Mitigate Risks in ‘Bring-Your-Own-Device’ Workplaces | DCR Workforce Blog

Mitigate Risks in ‘Bring-Your-Own-Device’ Workplaces

Widespread access to mobile technologies is encouraging more employers to adopt a Bring Your Own Device (BYOD) policy in the workplace. In some cases, the transition is happening without a specific mandate from the employer. When employees bring their personal smartphones, tablets and computers and connect them to the corporate IT network, the practice inevitably brings advantages as well as challenges. This makes it necessary to put a plan in place to mitigate the risks.

Let us first look at the advantages:

  • Employers save on investment into traditional IT assets when more employees utilize personal devices.
  • With newer versions flooding the market at regular intervals, employers are saved from keeping up with technological advances while pleasing the tech-savvy Gen-Y employees.
  • Using the same device for work as well as personal matters has been credited with increasing productivity and savings in time.
  • Employees can more efficiently work remotely when necessary.  These tools also increase collaboration within distributed teams.

Now, the challenges and risks:

  • Interoperability. IT administrators are faced with different consumer-grade devices accessing their secure, controlled corporate environment.
  • Policy compliance. Employees constantly share, collaborate, and communicate on social media, making the IT administrator’s job harder than it was when they simply blocked all such ‘unproductive’ activities.
  • Intellectual Property Protection.  Many of these devices can take notes, record sounds and conversations and can take pictures of internal documents and sensitive material.  They function as hard drives to carry large amounts of data, or allow access to cloud storage accounts. To further complicate matters, people let a partner, friend or child use their smartphone or tablet to play games or view photos or movies, exposing sensitive corporate information beyond the confines of the workplace.
  • Security. The devices may also carry viruses into the network, threatening the whole network’s security and integrity. IT personnel must empower workers to use their devices, while protecting the corporation’s network and systems. The ability to constantly monitor which devices are connected to the network, encrypt data, run antivirus programs and enforce password protection becomes essential. Loss of a mobile device is also a very common occurrence, increasing the threat to an employer’s data security. In addition, having such a device connected to an ‘unsecured network’ when used for personal purposes also makes corporate information vulnerable.
  • Compliance with privacy and anti-discrimination laws. Unauthorized access to certain electronically-stored information, including Social Security numbers, driver’s licenses and other personally identifiable information, is prohibited by the federal Computer Fraud and Abuse Act and the Stored Communications Act as well as by many state laws. These may affect an employer’s right to access the stored data on an employee-owned device. This makes it necessary to incorporate the authority to ‘remotely wipe’ the data on such devices into any BYOD policy.
  • Defining work schedules. When a non-exempt employee works outside of the regular shift using a personal device at the employer’s direction, the employer would have to compensate for the hours worked.

BYOD policies will need to keep all the above risks in mind and mitigate them by deciding how much data would be accessible on a worker’s personal device.  A role-based access management system becomes imperative. Employers need to obtain and document the worker’s permission to access and manage the device, including the ability to wipe out all information stored on the device. This action could also erase the worker’s own files, music, pictures etc.

Can we allow Temporary Workers to bring their own devices?

A huge (and growing) segment of the workforce today consists of temporary workers and independent contractors. What protects a company from a temporary worker who accesses its corporate network remotely or uses a personal device for work?

  • Every department will need to know the policies and procedures governing the temporary worker’s use of their own device at work.
  • The policy must be communicated and acknowledged as a part of the independent contractor agreement or temporary worker’s contract.
  • Mandate background checks and extensive screenings for all workers who may have access to sensitive information.
  • Control physical access using badges and cards, which will expire at the end of the contract’s term. Restrict areas which do not need to be accessed by the worker. Access to facilities, online data, and other resources should be restricted, determined by the worker’s role and responsibilities. Rigorous onboarding and offboarding processes should determine access and ensure the return of assets and termination of access at assignment end.

According to a Gartner CIO survey, 38 percent of employees will be using their own equipment in the workplace by 2016, while the number will go to 50% in 2017. So it is necessary for every employer to have a strong policy.  All employees – whether temporary or permanent – must be subjected to the same controls, enabling them to use these important tools to increase productivity while protecting the interests of the company.


Lalita is a people/project manager with extensive experience in operations, HCM and training and development across industries like banking, education, business consulting, BPO and information technology. She believes in a dynamic approach to life and learning as change is the only constant.