Bring Your Own Device offers some interesting benefits to both employers and employees, yet a lot of organisations are giving up on the idea.
Bring Your Own Device (BYOD) is not a new concept, yet organisations still seem to be in a fix about whether to adopt it. Organisations that did adopt it failed miserably, only to realise later that they did not have the data security measures required to let people use their own systems. On the other hand, organisations that do have the right kind of security and monitoring measures make employees utterly uncomfortable about using their personal devices at work, as they risk exposing even their personal usage to their employers. It seems that adopting BYOD is safe for neither the employer nor the employee.
Bring Your Own Technology (BYOT), Bring Your Own Phone (BYOP) and Bring Your Own Personal Computer (BYOPC) are all related to the broader bring-your-own-device idea. This refers to the policy where an organisation allows employees to carry their personal devices to the workplace and use them to access the corporate network or data. Intel first adopted it in 2009. Sriharsha A Achar, chief people officer & chief information security officer, Apollo Munich Health Insurance, shares, “Adoption of BYOD in high growth markets is touching 60–70 per cent and is making significant inroads in the business world. The Middle East had one of the highest adoption rates — about 80 per cent of the practice worldwide in 2012. However, as per the recent survey, organisations are moving out slowly from BYOD.”
BYOD offers some interesting benefits to both employers and employees, such as improved productivity owing to the comfort level with one’s own device and reduced cost for the company. However, the reasons why a lot of organisations have lately been giving up on the idea are even more numerous. Some of the common cons of BYOD are the additional cost of protecting the device, the exposure of data and systems to attacks and malware, and even corporate liability in case of fraud. In addition, as Achar says, “It is a little bit trickier telling an employee what is, or is not, an acceptable use of their own laptop or smartphone. There might also be cases of non-compliance to the Acceptable Use Policy.” Worse, if workers are terminated or leave the company of their own accord, segregating and retrieving company data can be a bigger problem.
An employee of one of the telecom majors with a BYOD policy shared with us that he had the entire security system installed on his personal computer. When he left the job, to his dismay, his personal computer was formatted on his last day at work, with most of the key hardware disabled and the OS lost. This is a case of someone who had agreed to the terms of the company when he started working there, believing that when he left the organisation, his system would be restored to the settings it had before the company installed its own. However, the organisation simply safeguarded itself by retrieving what was its own, deleting the rest and leaving the employee empty-handed.
Achar shares how people reacted when the idea of BYOD was discussed internally at Apollo Munich. He says, “In today’s context when information security is at its peak, it becomes difficult to deploy BYOD in a company like ours. While we tried to do it at some point in time, there was resistance because people did not want to get the company’s security system installed on their laptops.” Moreover, at the senior management levels, where data sensitivity is high and most systems have to be encrypted, Achar believes that a BYOD policy becomes all the more difficult to implement. “Since people are not comfortable with the information security system monitoring their personal devices, as a policy we are unable to bring in BYOD”, Achar adds. In fact, people are also concerned about the accountability of the company in case something goes wrong with their systems while at work.
On the other hand, where an organisation lacks appropriate information security methods, or a recovery process for when an employee decides to leave, the vulnerability rises. That insecurity leads organisations to take extreme measures, which was probably also the case with the telecom employee who was left with a personal laptop good for nothing!
“Unless and until there is a strong and agreeable policy, which is understood and signed off by the people who will use BYOD, it is going to be challenging to execute it”, says Achar.
The vulnerability, of course, is high, as on a personal system it is very difficult to monitor usage and sometimes even to differentiate personal from professional usage. What might seem to be a professional threat may at times just be a personal action, while something harmful may at times go unnoticed. When organisations get into control mode, sending out even simple e-mails from the company domain becomes difficult. Such monitoring will only result in more administrative hassles.
BYOD puts organisations into a dilemma of how much to control and what to let go of. However strong the security measures may be, the ever-developing world of technology will always come up with new hacks, which is why a lot of companies are now drifting away from BYOD.