5 ASPECTS TO CONSIDER BEFORE IMPLEMENTING A BYOD POLICY.
As organisations increasingly adopt a BYOD policy in the workplace, IT departments are realising that a ‘wait-and-see’ approach may no longer be viable.
32% of organisations are providing technical support for employee-owned smartphones**
37% of organisations are providing support for personal tablets**
44% of organisations are supporting employee-owned laptops**
A BYOD policy can range from minimal support for personal devices to formal, written agreements detailing which devices and applications can be used. As such, organisations will need to consider 5 main aspects before deciding whether or not to adopt a BYOD policy.
his article explores these considerations and how they may impact an organisation’s decision to engage in a BYOD policy.
The BYOD Market
There is no doubt that the BYOD trend has exponentially continued to increase over the years with Gartner releasing a survey that shows “32% of organisations are providing technical support for employee-owned smartphones, 37% are providing support for personal tablets and 44% for employee-owned laptops” (Future of Work Enabled).
Although many organisations know that the BYOD market can be divided into three categories, what they don’t understand is the differences between these divisions (Network Computing). The three categories include:
Mobile device management (MDM): this usually involves managing the actual device. Capabilities of MDM tools include discovering and provisioning devices, backing up data and remotely wiping the hard drive off the device.
Mobile application management (MAM): here, a third-party product is required to manage what applications users can download and what data those applications can access based on predefined rules. Additionally, MAM products can push out software updates when they are available.
WLAN access control: this involves enforcing access controls on mobile devices that connect to the corporate wireless network.
5 key considerations to be made when deciding whether to implement a BYOD policy
1. REASONS FOR IMPLEMENTING A BYOD POLICY
Organisations should not implement BYOD policies just for the sake of keeping up with the growing trend within the market. It is important to have a clear understanding of what the organisation wishes to achieve and how a BYOD policy will assist in this.
The most common misunderstanding is that by allowing employees to use their personal devices, the company is able to save on hardware costs and service charges. However, what most companies don’t realise is that these savings are often offset by other costs including license fees for MDM services, infrastructure costs associated with streaming videos on tablets, and personnel expenses associated with managing the BYOD program. As such, cost savings should not be the main catalyst for implementing these policies.
Instead, organisations should focus on the vast benefits that BYOD programs provide as the basis for their reasoning. One of the main reasons for implementing a BYOD policy is the idea of user satisfaction. By allowing an employee to bring their own device to work while providing adequate support for these devices, organisations provide a higher level of reliability, privacy and security for the employee. Keeping employees satisfied will boost employee morale, allowing the organisation to retain their employees for longer periods of time.
Allowing employees to utilise their personal devices at work can also assist in increasing productivity. Giving virtual access to employees on a platform that they are more comfortable with using enables greater flexibility as they are more likely to work out of hours to accommodate the needs of or be more responsive to their customers. By engaging in a BYOD environment, organisations offer a more convenient alternative than supplying company-owned devices as the employee will only need to carry one device with them. An additional benefit of this is that people are more likely to be self-sufficient in fixing glitches with their own device, placing less of a burden on the IT personnel.
2. BYOD POLICY INCLUSIONS
Every BYOD implementation must be coupled with the execution of a policy that describes how the BYOD program will work. Organisations will need to think about what to include in this policy before making the final decision to engage in the BYOD trend. The policy must provide definition for employees so they can understand what can and cannot be undertaken with their devices, how the company can manage these devices and what will occur if someone violates
the policy.
Drafting the policy should be the responsibility of employees from multiple departments within the company so that the best possible agreement can be crafted. The policy will need to cover which device types and applications IT will support and what “acceptable use” of the device means, as well as, detail which management and security software the company
can place on employee devices. If a company decides to limit data storage on the device or allow ‘remote wipe’ capabilities within the software to enable the IT team to clear all data off a lost or stolen device, this needs to be detailed in the policy.
This brings about the issue of creating a clear distinction between the work and personal lives of employees. To effectively deal with this, the IT department can provide virtual partitions or folders that separate company applications and data from the personal side of the device. Again, these would need to be highlighted in the policy.
“All BYOD policies should cover concerns such as operating system versions, software that is installed and run on the mobile device, who is responsible for backing up the device (the employee or the IT department) and what happens if the device is lost or stolen,” commented Kareem Tawansi, CEO of software development provider, Solentive Software.
3. COMMON ISSUES AND CONCERNS ASSOCIATED WITH BYOD
Although the BYOD movement has gained traction, organisations are still hesitant to move to a complete BYOD program until the common issues and concerns are dealt with. Before deciding on whether or not your organisation would benefit from BYOD, the following issues should be considered:
The clash between security and personal data: For example, if a device is lost or stolen and IT completes a remote wipe, the employee’s personal data is more likely to be lost.
Legal concerns: including insurance, software licensing and anti-discrimination laws • Anti-discrimination – A BYOD program often neglects to take into account part-time workers or those who work remotely which brings about the issue of discrimination. • Insurance – Organisations may need to extend their insurance policies to cover user-owned devices or may pass the cost on to their employees. • Software licensing – Legislation around IP ownership is difficult to manage when the IP is remotely held on devices that the company no longer owns. Therefore, the company must ensure that they are frequently reviewing software licensing arrangements to ensure terms are not breached.
Security issues: If an employee’s mobile device becomes infected with a virus, it may attach itself to internal networks, spreading the virus on the corporate network. Additionally, if IT does not limit the data sharing and storage on employee owned devices, sensitive information may leave the corporate network.
Configuration issues: With the large array of devices on the market, the organisation will need to set out the devices that will be supported. Otherwise, IT will have too many different configurations to support.
4. RESOURCES NEEDED TO ENSURE SUCCESSFUL IMPLEMENTATION
Organisations need to be aware of the resources that will be needed prior to, during and after the implementation of the BYOD program. Due to the ever-changing and evolution of the technological landscape, a BYOD policy will need to be more like a living document, rather than a static policy. To keep up-to-date with these changes, policies will need to be reviewed and employees will have to be kept informed of these changes.
Additionally, training sessions will need to be conducted for the initial rollout of the policy to ensure that employees understand what they are agreeing to and to detail what will happen if a violation of the policy was to occur. During this session, employees will also need to understand that IT might put software on their devices, manage some applications, and remotely wipe the device clean if needed.
“It used to be that people were always complaining that they couldn’t get access at home, couldn’t use all their applications, but now we deliver a package of software which gives a very secure window into Suncorp. And when you bring your Mac into work, the system will recognise you again, but the only difference is that it will recognise that instead of remote access you are now on the Wi-Fi network.” Paul Cameron, Suncorp’s head of enterprise services (BRW)
During the implementation of the BYOD program, each department will have a specific role. The IT department will need to “validate employee devices to ensure they meet company’s standards, install security and management software, meet face-to-face with the device owner to review the policy, establish user permissions, set up password protection, and
provide ongoing support and device management” (Future of Work Enabled). HR departments would be involved in outlining which employees or departments will be permitted to use employee-owned devices and then decide on the consequences relating to a violation. Since a potential consequence may be termination, legal departments will also need to be involved. Enforcement of the BYOD policy will fall on an employee’s manager.
Resources, including education, training and communication, play a major role in the successful implementation of BYOD programs. As such, an organisation must ensure they have the necessary resources and are willing to dedicate these to the implementation and ongoing maintenance of the policy.
5. EMPLOYEE REACTION TO BYOD POLICY The main reasoning behind delaying the move to a BYOD program is the reaction of employees. Since BYOD creates an overlap between the work and personal lives of employees, employee reaction is a key determinant of whether the policy will be successful or not.
It is important for a company to consider protecting the personal data on the employee-owned device, except in cases where there may be legal liabilities for the company (e.g. illegal file sharing).
To enable a positive employee reaction to a BYOD policy, many organisations have utilised an “entrepreneurship program”. This involves forming a committee that reviews BYOD requests from an employee detailing why they think their device would make a good business case. If, over time, the business case works, the employee may be offered a percentage of the money saved or made (Future of Work Enabled).
Conclusion When deciding whether or not to implement a BYOD program, it is important for an organisation to consider all aspects of how the program may affect the company. It must be noted that a “BYOD plan requires a human element that includes a combination of communication, training, management, enforcement and justification” (Future of Work Enabled). To get the best out of the BYOD program, an organisation must ensure that they are willing and able to utilise all of these aspects.
Before embarking on implementing a BYOD program, organisations should firstly weigh up the benefits and the key considerations that need to be made as it may be the case that BYOD may not be suitable for an organisation.