Inside Internal Controls

News and discussion on implementing risk management

BYOD: you’re probably already doing it, but are you doing it smart?

By now, countless businesses have had to address some issue relating to an employee using her or his personal digital device for work purposes (“bring your own device” or BYOD). An employee wants to access the office wireless network on her laptop so she can work while away from her desk; another wants to store and view work documents on his tablet; another just wants to check her work email from her smartphone. These are just a few of the many ways workers are using personal digital devices to perform work-related tasks.

It’s generally simple to allow employees to use their personal devices; often they’ll know better than the employer how to set up the device to do what they want. But it’s less easy to control what happens after.

Do you know whether your employees are using your wireless network for business or personal purposes? Have they shared the network password with non-employees who work or spend time nearby? Do you know whether your business-related documents are secure on your employees’ devices? Are employees sharing those documents with others? Are employees using their digital devices for work outside of regular working hours, perhaps setting up claims for overtime pay? If your employees (and you, by proxy) rely on these devices, how do you manage if they break down or get lost? Who pays for the repairs or replacement? Who owns work-related information produced or stored on an employee’s personal device? These are all serious questions that employers should consider if they plan to allow (or already do allow) employees to BYOD. And they can all be addressed by well-prepared workplace policies.

Three key issues around BYOD are maintenance and support, employee agreements and compensation. I’ll let Steve Goldwasser, author of Information Technology PolicyPro, introduce them:

When employees and their devices are approved for participation in the BYOD program, it’s important that employees clearly understand any limits regarding the company’s training, application and device support, and support for any problems encountered in the use of the devices and company or personal applications installed.

Further:

The company must restrict which applications are installed on the device and the network connections to which it may be exposed. There must be controls in place to protect the company’s networks and data against the inadvertent or intentional installation of rogue or otherwise undesirable applications on the employee’s device.

And:

There are numerous reasons for the company to reimburse employees for some or all expenses related to the purchase and ongoing use of their devices used in the BYOD program. Reimbursement for purchase and use costs may be published in a schedule that takes all the known factors into account, and the schedule may be subject to periodic review and change. Reimbursement for use may be established as a percentage based on the factors in play, a fixed periodic stipend, or by having employees submit expense claims.

Maintenance and support

It is inevitable that your employees will seek help from your tech support team on issues pertaining to the work-related use of their personal devices. You must ask yourself how much support you want to provide. Here are some cases in which employers will likely want to offer support:

  • Initial connections to company networks and data from approved personal devices
  • Technical support for company-provided or mandated applications
  • Technical support for employee-owned applications approved for access to company networks, systems and data in general, and for task and project management, email and calendar synchronization, document sharing, messaging and other information management applications
  • Technical support for employee-owned applications installed for personal use that conflict with applications identified as company-supported applications
  • Assessing malfunctioning devices
  • Lending a temporary device while an employee’s personal mobile device is being serviced or is waiting for replacement
  • Guidance and resources for backing up applications and data

Of course, all of these things will require resources: people, knowledge, time and money. For businesses that have all of these resources, this won’t be a problem. Others will have to make sure they incorporate these elements into their BYOD plan. Will you need more support staff? Will your support staff need additional training on the devices that employees may want to use? If you do choose to offer support for employees’ personal devices beyond work-related purposes, where will you draw the line?

Whatever support you choose to offer, make sure your support staff provide it in a consistent manner to all employees who need it. As the gatekeepers to your networks and data, technical support staff have a special responsibility with respect to BYOD programs. While all employees who wish to use their personal devices for work should sign specific BYOD agreements (see below), support staff should have additional obligations outlined in their agreements.

Employee agreements

Employers and employees who use personal devices for work-related purposes should always have a written and signed agreement that outlines both parties’ rights and obligations with respect to the devices, and a code of conduct. The agreement should also describe the penalties for misuse. Employees must respect the employer’s networks and data and understand how their actions can damage the employer’s property and operations.

Without an agreement, employers will be in a bind if they want to assert any right over an employee’s use of a personal device or the data on it. Indeed, any such agreement should clearly state that the employer has right of access to an employee’s personal device insofar as the employee uses it for work, and that any work-related information stored or accessed on the device belongs to the employer.

An agreement should also state when an employee may use a personal device for work. Make it clear that employees should not work outside of regular business hours, and that they must seek authorization before they do work outside those hours. Do you want your employees to work all hours of the day and expose yourself to the risk of overtime claims?

Employers may also want to specify whether they will share the cost of certain repairs, for example, for damage that occurs in the course of work.

One strong control is prohibiting certain apps that have the potential to cause harm, for instance by installing malware to steal information. Employers may have a hard time convincing employees to avoid installing certain mobile apps, but making this a fundamental condition of BYOD will help build a strong defence against malicious use of your data and networks.

Compensation

When it comes to reimbursement for BYOD expenses, an employee’s personal device is somewhat like an employee-owned vehicle used for work purposes. The employer is passing the purchase and support costs of work-related devices on to the employee, and the employee may be justified in expecting some compensation for using the device to perform work.

This will likely depend on the nature of the work performed via the device. You may not want to reimburse an employee who is just checking his work email messages, but you would likely consider it if the employee is often working away from the office and, say, has a cellular plan for her tablet which she uses to stay connected and perform research and so on.

With all of the planning and consideration that employers should put into their bring-your-own-device program and policy, some may wonder whether it’s worth it to allow employees to use their own devices for work, or whether they can’t simply “go with the flow” and let employees use their devices without regulation. Surely, it can seem difficult to take the time and effort to prepare a policy and program and implement it in your workplace, but there are many benefits. Employees will know what they can and can’t do with their devices, and the employer will have a policy to rely on when something goes wrong.

Besides, whether you permit it or not, employees will almost certainly use their personal devices for work, and “what you don’t know, can’t hurt you” isn’t a particularly good business strategy. It’s better to be clear about how your employees are using their own devices for work purposes. Without that information, you will be leaving yourself open to significant risk.

In case you’re wondering, that’s what Information Technology PolicyPro (ITPP) is for: to make it easier for you to introduce new policies to your workplace. BYOD has quickly become a popular aspect of many businesses’ operations, and I don’t think it will go away any time soon. Employers must keep up. We recently added six new customizable bring-your-own-device policies to ITPP, along with informative overviews that talk about the needs and considerations for such policies. Let these sample policies be your guide in this evolving area.

Adam Gorley
First Reference Editor

Adam Gorley, B.A. (Phil.), is a researcher, content provider and editor. He contributes regularly to First Reference Talks and Internal Control blogs, HRinfodesk and other First Reference publications. His areas of focus include broad human resources issues, corporate social responsibility, corporate governance and government policies, information technology and labour market trends.