An employer's guide to BYOD pt2
Companies must think about the security impact of pushing data on to devices, says Simpson, and ask themselves what would happen if it got into the wrong hands or was compromised. Regulatory issues posed by the Sarbanes-Oxley Act and Basel II accord need considering.
"A simple step would be to add another level of authentication to apps that contain secure information so the end user has both a passcode to open their device and another to open the application," he says.
"You can also put encryption on to the data so the data being transferred across is encrypted and held on the device in an encrypted way. Equally if a device is lost or stolen, have you got the ability to lock down that device or kill the information that is on there so the device is safe from prying eyes?"
That extreme level of security, where a company has the ability to lock down and wipe a device owned by the employee, means the organisation must clearly communicate its BYOD policy in an acceptable user policy, says Garlati. "We now have a situation where IT owns the data but the employee owns the device. This has never happened before because the device has always been a corporate asset. The acceptable user policy has always been treated as corporate use from a corporate device of corporate data. Now a company is trespassing on someone else's property the moment they get into your device."
This agreed policy between employees and organisations, explains Simpson, needs to make employees aware of what standards are expected and what can happen. "That may be about enforcement of password settings, reporting what happens with compliance on the device or understanding what happens about locking and wiping the device," he says. "It also could be about how much of the device does the organisation have control over? If you've got a 16GB device you don't want the organisation taking 15GB of that and only leaving you 1GB for a game."
SAP, which is testing a BYOD programme for smartphones and tablets among employees in a number of countries, has policies in place around the company accessing private data on the device and what users can and can't do with the devices. "We've drawn the line at the data stored on the device, so that would include photos, but it wouldn't mean going through their apps to other applications such as Facebook and Twitter," says Simpson.
The line which enterprise and employee can and can't cross on personal devices must be made absolutely clear in the policy documents – even when those stretch to 24 pages and simply require an agreement box to be ticked.
"The company needs to be able to show a court that they did everything possible to make the policy understood to the employee," says Garlati. "You cannot change user behaviour unless you help them understand what is in it for them."
The vast majority of BYOD usage is spent accessing email, calendars and contacts lists, and it is here where companies are most likely to see productivity gains, argue our experts. "Without a doubt the biggest app for mobile devices is email. If you are going to have a mobile device you need to have the ability to connect to my [the business's] email and calendar system," explains Simpson. "It brings good productivity benefits because it means you are more connected to what is going on within the organisation or with your customers or suppliers."
Garlati says there is no question that employees checking their email during the evening commute, at home or at weekends are working more, and counters the argument that corporates already achieve that with company-issued devices. "Corporate IT deployment of mobile devices is never horizontal, which means that it doesn't actually affect 100 per cent of the employee base because of the cost," he says. "By relying on consumerisation this increasing productivity is much broader and extends to all."
Employees, he adds, are more likely to use a mobile device if they own it. "Imagine you're at home updating your Facebook page on your iPad and receive an alert that a new corporate email has arrived, you are likely to read it. If the same happens from your [work] BlackBerry you may turn it off."
Going beyond email access to other corporate applications is dependent on the vision of the organisation adopting the BYOD approach, says Simpson. "Apps that you want to provision out on to devices can vary from linking into a workflow system to people inputting their expenses, travel receipts or timesheets – anything that requires input from the employee that you don't want to limit them to being on their laptop or in their office. Those kinds of things are quick wins."
What are the costs?
From an organisation point of view, says Simpson, a big driver of BYOD is cost reduction. "If you can reduce the amount of assets you are managing yourself because you are not purchasing and managing the devices and the phones, then that can be seen as a cost-saving. The disadvantage is that mobile infrastructure is going to become more complex because to a certain extent you have less control over the organisation."
When things start to go wrong and employees can't send emails or open attachments, do they turn to their phone operator or corporate helpdesk? "There is evidence that the calls or tickets to helpdesks generated by devices and technology not owned by the enterprise are three or four times more expensive than the equivalent tickets generated for known technology," says Garlati.
"If the mobile device is provided by the enterprise, there is training and documentation associated with that, and plenty of tools that can remotely allow the helpdesk to remotely access the device and change the configurations."
Companies looking to adopt BYOD need to balance the cost of setting up and securing a platform against the costs they incur from purchasing and maintaining the devices already, says Simpson. "The choice is how much do organisations want to control themselves versus how much they are willing to pass on to the employees. It may give them the flexibility but always comes down to cost and the security risks.
"BYOD requires some thought from organisations but that shouldn't necessarily be a scary thing to consider because the end goal could be happy employees, secure information and a lower cost base overall."
Companies will have to swallow the cost of extending this user experience even if they don't have an appetite for the change, says Garlati. "From a corporate perspective BYOD is like paying taxes, it's a cost of doing business."
Ultimately, it's up to individual businesses to work out if the risk of embracing BYOD and the cost of managing this new user network result in higher employee satisfaction, productivity and wealth creation.
This article originally appeared on our sister site BusinessZone, the UK's leading resource for SMEs and entrepreneurs