Today’s employees are always connected, thanks to ubiquitous broadband and a wide range of portable devices, from smartphones, tablets and laptops to fitness trackers and a plethora of smart devices such as watches, cameras and GPS navigators. How necessary is this level of connection?
Cinemas and restaurants are no longer peaceful, with beeps, chimes, vibrations and other alerts notifying everyone in the vicinity that something else (generally of a trivial nature) has occurred in your vast network of contacts. It makes sense that social addicts want to spread this contagion to the workplace since not being connected can produce a sense of withdrawal not unlike that of those coming off hard drugs. We need someone to like that oh-so-interesting photo of last night’s chicken chow mein. We need someone to know how we feel at work… Or do we?
BYOD Motivated By Cost Savings?
Let’s look at the motives behind BYOD adoption for companies and device users. Visitors to your home quickly request access to your Wi-Fi as most are tied to a set data plan by their mobile carrier, with a monthly cap and corresponding rate per gigabyte of usage. Using Wi-Fi, device users can access broadband Internet and reduce data usage over 3G, 4G or 5G. Therefore, we can safely conclude that users want BYOD to save money on data charges by connecting to the company Wi-Fi.
Employers also want to save money, of course, and by allowing employees to use their own devices, they do not have to issue company-owned devices. Since it is likely that personal devices are of a higher spec than those purchased for business use, there are also possible productivity benefits.
In an ideal world, the story ends there: everyone involved saves money and lives happily ever after. Unfortunately, there are drawbacks for both parties, ultimately caused by data, user and device management requirements.
Can any company afford to provide Wi-Fi access without considering potential security risks to the network and the data residing on it? No, as every jurisdiction is likely to have regulations and mandatory requirements relating to data security, personally identifiable information (PII) or indeed e-discovery. Therefore, any cost savings in allowing BYOD are likely cancelled out by the management of BYOD devices.
Practical BYOD Issues
As a former network administrator, I appreciate the additional workload a BYOD program can place on the IT team (the team blamed when the network is breached or data is lost).
The problems with BYOD from a security perspective include but are not limited to:
1. Permission management: to ensure secure access (by user, device or network credentials), a solution aimed at mobile device management (MDM) is best.
2. Device management: companies need to decide on the device types and manufacturers they will allow on the network. Additional requirements could relate to the device OS revision/version involved. Allowing all mobile devices access is a mistake, as cheaper brands could use an earlier OS version with known vulnerabilities or apps that can exploit network connections.
3. Security updates: if the device owner does not encrypt the device or install security updates, then it is a weak point on your network.
4. Viruses, malware and other threats: again, virus scanners and other security tools must have the latest updates to protect the device and, in turn, the company network.
5. Employee exit procedures: when the owner of a BYOD device leaves the company, the device must be cleaned to remove company data in a secure manner. This can require admin access to the device, a problem for many device owners, who do not like being ‘spied on’.
6. Lost or stolen devices: if a BYOD device is lost or stolen, there is a potential data loss/breach involved. For this reason, the remote wipe is a useful admin feature. Unfortunately, such control is often a problem for device owners (see (5)).
For employers considering BYOD, device admin is typically the single thorny issue. If a user does not want the company to administer the device (and I wouldn’t), then the company should not allow the device to connect to company Wi-Fi. End of story. If the same employee needs a company device for travel or remote work, then issue a company-owned device, as the company can administer it as it desires.
In conclusion, I believe that constant connectivity is not needed, unless you are a volunteer firefighter or an on-call medical professional. For family emergencies, SMS is still an effective way to receive an urgent message. After all, employees can still use their mobile carriers for internet access if needed at work. From a company perspective, is it easier to only allow company-issued devices access to the network? It varies from company to company, but for the most part, when full administration of employee-owned devices is necessary, the resulting admin and security risks may not be worth it. In some jurisdictions, there are also HR considerations (if an employee uses the device on work tasks outside working hours, expect to compensate that employee) and legal considerations (under e-discovery, mobile devices are included, and data loss can result in substantial fines). I recommend you identify all potential risks before embarking on a BYOD strategy. What do you think? Is the use of personal devices an issue in your company?