good standard of living for workers.

Another comment was even more explicit, stating that in his case, the “win” was strictly on the company side:

… First, as happened in my case, subsidies were offered to get people to turn in the company Blackberry, and then once BYOD was entrenched the subsidy disappeared due to “cost cutting”. Second, “BYOD” soon became a requirement and managers fully expected employees to be on call at all times.

The win here was strictly on the company side as they no longer had to buy, maintain nor support devices and actually increased the ability to “reach out and touch you” 24×7.

Recall that BYOD was a trend originally initiated by employees: from the user’s perspective, BYOD means using devices and applications that are more familiar, and with which the user is more comfortable. Being able to choose hardware and platforms creates more satisfied and productive workers. Our research found that 40% of the people we surveyed consider it very important to be able to use personal devices at work, and 67% reported they are already doing so, whether sanctioned by their employer or not. There are some caveats as well, but in general it seems that a majority of users are in favor of BYOD.

We also found that 53% of organizations officially condone BYOD practices, but no single best practice has yet emerged for managing the trend.  As you can see from the chart, there are actually more companies that prohibit BYOD than allow and subsidize it.

Of course, speaking as a security guy, the biggest concern for companies when it comes to accepting the use of personal PCs and mobile devices in a work environment is security. The 2011 ISACA IT Risk/Reward Barometer found that over 58% of U.S. security professionals view mobile devices owned by employees as posing the greatest risk their organization faces. This is particularly true of businesses that operate in healthcare, finance, or other fields that fall under compliance requirements such as HIPAA, SOX, GLBA, or PCI-DSS. Every organization has a duty to protect sensitive company and customer data, but those governed by industry or regulatory mandates face fines, or even possible jail time, for failing to do so.

There are some solid reasons for organizations to at least consider adopting BYOD. Compliance mandates and security issues are two large hurdles businesses should be aware of, though, when weighing the pros and cons of BYOD. As highlighted in the feedback shared here, even if those issues are managed, BYOD can go down a path that neutralizes the benefits and turns into a source of employee dissatisfaction. Don’t let that happen in your organization.

About the Author
Jeff Jones

Principal Cybersecurity Strategist

Jeff Jones is a 27-year security industry professional who has spent the last decade at Microsoft working with enterprise CSOs and Microsoft's internal teams to drive practical and measurable security improvements into Microsoft products and services. Additionally, Jeff analyzes vulnerability trends