
“Bring Your Own Device” (BYOD) is the policy of allowing employees to bring their personally owned devices such as smartphones, laptops and tablets to work in order to access private company information and systems. Since its origination in 2009 at Intel, BYOD has been quickly becoming a workplace technology trend. However, with this practice, businesses are potentially exposed to a new set of risks.

Executive Summary

BYOD provides an opportunity to increase employee productivity on devices they truly love while reducing the company’s mobile expenses, but the trend can potentially expose businesses to a whole new set of risks, says OneBeacon Technology’s Elizabeth Marazzo. Here, she advises that security, risk management, remediation and policy development should be considered before establishing a BYOD program.

While many believe BYOD will be the next big shift in corporate computing, there is uncertainty about potential implications for corporate Information Technology departments. How will data security be managed? Would IT be tasked with supporting every conceivable computing device? How will IT staff remain current on the latest devices? Yet, some organizations see this as an opportunity to increase employee productivity on devices they truly love while reducing the company’s mobile expenses.

A May 2013 report by Gartner, “Bring Your Own Device: The Facts and the Future,” predicted that by 2017 half of the world’s companies will implement BYOD programs and will no longer provide computing devices to employees. This report also predicted that about 15 percent of companies will never move to BYOD and about 40 percent will offer employees the choice of BYOD or company-provided devices.

Research conducted in November 2013 by HDI, an association serving the technical service and support industry, indicated an increased implementation of BYOD programs for both tablets and mobile phones. It also noted that organizations have implemented improved mobile device management systems with well-defined policies and are better able to keep up with the pace of mobile device innovation. This evidence reinforces the view that the industry overall is maturing in its support of mobile devices.

The Benefits

So, what’s fueling this trend? Put simply, employees love their own devices and prefer to use them. In turn, familiarity with their device is likely to increase the employees’ motivation and productivity. BYOD also eliminates the need to carry both a corporate and a personal mobile device. Companies benefit from this single-device approach as employees are “always available” and therefore respond more quickly to emails, texts and social media feeds. Furthermore, since BYOD devices are personal resources, they tend to be more cutting edge, so companies have the latest features and capabilities without having to pay for these upgrades.

The Risks

Emerging trends bring new risk exposures—and BYOD is no exception. Consider the following:

• Data Security: Security on the device may be compromised by infected data, attachments or apps, which may lead to infections or attacks on the corporate network. As well, data on the device could seriously compromise the company’s security if it fell into the wrong hands. Inappropriately stored passwords or a weak password could give a hacker or criminal direct access to the company’s corporate systems.

• E-discovery: Employers have a legal obligation to access critical data in the event of pending litigation. However, in a BYOD setting, the data may reside on personal devices. An employer attempting to access its corporate data on an employee’s personal device may face additional legal obstacles due to the employee’s inherent privacy rights.

• Personal Injury: If an employee sustains an injury such as repetitive motion or “BlackBerry thumbs” from the use of their own devices, is this compensable? Can they take action against their employer? How much of this stems from personal vs. corporate use of the same device?

• Data Corruption and Deletion: BYOD devices need to be updated to meet the company’s network security requirements, such as software patches and revisions. However, what if the employee is working on an important personal project—e.g., the great American novel—and it is inadvertently deleted due to a company-required software update? Can the employee take legal action against the employer for this information loss? What recourse does the employee have, if any?

• Revoked or Lost Devices: What happens when an employee sells or recycles a device, or their device is lost or stolen? Or what if an employee is terminated or leaves the company? The mobile device contains company information, but employees will always opt to retain their personal device. Unless the company has a policy in place, this presents potential data breach exposures.

• Compensation: BYOD programs make it easier for employees to work beyond normal working hours, thus presenting potential Fair Labor Standards Act (FLSA) exposures. FLSA requires employers to pay nonexempt employees at least minimum wage for all compensable time worked and to provide overtime pay for hours worked in excess of 40 hours a week. Generally, compensable time includes work such as responding to emails, time spent on tablets, smartphones and laptops to complete a project, etc. This may constitute compensable time for FLSA purposes which, if not paid, can lead to liability.

Employers who allow nonexempt employees to participate in the BYOD program can minimize this risk by incorporating timekeeping policies in their BYOD program to limit and capture time spent outside of the office or normal business hours and require employees to report all time worked.

Is BYOD Right for You?

Adopting BYOD is a company-specific decision that must align with the balance of the corporate culture and practices. If your organization decides to implement BYOD, risks will need to be managed effectively, including employee privacy. Adoption requires striking a balance between the company’s rights to monitor, access, disclose and “wipe” company information and the employee’s expectation of privacy and safeguarding of personal data.

Implementing a BYOD program that both companies and employees will trust requires careful planning and management, including establishing clear policies, putting appropriate safeguards in place and assigning accountability for oversight and compliance purposes.

• BYOD Policy & Procedures: Document and publicize the BYOD policy. The goal is enabling companies to exercise control over corporate and personal use while adequately protecting both parties.

• Mobile Security Expert: Designate a specialist to educate employees on security risks and help develop strategies for mobile security and risk mitigation, including mobile data protection.

• Access Control: Consider the use of robust passwords to log on to the device and to access the company network. In turn, ensure the network maintains logs noting who accessed the system, when they logged on, and the type of data that was viewed and transferred.

• Malware and Antivirus: Anti-malware software should be installed on personal devices to protect them against the latest viruses, Trojans, spyware, worms, bots and other malicious code. Another feature to consider is anti-phishing tools and policies to help prevent inadvertent visits to fraudulent websites that may try to steal corporate and personal information.

• Geofencing: This approach creates a virtual perimeter or boundary that lets employees use and/or play games but not during company time. This can also prevent employees from downloading high-definition videos that could clog up the company network.

• Mobile Device Management: With the variety of personal devices available, it may not be practical to manage these through the in-house IT group. Software is available to manage mobile devices through a variety of third-party vendors such as Airwatch, MobileIron, Citrix, Good Technology, IBM and others. These companies can deploy security agents onto each device, separate personal and corporate data, and also enable “selective wiping” of corporate data without deleting the employee’s data. Additionally, they can enable encryption on the devices, as well as protect data when a device is lost or stolen. Encryption is an excellent method for ensuring that any information or data stored on a mobile device is useless to thieves.

Conclusion

Regardless of whether you are already taking advantage of the BYOD trend or you’re simply thinking about it, make sure that you are fully aware of the risks and that you thoughtfully address any potential issues. Security, risk management, remediation and policy development should be considered before establishing a BYOD program. Once implemented, be certain to communicate the new policy and enforce available risk mitigation steps. This up-front investment will ensure that mobile expense savings can be fully realized along with a productive, appreciative workforce. This thoroughness will make it possible to turn BYOD into a competitive advantage.

This article is provided for general informational purposes only and does not constitute and is not intended to take the place of legal or risk management advice. Readers should consult their own counsel or other representatives for any such advice. Any and all external websites or sources referred to herein are for informational purposes only and are not affiliated with or endorsed by OneBeacon Insurance Group. OneBeacon Insurance Group hereby disclaims any and all liability arising out of the information contained herein.