Bring Your Own Device (BYOD) policies have become increasingly popular with businesses small and large, as they can save a company money and operational energy. But how do you balance the risk with the reward?
With the BYOD market on course to hit almost $367 billion by 2022—up from just $30 billion in 20141—the days of traditional, desktop workstations seem to be fading into hazy memory. While companies with BYOD policies saw an annual savings of $350 per year, per employee2, there are big risks involved in allowing employees’ personal devices to access your company’s network. Here are some tips for implementing or updating you company’s BYOD policy.
- Make it make sense. While BYOD is the trend of the day, some businesses aren’t naturally suited to it. Companies with highly classified information may require the security of company-owned and managed devices to ensure the safety of their secrets. Cyber attacks are increasingly common, and personal devices are often the weak link in a business’s network. Another key consideration is the cost/benefit analysis—if it’s cheaper to have a couple desktops and land lines than to pay for your employees’ plans, it may be best to stick with tradition.
- BYOD wasn’t built in a day. If you’re receiving pressure from your employees to implement a plan, or you’re up against a decision deadline with a vendor, it can be tempting to implement a program and worry about the details later. However, with the various security and employment issues inherent in BYOD policies, it’s important to take the time to really consider the terms and format of your policy. If your size allows for it, consider tasking a team with the creation and management of the program. Having employees help create the policy can avoid potential user complaints down the road. And having someone (or several someones) designated as the go-to for the inevitable questions streamlines operations.
- Set boundaries. Having access to work emails and documents remotely can be very freeing—but it can also set employees up for rapid burnout. Explain to your employees (preferably in the BYOD policy itself) that they are not expected to answer emails at 2am or triple their workload simply because they can work outside of traditional business hours. While having a work/life balance expectation is important for everyone, this is particularly crucial for hourly workers—several companies have gotten in FLSA (Fair Labor Standards Act) hot water by failing to pay hourly workers for time spent on their personal devices. One way to minimize that risk is to have an hours-tracking app on employees’ phones—that way they can easily log any time spent responding to work emails or texts and be properly compensated.
- Back it up. One of the biggest exposures in BYOD practice comes when an employee’s device is lost, stolen, or destroyed. If their work hasn’t been backed up as it would be on a workstation desktop computer, all that data may be lost. Be sure devices are set to automatically sync to the company cloud at regular intervals. For information protection purposes, be sure the device is NOT set to sync to the employee’s personal cloud system. Similarly, it is imperative that your BYOD policy require all employee devices to have password protection to limit exposure, should the device fall into the wrong hands.
- Dance like no one is watching; text like it will be read in court. A huge blind spot for many companies is the possibility that its employees’ devices may be discoverable under certain circumstances. If the employee is using his or her personal device for business purposes (like emails or text messages), the entire device may be discoverable in a lawsuit. On the other hand, if it is the employee who is in litigation and he or she turns over a device for discovery, sensitive company information may be compromised in the process. Worse yet, if your employee were to attempt to wipe a device subject to discovery, the punitive legal consequences may be significant.3 Consider including language in your policy to address these issues.
BYOD policies present employers with an interesting catch 22: monitor too much, then you can be seen as invading employee privacy; be lackluster or inconsistent in policy enforcement and it places the company’s data at a huge risk. Be sure to do your due diligence and take these best practices into consideration when implementing or updating your company’s BYOD policy.
For more information, or to have an attorney draft and/or update your business’s BYOD policy, contact an attorney at Goosmann Law Firm today at (712) 226-4000.