Balancing BYOD: risks and rewards
March 2019 | COVER STORY | LABOUR & EMPLOYMENT
Financier Worldwide Magazine, March 2019 Issue
The working world is changing. Cultural revolutions, social and environmental issues and technological advancements are combining to re-shape working conventions. As traditional practices change, new patterns emerge.
Worker mobility has become a key issue in recent years, due in part to the proliferation of devices including smartphones, laptops and tablet computers, with widespread access to high-speed internet. Cloud computing, too, means more employees are able to work from anywhere, at any time and on any device, including non-company issued devices.
Though there may be some operational issues involved, companies are beginning to acquiesce to employee requests to use their own devices for work. “Many companies give employees the option, and may even require them, to bring their own device,” says Michele Haydel Gehrke, a partner at Reed Smith LLP. According to Bitglass, 85 percent of enterprises now allow data access from personal devices for employees, partners, customers, contractors and even suppliers. Growth of the bring your own device (BYOD) industry is expected to continue in the coming years, reaching an estimated value of $366.95bn by 2022, according to Global Market Insights, Inc.
Companies often allow personal devices for efficiency and convenience, so that employees who are able to work remotely can carry only one smartphone, one tablet or one computer, as opposed to having several, according to Martine Tariot Wells, a shareholder at Brownstein Hyatt Farber Schreck, LLP. “This is particularly evident in industries and organisations that have workforces working out of the office on a regular basis. For example, in 2018, the US Bureau of Labour Statistics determined that in 2017, nearly 50 percent of workers with advanced degrees worked remotely for at least some portion of each day worked,” she says.
Improvements in mobile technology and consumer electronics in general have meant that many consumer devices are equal, if not superior, to enterprise devices. This increased sophistication, coupled with decreasing cost, rising ownership and improved connectivity, has caused many employees and companies to explore BYOD opportunities.
Productivity, employee satisfaction, customer retention and cost savings are also compelling companies to utilise BYOD policies. “Many employees prefer BYOD policies, so offering that and paying a fair share of their phone/data bill is a good employee benefit,” says Ms Gehrke. “BYOD also allows an employer to save on phone hardware and phone and data charges since they do not need to buy and maintain phones for employees. However, some of these savings are tempered by the legal obligation in some jurisdictions to pay a reasonable share of an employee’s monthly phone service charge. A formal BYOD programme also protects employers by having data security and other policies and procedures in place so that the organisation is protected even from the inevitable sporadic use of personal phones that is hard to deter.”
To the extent an employer allows BYOD, it is recommended that the organisation takes a variety of security measures. “Security measures include access to the organisation’s business only through a secure cloud-based computing or virtual personal network (VPN) system, two-factor authentication and no expectation of privacy on the individual’s personal devices used for business purposes, so that if needed work data can be accessed, monitored, retrieved and ‘wiped’ from such a device,” explains Ms Wells.
Implementing a BYOD programme is no simple task, however. It requires effective planning to identify the risks of utilising non-standard devices. Companies must also decide how to enforce policies for devices connected to the company’s network and evaluate, implement and review solutions going forward. “It is also important to widely communicate the policy to internal departments and end-users,” explains Mitch Koczerginski, an associate at McMillan. “A BYOD policy should cover issues such as the responsibilities of the organisation and employees, the scope of monitoring, acceptable and unacceptable uses of BYOD devices, security requirements and access requests.”
Companies should set out clear guidelines for employees, and take steps to manage risk and protect their reputation should a device be used inappropriately, suggests David Gourlay, a partner at MacRoberts LLP. “Staff should be trained on security risks and firms should enforce their policies consistently. As data controllers, firms must ensure data is processed lawfully, not retained for longer than required, and must adopt appropriate measures to secure data, which may include adopting a remote wipe policy should a device be lost or compromised. BYOD is here to stay and policies can be expected to evolve to encompass wider technologies in the form of Bring Your Own Everything (BYOx), for example; such policies will not be limited to devices, but encompass wearable technology and apps,” he adds.
Evaluating the risks
Obviously, companies should not just tell their employees to bring their personal devices to work and start using them for professional purposes. There are a number of risks and implementation challenges which companies must overcome to truly benefit from BYOD.
Indeed, some organisations are resistant to the whole concept. The demand for BYOD is not universal. Individual employees may wish to maintain separation between their work and personal lives, for example. How, then, can companies determine whether a BYOD policy is appropriate for their organisation – and what steps should they take when implementing one?
Some companies encourage employees to use personal devices alongside work-issued notebooks and smartphones. Others give employees the option to use personal devices exclusively. BYOD does create security issues, however. For example, the IT department must ensure that devices are able to connect securely to the network. Ultimately, companies must decide what works for them. Whatever they choose, a BYOD policy should be supported by contracts with language describing the terms and conditions of using a personal device for work, including the ability to remove company data from the device if needed. Many companies are implementing BYOD policies which limit the use of websites and applications such as Twitter, Facebook and other forms of social media in order to curtail time-wasting. An excellent way to protect mobile devices, regardless of who owns them, is to sandbox as many applications as possible, separating them from the operating system as well as from other applications. Employees can then access data or documents online, without having to download them onto the device itself.
Finding the right way forward can be difficult. It may feel as if the company is losing control of both security and corporate data. “The risks inherent in BYOD centre around data security and the ability to manage the workforce and enforce policies,” explains Karla Grossenbacher, a partner at Seyfarth Shaw LLP. “If employees are connected to employer systems and data through personal devices and are not required to comply with the company’s data security standards and protocols, this presents significant risk. Also, communications made on employee devices are ‘offline’. The employer cannot – without the right policies – access, monitor, review or preserve these communications. This is a real issue when it comes to conducting workplace investigations and defending lawsuits.”
Data privacy concerns
From a data privacy standpoint, companies should conduct impact and threat risk assessments. Cyber security and data privacy are among the biggest threats facing companies today, so companies need to factor these challenges into BYOD planning and policies. “Both privacy impact assessments and threat risk assessments are project-based assessments tailored for specific privacy and security needs of different organisations,” notes Mr Koczerginski. “They identify risks associated with the collection, use, disclosure, storage and retention of personal information. These assessments enable organisations to determine whether a BYOD programme effectively reconciles security requirements with privacy obligations.”
Many organisations are nervous about the security of information held on personal devices and require employees and third-party contractors to use company-issued devices only. “The primary risks with BYOD lie in the security of the device – both in terms of confidential information and personal data held on and transmitted via the personal device,” says Melanie Crowley, a partner at Mason Hayes & Curran. “Employee personal devices would not necessarily have the appropriate encryption software or the ability to wipe remotely if lost or stolen. Furthermore, the use of personal devices also results in employee personal information being mixed in with corporate information, which makes it difficult to monitor and manage.”
When employees are responsible for the upkeep and protection of their devices, it is much harder for the IT department to ensure critical security measures are being followed. Anti-virus protection, patches and updates may not be regularly installed. Employees may also pose other threats to their device, and by extension the company’s data, by downloading mobile apps, visiting questionable websites and using the company’s networks improperly. Creating a mobile technology policy that employees understand and help maintain, and consistently reiterating the importance of cyber security, can strengthen a company’s BYOD programme.
Regardless, with any BYOD policy an organisation is entrusting the security of its data to devices that are outside its usual sphere of control. “Even the most robust BYOD implementations, therefore, bring with them an increase in the risk of losing confidential information, including personal data,” notes Doug McMahon, a senior associate at McCann FitzGerald. “Services that enable BYOD working have become a significant attack vector for hackers, particularly when multi-factor authentication protocols are not used. When devices are lost or stolen – which they inevitably are – securing an employee’s device can be a more fraught process than dealing with a company-owned device.”
In the view of Peter S. Vogel, a partner at Foley & Lardner LLP, cyber crime is the number one topic of discussion in 2019, since criminals know and understand how vulnerable people are. “There is so much malware sent by phishing emails it boggles the mind, and there is little hope that this will improve in the foreseeable future,” he says. “The US Federal Bureau of Investigation (FBI) estimates the time from initial cyber intrusion until detection is about eight months. So what happens during those eight months to cell phones, tablets and home computers is the really scary part, including theft of credit card information, healthcare data and personal identifiable information. The simple solution is to train employees to be more aware of phishing and malware emails, and to not open an attachment or URL link if the content does not pass the ‘smell’ test.”
When trying to reduce cyber vulnerability, companies must explore mitigating steps to achieve cost benefits with less risk. “The first port of call for many companies will be to check their insurance policies,” says Mr McMahon. “Next, a company should look at practical solutions to mitigate the risks of something going wrong. A key place to start here is the BYOD policy itself. It could be the best BYOD policy in the industry, but if the company does not take steps to implement it in practice, it will not be much use. Sufficient staff training can be as important as getting the policy right in the first place.”
Companies need to focus on putting the right procedures in place and making employees aware of their obligations. “Any employer allowing employees to use personal devices for work purposes needs to have a BYOD policy that each employee signs before being allowed to use a personal device in the workplace, in which the employee agrees to comply with the employer’s information security policies and protocols and take whatever steps the employer deems necessary to protect its data,” advises Ms Grossenbacher.
According to Ms Crowley, an organisation’s BYOD policy should, at a minimum, explain what measures the employee must take in order to protect the data on the device, such as encryption, password protection and limitations on the types of information that can be stored on the device. “It must also explain the scope of the organisation’s access and the purpose of the access, address how the organisation will go about protecting the employee’s private information that it comes into contact with, set protocols around how data is stored on the device, include details of the organisation’s incident management procedure for situations where there is or could be a data breach, or a device is lost or stolen, and specify what will happen when an employee resigns or leaves the organisation. There is an obligation to permanently delete employer confidential information,” she adds.
Other data protection issues should be assessed, particularly in light of recent regulatory developments in the European Union. The General Data Protection Regulation (GDPR), for example, has extensively changed the way companies need to handle data. “Companies should consider the type of data they process, where it will be stored and how it will be transferred,” says Mr Gourlay. “They should consider whether storage of some types of data on certain devices should not be permitted. They should also undertake a balancing exercise between company needs and employees’ rights when implementing a BYOD policy. The risks and contingency plans in relation to data breaches and employee resignation should also be considered. BYOD schemes may result in companies processing personal information about employees and possibly their family and friends, if they use the device too.”
For many organisations, BYOD is all about the technology. However, if companies are to allow staff to utilise non-company issued devices, then they must have the right policies in place and enforce the right behaviour. Policy is at the forefront of successfully managing mobile devices.
© Financier Worldwide