Many employers now either expect or permit employees to use their own electronic devices (smartphones, tablets and laptops) for work. For company purposes, those devices need access to the company network and vice versa. This practice, known as bring your own device (BYOD), seems very much a part of an open information culture and the trend toward blending professional and personal lives.
There can be advantages for both sides. Employees would very often rather use their own devices. Employers would also probably be just as happy to skip the hassle and expense of buying, issuing, tracking and maintaining a lot of company equipment.
But simplifying the chore of equipment management may complicate information security. BYOD has significant implications for the security of employer data and the privacy of employee communications. It may not be the right choice for every situation.
How to Handle Employer Security
Of course, employers should hire carefully. Any employee with access to data can steal it or misuse it, even without electronic assistance; electronic access just makes it easier. The other concern with a BYOD policy is inadvertent damage. An employer must also be concerned with the possibility that employee-owned devices may be infected with viruses or other malware that could in turn infect the network.
For purposes of protecting the employer’s network and data, a BYOD policy should:
- Spell out which specific devices and operating systems the company will support.
- Require that all devices be password-protected.
- Determine which functions – email, Word documents, etc. – employees can access from their mobile devices.
- Limit access to data in a way that is appropriate to the employee’s job.
- Establish an antivirus software policy.
- Consider whether some data should be encrypted.
- Develop a procedure for employees to report suspected data breach incidents.
- Develop a response plan in the event of a breach, which may include remote data wiping.
- Ban any outside applications that cause extra security concerns, and
- Reimburse employees for authorized costs, which should be spelled out in advance.
What About Employee Privacy?
The flip side to this issue is that employers and employees should both be concerned about the privacy of employee communications, especially when employees are using their own electronic devices at work. Will communications using the company network be monitored? If so, employees should be clearly informed, so that they do not act with an inaccurate expectation of privacy.
Questions about the use of social media can become even more complicated. What if an employee is encouraged or expected to post company information on a personal site? Who owns the site when the employee leaves? A written agreement may prevent litigation.
Both employers and employees should also be aware of three potential situations that may require employers to disclose data on an employee’s personal device. These include an investigation of a security breach, a discovery demand in civil litigation or a criminal investigation. Personal e-mails and images, even though not germane to the underlying issue, can be swept up in the compelled disclosure. It is a chilling thought, and not entirely within the control of either the employer or employee.
So is BYOD a good idea or not? It may be an important part of company culture. Protecting employer data, however, may require some additional security protocols. Protecting employee privacy is largely a matter of disclosure and education about expectations and risks.