Hidden Cost, Hidden Danger? A Guide to BYOD

by Pam Baker

Should you let employees use personal mobile devices for work, or are you better off providing company-owned devices? Our guide will help you decide whether BYOD makes sense for your business.

Mobile devices give small businesses a competitive edge by helping them get more work done in the field and on the road. When it comes to devising a mobile strategy, small business owners must decide whether to provide company-owned mobile devices, or to let employees use their personal devices—a practice more commonly known as Bring-Your-Own-Device, or BYOD.

At first glance, a BYOD program sounds like a no-brainer. Small companies, particularly those on a shoestring budget, can ill afford to provide employees with mobile devices, so why not save a few bucks and let them bring their own? However, the cost of the mobile devices is just the beginning when it comes to company mobile use in general—and BYOD in particular. It behooves you to know exactly what you're getting into before you decide to make the move or stay put.

Besides hidden costs incurred in the course of running a BYOD program, there are several hidden dangers to contend with as well. However, you'll find some of the same issues with company-owned devices too. Indeed, some people think that adopting a BYOD program eliminates these issues. But the issues aren't that simple. Here is what you need to know to decide which mobile strategy is best for your company.

Small Business Mobile Strategy Considerations

The good news about mobile devices is that your employees can work from anywhere. The bad news is that they can also work at any time. Working after hours on a mobile device, whether it is company-owned or a personal device, may make you liable for paying the employee overtime. In the case of personal devices, it may also make you liable for footing a proportionate amount of the employee's carrier costs.

"BYOD does not mean that you pass along all the mobile phone costs to your employees," says David Alison, founder of EasyGrouper, a mobile communications platform provider. "Recognize that you should be responsible for some level of reimbursement for the cellular and data costs that your employees incur."

He cited a recent California ruling that required employers in that state to do exactly that, and he says that similar laws will spread throughout the country. Some may even be retroactive, so you're better off if you take care of that issue proactively. "Have a mechanism in place for reimbursement, whether you decide to pay for a certain percentage of your employees' cellular bill or require more detailed expense reporting and usage tracking," he said.

Remember: when you calculate costs for BYOD, you need to factor in the carrier costs, too—not just the cost of the physical devices.

Another important point you must consider: how to maintain control over your company information. Requiring employees to use company-provided mobile devices doesn't mean that company data will stay off of their personal mobile devices. Employees often use their personal devices to do company work even when they have a company device available—simply because they prefer their own device, or because they don't want to take the time and effort to find the other phone or boot up the company laptop.

Another common misconception is that allowing employees to use their own devices for work exacerbates this problem. Actually, many carriers now provide the means to provision one device with two phone numbers. This separates company information from the employee's private information, which often solves the issue.

"When you make the move to BYOD, it's important to have a mobility solution that lets employees separate their business and personal communications on a single device. A 'dual persona' solution maintains separate identities," says Pej Roshan, vice president of product management at ShoreTel, a phone system provider.

"Employees never need give a customer their personal mobile number again; instead their company number follows them from desk to field," he added. "And managers can rest easy knowing that customer lists [and other company data] stay with the company, not with the employee." 

You can also protect company data on a personal device by the use of "containers." This is simply a technical way of wrapping and protecting company data—and thus separating it from personal data on the same device. Several carriers and phone system companies offer this technology.

By using containers and dual persona devices—or a combination of both—you can wipe your data from any personal device (if it is lost or stolen, or if the employee leaves the company) without disturbing the employee's data. This is vital, as companies have been sued in the past for wiping personal data—ranging from photos to a novel-in-progress—from an employee or former employee's device in an effort to secure company data.

Small Business BYOD: Legal Considerations

Protecting the employee's data on the device from your company's security wipe is not the only issue you need to address regarding personal rights in a BYOD program.

David Willson, an attorney at Titan Info Security Group, a risk management and cyber security law firm, recommends that you address the following issues in your company policy. Have all employees agree to—and sign—the policy before allowing the use of personal devices for work:

  • Include a right to monitor, remote track and remote wipe the employee's mobile device
  • Require the employee to report a lost or stolen device immediately
  • Require acknowledgment and acceptance from the employees that if the employee stores photos or other personal data on the device, it may be deleted in a remote security wipe
  • Require that the employee make the device immediately available to the company for purging of all company data upon the employee's termination or resignation

"You can include many more provisions; however, the bottom line is to offer employees the option to use their own mobile devices—but only if they agree to the policy," he said. "If any employees reject the policy, then offer them the company device instead."

Small Business BYOD Policy Tips

Speaking of company policies for small business BYOD, let's look at some other important tips. Smack at the top of this list: permission from employees to remotely and automatically install security and other company software and updates on their devices. You'll also want to get permission to automatically back up any company data stored on the phone.

If your company uses cloud services, much of that data will be stored off the device already. However, customer and client names and contact info may end up in the employee's contact database. The dual-persona devices described above can handle that problem nicely. If you don't have that feature in place, though, you need to address how you're going to get customer contact and other data from that personal device.

Also, employees are notorious for using commercial apps that your company can't control. For example, you can’t access or secure files that your employees store in Dropbox. Your policy should address the use and storage of company data in such apps, so that it either doesn't happen or your company has access to it.

Paul Hill, senior consultant at SystemExperts, provider of IT compliance and security consulting services, suggests that—when writing your company policy—you spell out the stipulation in exact language, such as "employees should not store any company data on cloud-based storage services unless explicitly authorized in writing by their manager."

Even so, you'll likely need to train employees and constantly remind them of the policy forbidding the use of such apps for work.

"The last point can be difficult for many employees to fully understand and manage," says Hill. "Many cloud-storage services come with a variety of integrated, third-party applications. In some cases an employee may be using an app and not realize the data is not stored locally."

Examples of cloud storage vendors include Apple's iCloud, Google Drive, Microsoft OneDrive, Evernote's cloud storage, Dropbox, Adobe Creative Cloud, Box, Hightail, and CloudOn. Not only might you have trouble ever getting that data back into your database, but you may have trouble protecting it in the cloud from hackers and providers, too.

There's one more often-overlooked issue that you should address in your BYOD policy: the importance of not sending objectionable material from a personal mobile device that is also used for work.

"Because BYOD blurs lines between work and private life, we see more and more discrimination lawsuits that involve employees sending inappropriate or objectionable conduct over their personal devices," says Shira Forman, an employment lawyer with the New York office of Sheppard Mullin Richter & Hampton.  

Forman advises small businesses that adopt BYOD programs to be vigilant about updating and enforcing their anti-discrimination and anti-harassment policies.

"Employees need to be reminded that just because they are using their own smart phone doesn't mean they should feel free to send an inappropriate personal text or video to a colleague," she says.

Limiting BYOD Device Options

The most common mistake small business owners make with BYOD programs is to open the gate to any and all devices employees might want to own. This creates havoc for your IT department (or you, if you do the company IT support yourself).

It's better to narrow the types of devices you will support by operating systems and versions rather than supporting a huge range of devices that will likely constantly change as employees upgrade or refresh them. The situation becomes more complicated if employees insist on using mobile devices with old operating systems the manufacturer no longer supports.

"If a small business attempts to support all types of devices, it's inevitable that neither the employees that own the devices, nor the employees responsible for the IT security of the company will be happy with the result," says Hill.

Hill went on to say that small business owners should understand that the carrier, the phone manufacturer, and the management platform affect device management capabilities as much as the device's operating system features. In other words, make sure you are fully versed in the ease or difficulties in device management capabilities before you add any given device or phone carrier to your BYOD approved list.

BYOD Security Tips

Beyond securing your company data using the technologies and techniques previously discussed, there are plenty more things you can do to further enhance data security.

"Protecting data on a BYOD device is much like protecting it on traditional computers," says Lysa Myers, a security researcher at ESET, a security product producer.

"Update software as promptly as possible, encrypt sensitive data in files sent across the network, back up important files, and enable security features within the operating system—especially remote wipe and auto-lock," she added. "You may also wish to limit apps to an approved list, to minimize the possibility of employees installing leaky apps."

You should also train employees so they know what they can do to avoid making themselves, and the company, a target for hackers. Explain how they should fortify their home Wi-Fi and avoid public networks. To aid with home network security, and thereby extend protection of company data, consider offering company security software for their home use on other devices. Or, simply point them to a list of free or affordable security products, and teach them how to use them if need be.

Dr. Engin Kirda, computer science professor at Northeastern University and co-founder and chief architect at Lastline, a security product producer, recommends you take the following security measures:

  • Make sure employees have a strong alphanumeric password on their home router
  • Implement security tools on everything from their home printer to their tablet
  • Keep their operating systems up-to-date
  • Be prudent about using unsecured cloud applications, thumbdrives, Bluetooth sharing or other uncontrolled transfer technologies to transmit confidential data
  • Make sure they're not afraid to ask for help or request special training
  • Urge them to use a password manager (e.g., open source tools such as KeePassX) to generate and store strong passwords

Also, be careful to vet security products before you buy or share them with employees. In other words, make sure you understand what the product can and cannot do before you invest in it.

"Personal devices often don't have the same level of security technology installed, and not all enterprise-grade security technology 'scales down' to personal devices, or small businesses for that matter," warns Dr. Kirda.  

This is true for both company-owned and personal mobile devices; it's just that BYOD security is tougher to conquer by virtue of the range of devices, operating systems and carriers you must accommodate.

To BYOD or Not to BYOD: That's the Question

As noted earlier, many of these issues apply to both company-owned and personal mobile devices. Make sure you compare the two options accordingly when making your final decision.

In some areas, BYOD trumps company-owned devices hands down. One example of this, as counter-intuitive as it seems, is dual-persona solutions on private devices.

This option beats owning two devices—one company-owned and one personal—in limiting company data exposure on personal devices. In other words, one protected personal device is generally safer than two devices, as employees will often use the personal device for business purposes anyway.

In other ways, company-owned devices will actually be cheaper and easier than BYOD. For example, IT support is simplified. Device control is often better too; however, data protection is not. Employees still tend to work on their personal devices and, conversely, to keep personal stuff on the company devices.

You should also consider how receptive your employees are to BYOD. While employees in many companies not only enjoy but demand BYOD, employees in other companies don't welcome what they see as an additional cost they can ill afford. It's best to figure out where your employees stand before you make your final decision.

In the end, what matters is which choice benefits your company the most in costs and benefits. Only you can decide that.

Pam Baker has written for numerous leading publications, including Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, the NY Times, and Knight-Ridder/McClatchy newspapers.

This article was originally published on Tuesday Sep 30th 2014