It’s time to do it. You’ve been putting it off. You hoped you could avoid the situation altogether. But for whatever reason — maybe the CEO got a new smartphone for Christmas and he’s been dying to use it for work — it’s time to set up a bring your own device (BYOD) policy.

Indeed, BYOD is beginning to move from being a privilege to a requirement. Gartner Inc. predicts that by 2017, half of employers will require employees to supply their own devices, writes Lynn Greiner in Financial Post. In fact, 38 percent of companies expect to stop providing devices by 2016. (This does raise the question of what employees are going to do between 2016 and 2017.)

Some organizations believe they need to have a BYOD policy to attract and retain millennials, nearly two-thirds of whom use a personal device or app at work compared with just a third of Baby Boomers, according to CIO. Chances are that it won’t be possible to get them to stop using their personal devices at work. Faced with the choice, companies are deciding they’re better off working out a way to use personal devices more safely rather than trying to persuade employees not to use them for corporate data. “Prohibition does not work,” writes knowledge management specialist Bill Ives. “People will do a work around if there is a desire for a service or product.”

Perhaps your company thinks it’ll save money on the deal by having employees supply their own smartphones rather than use company-supplied ones. In fact, some studies have shown that companies can save more than $3,000 per employee. But that’s not necessarily the case, according to Greiner. “The potential savings from employees absorbing the price of phone and rate plans (if indeed they do; some are subsidized) can be eliminated by the additional management costs,” she writes. “And those costs are growing; ABI Research predicts that global expenditure for mobile security management will almost double the 2013 total by 2015.”

Some organizations are also looking at the notion of “COPE,” or corporate-owned, personally enabled devices — that is, devices the company owns but that employees are allowed to personalize with their own apps. This can end up saving companies money over BYOD. “Financially, if a business adopts BYOD and reimburses its employees for their devices, or for their rate plans, the business loses because it ends up paying full retail price for the devices, and consumer prices for the plans,” Philippe Winthrop, global mobile evangelist at CSC — who came up with the concept of COPE a few years ago — tells Financial Post. “Conversely, when the business owns and manages the devices, it can negotiate substantial discounts on both devices and plans that may chop those expenses by up to 70 percent,” he says.

The biggest issue with smartphones — any of them, really, but particularly for BYOD — is security. While some early BYOD policies focused on protecting the device, in practice, devices are going to get lost or stolen.

Instead, the focus is shifting to protecting the data — after all, that’s what the company owns. What are ways to protect this data? Focus on setting the device and applications up so that employees are using data on storage or cloud resources the company controls, rather than the employee’s smartphone — which also helps take care of the versioning problem of having multiple copies of the data.

For corporate data, encrypt it, require a password from the phone to gain access to it, log when the data is accessed, and don’t let employees download copies of corporate data to either their own devices or to cloud storage services such as Box or Dropbox. This also helps reduce the electronic discovery problem of obtaining corporate records from the employee’s device in a legal situation.

Also encourage employees to save personal data in the cloud to ensure someone doesn’t lose their baby pictures if the smartphone gets lost and IT has to wipe it. And make sure employees know that they’re supposed to alert the company if their device is lost or stolen.

Remember, too, that even though it’s an employee-owned device, the organization can still stipulate its use if it’s going to be used with corporate data. For example, you can require BYOD users to run a particular security app on their devices, writes Don Reisinger in eWeek.

Finally, keep in mind that security doesn’t end when the employee stops using the device or stops working for the company. In the age of increasingly disposable phones, it’s important to ensure that there’s a policy for end-of-life for the devices, even if they’re bricked or otherwise dead — you never know what enterprising person could resurrect them, writes David Taber in CIO. To enforce this, your company may need to agree to purchase the devices, he writes.

You don’t want to find this out the hard way next year after the CEO gets a new smartphone next Christmas.

Related Posts