Before You Implement BYOD: What Organizations Need to Know

09 December 2014

IT Security, Policy Development

Bring your own device (BYOD) is a topic that every organization is either discussing or trying to implement today. The concept of BYOD is that employees are allowed to bring their personal mobile devices (smartphones, tablets, laptops, etc.) to work and use them to access company information such as email. This can be a complicated initiative to undertake for an organization of any size, for a variety of technical and non-technical reasons.

Organizations need to consider what requirements they will place on employees from a security and acceptable-use standpoint. Are people allowed to access all of their relevant corporate data or only their email? If the organization uses a cloud service such as Dropbox, are employees allowed to access sensitive information on their personal devices? If an organization doesn’t have a clear understanding of what data it possesses and who owns the data, then these types of decisions can be even more difficult to make. Most organizations have a mix of employees, consultants, and clients who have a need for some type of access to corporate data. This scenario requires the organization to implement a variety of data management policies for each group.

Additional things to consider are how the organization’s IT department should manage these personal devices and their level of responsibility. The easy part is configuring the devices to access the data. The challenging part is developing and implementing mobile device policies and monitoring and controlling these types of devices. There are several mobile device management applications available today that streamline this process and give the IT department greater control, but employees may not be comfortable with this level of access. These applications are only effective if an organization has well-thought-out BYOD policies in place.

Organizations should also consider the legal implications of allowing employees to store corporate data on personal devices. Depending on the industry, an organization may be required by law to retain records for certain periods of time or possibly ensure that sensitive information is completely destroyed after it is no longer needed. BYOD presents a unique challenge to organizations that fall under this scenario.

In spite of the complexity of some of these considerations, organizations can realize significant benefits from allowing employees to BYOD, including increased productivity because employees always have access to data. BYOD also allows employees to select the best mobile device for their needs instead of having their choices dictated by the organization. Salespeople likely have different needs than engineers, for instance, and they can select the best device that meets their requirements. BYOD also cuts organizations’ costs.

Of course, there are also disadvantages of implementing a BYOD environment that affect a variety of functions within an organization. The IT department needs to clearly define where their responsibility begins and ends when it comes to device support. Employees may not understand that certain applications are not supported by IT. Another potential issue is that the cost savings of not providing employees with devices may be offset to some degree by the need to purchase mobile device management software and training for the IT department. Another often overlooked disadvantage is that employees who are always connected don’t have any downtime to decompress and reenergize outside of work. Some managers may assume that if they are allowing BYOD then the employees have no excuse for not constantly checking email or responding to calls. This can have a significant negative effect on morale.

At the end of the day, most organizations that embrace BYOD implement a hybrid approach of corporate-owned mobile devices for accessing particularly sensitive data and employee-owned devices for less sensitive data. An organization’s BYOD strategy should be developed and tightly integrated with the organization’s overall cyber security program.

COMPASS has developed a methodology to assist organizations with developing a customized, cost-effective, and practical approach to cyber security that includes BYOD strategy. This approach combines the discipline of project management with the latest cyber-security technology and data-protection best practices. In today’s hyper-connected world, every organization is just one data breach away from being a leading story on the news and social media, which can severely damage its reputation and brand. Find out how to protect your organization and develop a customized BYOD strategy. Contact COMPASS to discuss your organization’s BYOD needs.
