Bring Your Own Device (BYOD) is one of those new trends I have seen come up in the IT world over the past few years and many small businesses have been asking about it. Basically, the idea is that instead of the small business purchasing computers/tablets/smart phones for its employees, the employee just brings their own or the employee and the company go in half-and-half or something. Companies like BYOD because it saves them money in equipment and software licensing. Why buy an employee an iPad when that employee can just bring their own?
Like everything else, however, there are some caveats that need to be taken into consideration. Let’s look at some examples:
The employee is using their own laptop for work. However, their work requires some specialty software so the employer installs this software on the employee’s laptop thereby consuming a user license for that software. The employee is terminated and now that software must be removed from the laptop. Because the laptop is the personal property of the employee and that employee has all her tax information and so forth on the laptop, the employee refuses access to the laptop for removal of the software by the company’s IT support. How does the company reclaim the license?
An employee has been using his iPad at the office for months now. He turns in his two weeks' notice and the current employer finds out the employee is leaving to go work for a competitor. How can the company search the personal iPad of the employee to determine if he is carrying any proprietary information out the door with him?
An employee is using his smart phone to field sales calls. The employee leaves your company for a competitor that offers more money. And you now realize that all of your clients have only that (soon to be former) employee’s cell phone number as the primary contact for your company. Since the phone does not belong to the company, there is no way to seize the phone number.
An employee has been using his laptop for work for four years now. You know that employee has lots of company data on that laptop. One day, the employee comes to work with a brand-new Dell Latitude laptop. What happened to the old one with all that data on it? Was the hard drive properly wiped using DoD-compliant shredding software? Did he just give it to his kids without cleaning off all that proprietary data?
Based on the above examples, how do we handle regulatory compliance or disaster recovery?
In all the above cases, the company is at a loss. It is difficult to just search an employee’s personal property without some type of privacy violation, which could lead to bigger problems. Furthermore, an employee who uses their own laptop/computer/smartphone/other device may not consider security at all, since the employee views the device as their personal property and not as a vessel of corporate property and information. How are security updates getting done, if at all? What if the employee is allowing friends or other family to use the device to play games or for their own use?
BYOD can be a real money saver with regard to purchasing equipment. However, as always, the long-term costs must also be considered. Devices that are not under the control of the company yet contain company information can pose true security issues and place the company in a bad situation regarding privacy and compliance. In my opinion, BYOD is a bad idea for most organizations – especially those that are governed by some type of federal regulation such as HIPAA.
Before your company proceeds with a BYOD policy, you may wish to consult a lawyer.