5 Ways to Avoid BYOD Nightmares


byod

Ten or 15 years ago, managing your information technology was simpler in one sense.  A company decided on its computing environment -– its designated operating system, devices and software –- and that’s what employees used.  Period.

But then along came the BYOD trend.  BYOD, which stands for “Bring Your Own (computing) Device” to work, has swept America in the past five years.  Employees got used to using technology in their personal lives – so much so that that they didn’t want to give it up when at work.

We all seem to want the flexibility to work from home and while on business travel, using devices we individually feel comfortable with.  And of course we all want to use the coolest new mobile devices rather than staid company-issued laptops or desktop computers.

If your business is like ours, you’re now under pressure to allow employees to use their own smartphones, tablets and laptops for work.   A study last year found that 95% of large companies surveyed allow employees to use employee-owned devices for work.  It’s now become ingrained in the workplace.

The BYOD trend has benefits, to be sure.  It makes for happier employees.  They can be more productive while working outside the office.

BYOD Trend Challenges for Small Businesses

But the BYOD trend also poses extra challenges for businesses:

Control – One obvious thing is that it is harder to control your IT environment.  With companies relying more on technology to conduct business, there’s simply more to manage to make sure everything works as seamlessly as possible.  Top that off with employees using a variety of devices and operating systems … and complexity multiples.

Personal vs. Work – Then you have the morphing of personal activities with work activities when people use a single device for both.  The question becomes how to partition them. How do you keep personal email separate from work email in a way that employees don’t resent, and that protects both the company and the employee?

Mobility – Your team may work from different locations, such as their homes, or they may simply do more work while out in the field or on business trips. They will be using mobile devices and that brings added challenges. Mobile security is one of them – and that can be as simple an issue as a tablet getting lost.  One honeypot study found that when mobile devices where intentionally lost, in almost all cases the data was accessed, either for illicit purposes or simply to discover the owner.  If a mobility-related incident resulted in losses, the average was almost $250,000.

Security – Small businesses in general face more IT security challenges than ever before.  According to one study, companies with fewer than 250 employees were the focus of 31 percent of all cyber attacks last year.  And with so many different devices, and so many of them being mobile devices, security concerns are multiplying.

byod

So, What Can You Do?

A lot, actually.  The most important thing is:  do not turn a blind eye to BYOD devices.

Recognize that the IT environment is very different today.  It calls for new policies, employee education, adoption of up-to-date best practices, and last but not least, implementing device management tools and other technology solutions designed for a BYOD environment.

Here are 5 steps to take to operate in a BYOD environment:

1 .  Require Notification

The whole idea behind the BYOD trend is giving greater freedom to employees. However, there are ways to achieve a sense of freedom, without abdicating control altogether.   For one thing, make it a policy that all devices have to be “registered with” or brought to the attention of your  IT administrator or any outside firm that assists you with IT, so that device management solutions can be enabled.  Some employers exert more control by creating a list of  “approved BYOD devices.”  While this poses some restrictions on employees, at least it meets them halfway.  You have to know who is using what.

2.  Adopt Best Practices

For instance, require mobile devices to be secured with a password-protected screen lock when not in use.  Also, require employees to notify the company immediately in the event a mobile device is lost or stolen.  These and other best practices will help protect your business.

3.  Create a Policy

With freedom comes responsibility. Create a written BYOD policy for employees. This could be in the form of a memo, incorporated into the employee handbook, and/or placed on the company intranet.  Make employees aware of what is acceptable, and what’s not.

4.  Educate Employees

Take the time to educate employees about the challenges and risks.  You’ll get more cooperation if they understand the “why” behind rules.  A lunch and learn session or simply bringing up the topic in staff meetings can go a long way.

byod

5.  Implement a mobile device management solution

This is probably one of the most crucial things you can do.  A mobility management solution gives you a way to manage multiple devices and applications, from a central dashboard.  It enables you to view the “big IT picture” and treat BYOD devices as integral points in your IT systems – not something separate or unrelated.

Look for one that offers robust security and that protects important company data.  Security certainly will be at the top of the list.  But you also want the ability to monitor and manage mobile devices.

Beyond that, some mobility management solutions can help you manage expenses, too, through consolidated reporting.  You can manage different devices and different plans through a single dashboard.

Advanced security specifically for mobile devices, such as capabilities for remote wipe of data in the event a mobile device is lost, and data encryption, can create peace of mind.

Data archiving solutions can also add to convenience. They help you meet disaster recovery and legal archiving requirements, and further secure your IT assets.

Bottom line:  there is a lot you can do to allow employees the freedom and flexibility to use devices they prefer.  You don’t have to sacrifice protection of your business assets or create an unwieldy logistical situation in doing it.

Shutterstock: BYOD Message, Mobile, BYOD at Work

42 Comments ▼

Anita Campbell Anita Campbell is the Founder, CEO and Publisher of Small Business Trends and has been following trends in small businesses since 2003. She is the owner of BizSugar, a social media site for small businesses.

42 Reactions
  1. Why implement an MDM when what you’re most concerned about is the corporate data?

    Why have the ability to wipe their entire device including wedding and baby photos?
    Let the employee have angry birds and facebook.
    Focus on controlling what matters to the company – company data and company time.

    Corporate data is what counts – email, contacts, calendar, files. If the business selects an app(s) to provide the user with any company data, be that from an ECM, CRM, fileshare, then only select one that allows the admins to control data leakage, audit data access, keeps data out of the cloud, and integrates with all the internal corporate file repositories in a way that doesn’t require the users to change their work processes to get the data onto their device.

    • Thanks, Bruce, for your insights. The issue on that point is protection in the event a mobile device is lost or stolen. I wasn’t suggesting that companies should just take control in other situations.

      There are many points to consider when choosing tech tools to manage BYOD … and a short article can’t address them all. The article is really aimed at raising awareness.

      We’ve recently implemented quite a number of technology services and tools for our IT infrastructure. I wasn’t even aware some of those services and tech tools even existed until we started reading up on them.

      – Anita

    • Bruce,

      I agree about your remark on the cloud. I am working in the cloud, yet my fear of privacy leaks and lose of control over my data makes me adopt the hybrid strategy – I actually backup my data locally, not the other way around 🙂

      BYOD might be a real headache, but Anita’s #3, policy, is probably the most important of all.

  2. Great article to recognize the value and importance of securing data in the context of BYOD.

    Businesses thrive on collaboration. However, security and collaboration are mutually exclusive goals. As mentioned by Bruce F., an alternative is to adequately secure the data, not just the device.

    An effective IRM solution achieves twin goals of collaboration and security. It allows people to collaborate outside of the perimeter on any device or platform while keeping information secure through usage rights.

    • Hi Vishal – thanks much for the input.

      Security is a big concern for business owners.

      One of the biggest concerns I have is email accounts being accessible on lost or stolen mobile devices.

      We recently went through an issue when one of our team members had a Yahoo email account hacked. Email is a vulnerable point, because if someone gets into a device and gets access to your email, they can initiate password resets and in that way get into important business systems. So as a result of that, 3 people on my team had to run around for a total of 4 hours verifying that the Yahoo email address was no longer being used on any of our systems, changing passwords, verifying no intrusion attempts had taken place before we realized what happened, etc. In that case it was an old email address that she wasn’t even using actively any longer, but we did find a couple of social media accounts and, more importantly, one business system where it was still the email of record for those accounts.

      In that case it wasn’t so much a case of getting access to business data directly, but access to the email account that could be used to unlock access to cloud data and cloud systems.

      So imagine that it wasn’t a hacking, but her tablet with access to email accounts had been lost and someone got into it. Same sort of issue.

      All it takes is one point of weakness to put systems at risk. I believe in multiple layers and types of security, if possible.

      – Anita

  3. Martin Lindeskog

    Anita:

    I can relate to your story about an email account that could have been hacked. Directly you think about the consequences and how information could be spread into the wrong hands and places.

    Have you read about business cases with companies with best practices of handling the issue of bringing your own computer device to work?

    • Hi Martin,

      Someday I’d love to see us go to retinal scans or fingerprints for device login. It could solve a lot of issues. But aside from some HP laptops that use fingerprint scans, I don’t know of that many devices that have that sort of security, and we must deal with the here and now. 🙂

      Yes, I have read a number of use cases and studies about BYOD. It’s a challenge in our own organization. We use BYOD here at Small Business Trends, and managing things is interesting, to say the least. But people want to use what they want to use. Our CTO actually builds his own computers. We use iPhones and iPads, BlackBerries, Android smartphones and tablets, Windows computers and laptops, Macs — you name it, we got it.

      – Anita

  4. Great article. I think security is the biggest issue involved with BYOD. I think it is essential that companies have the ability to remotely wipe the device as you mention.

  5. I am a hopeless technophobe – to the extent that I am in the tiny % of the population who don’t own a mobile phone. However,I have become very aware of the BYOD trend and its problems. So much so that I have an investment in a UK quoted company called GLOBO plc which has morphed from being a Greece- based mobile phone business to one offering BYOD solutions. I mention this not to boost the stock ( its doing terrifically anyway ) but because anyone interested in the issue should look at their website which is really informative about the BYOD problems and how their software solutions operate.
    I have a question though – are they reasonably unique or are there a myriad of companies offering solutions?

  6. When it’s an employer-owned phone, and the employer pays for it, I can understand the employer having full access to it and being a stalker, monitoring and recording all e-mails, texts, web sites visited, apps installed, and phone calls the device is used for. However, I think that stepping in and demanding that employees give this kind of access to their own phones is a grievous invasion of privacy. Basically saying “you will be fired unless you let us look at your cell phone” is grossly and overly intrusive. At least if the company provides one, you then have the option as to whether you want to get your own phone for personal use.

    While it may create “peace of mind” for the employer to be able to spy on all of their employees, I think it does the opposite for the actual employees- it makes them feel like prisoners, or that their corporate big brother is always watching. And do you really want to take the risk that some guy from IT will use it to start stalking Janice from accounting, now that he can literally track her with her phone’s GPS, log in to her dating website, read all her e-mails, read all her texts, record all her phone calls? It could lead to sexual harassment lawsuits.

    If an employer has a special app and its access and power is limited to just that app, that’s one thing- but the reality is that people will be using word processing etc apps as well, so I doubt it would ever be confined to just that one app.

    With these types of invasive policies, you would find that employees would even lie and say that they don’t own a cell phone, rather than be forced to allow their employer to stalk them. In light of that, the better policy that respects employee rights is to give employees choices from among the most popular phones / tablets (iPhone, iPad, Samsung Galaxy, a Samsung tablet, Windows Phone, Surface tablet, and the legacy Blackberry phone) (that way everyone still gets to use what they want, which I think is the point of this article – how to adequately secure company data without forcing employees to use a device that they don’t prefer) manage the data as you said, notify everyone up front that the company monitors all activity on its phones/tablets, tell them they’re allowed to have a personal phone / tablet at their own expense as long as they don’t put company data on it, and advise them of the other rules.

    • Hi Tom, The goal isn’t to spy. Employers need to take care to “partition” such devices to address only the part used for work purposes.

      You took words out of my mouth and turned them around. “Peace of mind” isn’t coming from spying. It comes from knowing your information can be secure.

      Some small businesses never recover from intrusions — the losses are too much for them. That means employees would be out of jobs. That certainly doesn’t help the employee. I enjoy providing employees with employment – it’s one of the things that motivates me. I am not motivated as a business owner by spying. I just want to protect everyone’s interests.

      – Anita

      • the problem is, we work in a society now where HR folks are actually DEMANDING people hand over not only the name on their FB account, but also the LOGIN info so they can thoroughly check them out. and if you say you DON’T have a FB account (like my anti-social hubby) or you refuse, then YOU don’t get the job.

        So frankly, trusting the company i work for to NOT abuse the BYOD system isn’t going to happen. Corporations have PROVEN they will go above and BEYOND to find new ways to control, harass, and bully their workers.

        So you can go on blindly believing that YOUR point is the company being able to protect itself… but I WATCHED a supervisor FORCE someone to log into their FB account so that he could SPY on another co-worker’s weekend, off the clock activities. Your point might be valiant. But the point of the company/corporation will NEVER be so honorable.

        Giving an employer access to abuse my privacy is NEVER EVER EVER going to happen.

        Sorry.

      • People don’t need to or shouldn’t use company time for FB or Angry Birds or anything that doesn’t have to do with work. That is simply time theft and cause for dismissal.

    • Tom, You took the words wright out of my mouth. I use my work devices for work, and my personal devices for my use’s, and every body’s happy. Also, if you think your employer doesn’t snoop or spy on you. Well the USA Gov. is innocent of all spying accounts.
      Remember the guy sitting in Russia, in the airport. Avery small part of me is cheering him on, and a bigger part wants to crush him.

    • If a company gave employees a choice of leading technologies, BYOD would never have become the trend. BYOD only exists because companies do not provide latest technologies. With that, BYOD gives employees a chance to use what they want. But now the company is faced with the issues of all the rogue devices and how to enforce business rules.

      If you want the benefit of the using the technology you want, then you have to submit to the rules. If you don’t want the company to but their security on you device….the answer is simple. You get to carry their flip phone in one pocket and your smart phone in the other.

      I’ve yet ato here of a company that had BYOD as a requirement for the job. I suppose there are some that given allowance or expense report item and ask you to buy your own phone. But even then, since they are paying for it, I would still say they had perfect expectations to ad their security.

  7. WHAT TOM SAID!!!
    I would also like to ad that maybe its time for companies to take a step back (in moving forward). Meaning that they may want to consider limiting work computers Internet access when working on company specific or sensitive data. Keeping internal files and mail just within the companies walls and OFF the Internet.
    I think a lot of Internet intrusions are not REALLY linked to nessasary Internet usage. But more likely recreational usage done on company time. Which I’m not against, but that recreational usage should be reserved for the employees personal devises, not the company computer in the first place.
    Yes it’s true many more are working out of the office but usually it’s not “work related” activities or “work related” computers that get lost or broken into. It is the personal device.
    I believe we would be better off keeping employers out of employees personal lives…and keep our personal lives out of work.
    If we REALLY need that awesome device to do our jobs…the company should provide it and monitor it.

    • I woul also like to ad. That as much as I love technology I really hate it when it’s used to violate an individuals personal rights and freedoms. Ocular scans and DNA profiles are CERTAIN to be mis-used. I mean come on, you can’t even keep company “data” safe from intrusion…no need to put a persons most sacred information out there. Being an employee shouldn’t mean being a slave to intrusion.

    • Hi Ba,

      Thanks for your input.

      First of all, I would not want any business owner to get the idea that BYOD is about spying. If any business owner reading this thinks that, they should clear that out of their minds right now. Spying on your employees as an employer can get you into all sorts of trouble — not the least of which is that it erodes employee trust. Your comments alone should demonstrate to any business owners that spying is not a good move.

      Having control over company data doesn’t need to involve and should NOT involve spying on employees. Companies should be concerned ONLY with employer data, and not be able to see personal data.

      So in that respect — about spying on employees being an absolute No-No — I agree with you 110%, Ba.

      – Anita

      • Yeah To Be Sure!.

        You are definately preaching to the quire, And its impossible to lecture to people about internet security you cant tell them it isnt Kiddie hackers anymore but major and serious crime people as some gangs make more money in a year off Internet thefts thatn they do from drugs!…. I told one group that laughed at me: Its not a case of your password but they also know when your wife is home alone, Or when your kids are dropped off at school, And when I told them that they quit laughing, Now my business switched to Linux just to beat hackers tho its nice not to pay Microsoft license fees anymore either cause if your still running Windows you are BEING hacked, And its UNBELIEVABLE the number of people who are still transmitting in the clear or using Open Wifi without a password, And at least use a few numbers in your password to give yourself a fighting chance but oh the Dummies out there!, Harold from Detroit…..

  8. There’s really very little grounds to complain on privacy here. BYOD isn’t a requirement for employees who own a mobile device, it’s an option. And if you CHOOSE to use your personal device to access sensitive and valuable company data, part of the deal is giving the company control over certain aspects of the device to protect their assets. If you are personally not comfortable with it, don’t volunteer.

    My stance would be drastically different if the company required BYOD, but I’ve never heard of that. Companies should also have a current agreement for employees to view detailing the control and monitoring that takes place, so employees can make an informed decision.

  9. Harlowe Thrombey

    I would never allow my employees to use laptops for work so long as a REAL computer is available, where the usage of a real keyboard with real keys, and a real mouse, creates the possibility of up to 90 WPM being typed.

    You show me a laptop user, and I’ll show you a damn Slow worker.

    • I’m surprised you’re not still using phones with dials on them and manual typewriters.

      • Harlowe is currently accepting applications for telegraph operators as well. Hey Thrombey – FYI I can type 95 WPM on my laptop.

  10. Most important rule of all… do not hire anyone named “Snowden”!!…
    He (or she) will take your company info, and tell the world about it…

    • don’t need a Snowden, -big brother- knows long before him all your It secrets.
      and that is one reason i use work for work and private for private.
      not that there might be much difference, they also know my private usage, not that it bothers me as such.

  11. Not an issue with BlackBerry 10 devices and BES10. With the BlackBerry Balance, the device can be setup with two completely separate profiles that never interact with each other. The corporation can control the Work side (and put as many restrictions as they want, remote wipe, etc) while the Personal side operates like a device the employee would pick up off the shelf. It’s the perfect solution to the BYOD dilemma, allows the employer to control a profile while the employee can keep their personal data separate and do what every they like with the personal side of the phone.

  12. Thats something that should never be allowed. there a reason you dont mix business with pleasure. Any device used on a company network should be company owned and company managed. When you start introducing personal devices into a corporate infrastructure you are asking for trouble. Look what happened when snowden used personal usb drives with company infrastructure. those computers should have been locked down with a privileged account that required approval for every administrative change. if your not managing change control in a company properly, your risks greatly increase. and its the company’s responsibility and liability to own.

  13. Anita,

    the best idea seems to have devices available to employees that are company owned. I know one piece of hardware for work and the other for home. the integration of home/work is blurred when a employee chooses to integrate the two. it does not seem too cumbersome today to have a iPad/laptop/smartphone for work and another for personal. with the significant risks involved to the organizations that you pointed out it seems the employee supplied device for work related purposes is the best bet. What are you thoughts about the older model with today’s slimmer/lighter technology?

    Thanks

  14. I think the best way to handle this “problem” is not to worry about it at all. Small companies tend to accept employee owned devices because it offers equipment capital savings; employees like it, because they’re invariably less obsolete devices, easier to perform personal tasks with less monitoring, and when push comes to shove their employer can’t legally confiscate it. Pretty much everyone wins and, most of the time, nobody loses.

    I would rank any network and mobile device policies as a big mark against a company when evaluating them as a potential or continued employer. Haven’t worked for one with them yet, and I’m inclined to keep it that way unless there’s big money on the line to convince me otherwise. To me it’s a sign that a company doesn’t have their priorities straight.

  15. An owner's view.

    It never ceases to amaze me how people blatantly display their sense of entitlement. I own my own company and I do not allow personal devices at work. My employees use our equipment period. I give them the job, but it’s entirely up to them to keep it. I provide a locker and they provide the lock. If they want to use devices on breaks or lunch that’s fine, but if I catch them on a personal device during operational hours, they are terminated on the spot. I’ve only had to do it a few times and it sets a clear example for others to follow. If there is an emergency we have a company phone that their family can contact them at. Amazingly, production seemed to skyrocket when we introduced this policy. Now, every employee signs an agreement upon hire notifying them of the policy.

    Jobs are hard enough to find these days. Specifically a career that provide benefits and retirement. Some may disagree with my policy, and that is their right to do so. I personally consider it a slap in my face that my employee steals my time while I am one of the few that pays well and offers benefits. If your Facebook and tweeting is more important than your career or feeding your family then I have absolutely no sympathy to show you the door. There are many people looking for work and I am more than happy to provide the right few with the opportunity.

    • I see you point with you workplace. I believe the BYOD devices are more geared to organizations that require extensive travel and overnight trips. Other than that it seems just a large waste of time to have a BYOD discussion. I agree if i was looking for a place and if you use you own devices on my dime unless you have some important news coming in which you can tell me, then i as an owner have issues with it. Keep up giving good wages and retirement benefits, in the end you will end up with great employees and a more productive, efficient, and effective workplace.

  16. Would it be possible for patients to control their own medical records using BYOD?

    Would encryption be required?

    Are there other considerations?

    HButler@post.Harvard.edu

  17. This can be hard because you are basically requiring your employee to use their own device to work for you. The problem is really the lack of control not only in the product but also its maintenance.