Bring Your Own Device (BYOD) is proving to be a big challenge among business directors. Many employers are looking to the idea of their employees taking their own mobile phones with them to work, for use in the day job.
Last week, I attended two events, both of which featured BYOD as the subject of focus. The first of these was the Mobile Monday panel discussion: BYOD – A Faustian Pact? Held at Centre Point in London, the session was chaired by Copper Horse Director David Rogers, with panellists from companies such as Blackberry and Telefonica O2. The greatest aspect of the discussion was, in addition to the interesting points raised by the panel, the interaction between the panel and an audience that was one of the most active I’ve seen. It provided some stimulating talk, which was occasionally punctuated by an audience show of hands on questions such as “Do you regularly use mobile banking?”. What was surprising to me was that the majority of the audience raised their hand to that.
David Rogers (Copper Horse) chairing the BYOD panel at Mobile Monday, with Mubaloo's Gemma Coles speaking.
Event number two was an online webinar titled Mobile Apps - The Danger of Making Security an Afterthought. This time, David switched to the role of panellist to join fellow guest speakers from the likes of IBM and Sanofi as a discussion took place surrounding mobile app security.
The primary reasons behind implementing BYOD are to increase flexibility, improve productivity and reduce cost for the organisation by not having to purchase ‘work phones’ for staff. However, there are important issues for decision makers to consider. After attending these events, here are my thoughts on the subject:
- BYOD is a balance of trust – A big question mark before embarking on implementing the idea of BYOD is: do employers trust their employees enough? Employers must expect and believe that their staff are capable of using their devices to an acceptable standard at work, from the basics of refraining from making personal calls to not engaging in dangerous or illegal activities, or, on a more general level, by having the nous to make sure that their device is as safe as it can be from outside threats. However, this all comes down to a piece of paper: the policy that's written and implemented by the company and signed up to by the employee. In truth, employers are just giving in to the reality that their staff are bringing in their own devices anyway and the company has no control whatsoever.
- BYOD is a balance of separation between work and home life – One of the largest considerations for an employer is that their employees’ work and home lives do not intertwine to a great extent. Of course, this depends on the role. For some staff, normally lower down the ladder of employment, it is a case of when the clock hits 5pm, work for the day is over and can be resumed at 9am the following day. But for other individuals, be it company directors or those whose job requires them to be ‘on call’, work becomes more of a continuous element of their lives. For the former, having work-related emails and calls coming through at hours when an employee is meant to have finished work for the day is a problem that needs to be considered. So where is the line drawn between work and play?
- App permissions are a large consideration for employers seeking to implement BYOD – It’s not so much about what type of apps employees are downloading to their phones; it’s the permissions that the applications ask for upon being downloaded that are the problem. Your mobile number, contacts and location are just some of the many examples of types of information that can be gathered by a mobile app. And depending on the type of work an individual’s business carries out, employers may not be so keen to let users reveal particular data. There are data protection obligations too. Ultimately, the phone belongs to the employee, but there may be situations where restrictions need to be in place so that their work for a company isn't compromised. This needs to be addressed via remote mobile device management (MDM) tools, but is that too intrusive into the personal side of things?
- Policies: A simple one-time checklist or an ever-changing nightmare? – Whilst a BYOD policy outlines the rules set by an employer which an employee must abide by, a device policy addresses the issues of what features of the phone the employee is able to use - and this is a problem when it comes to BYOD. Employees' phones are all so different, suited on a work level for their particular role and on a non-work level in terms of personal preferences, e.g. the type of apps they download (and the sensitive access to features which come with them). So is it the case that tailored device policies are required, in conjunction with their phone settings, or is it possible to roll out a generalised device policy for all to agree to? Or is it a combination of the two, where a middle ground needs to be identified? Technology and the components of it are changing all the time, with mobile phone applications being updated regularly as well as the device, platform and browser software. So is it the case that an employee’s device policy needs to be looked at after every individual change? The word “impractical” springs to mind, particularly in a large organisation. But regular changes made to phones will include addressing security features from time to time, so whose responsibility is it to take care of security in BYOD?
- The responsibility of mobile application security is still ‘up in the air’ – Following on from the previous two points, a poll was taken during the webinar, asking attendees whether they believed the responsibility of mobile app security should be down to IT departments. Over 25% of the voters answered with the option that it is down to IT. However, the remaining voters disagreed, with the majority of those saying that responsibility should be shared across more than one area. In the area of BYOD, security is surely something that users should be involved in, but is it something that they are wholly responsible for? To have each individual employee notifying their organisation about updates to their phone and how it affects their policy again seems impractical. Overall, the responsibility is definitely something that in my opinion needs to be shared, but how and exactly who with remains to be seen.