Regulators overseas are warning companies to improve their control of personal devices used for work purposes. In the United Kingdom, for example, the Information Commissioner’s Office yesterday warned companies to get shipshape, with new guidelines regarding data security and training.
A recent survey by ZDNet shows that just one in three people receives any training about securing data on their personal devices, yet 47% say they use personal devices for work purposes.
The problem is the same in Australia’s mid-sized and large companies, and it often starts at board level: company directors request their board papers be sent to their tablet device, or smartphone, and the IT department obliges, says Stephen Coates, a partner in the Technology, Media and Telecommunications practice of accounting firm, BDO.
Pretty soon executives are requesting similar privileges from the chief information officer (CIO) and, before a policy can be set, everyone is bringing in personal devices (BYOD) even though there are no clear protocols regarding security, or legal and human resources issues.
“With advances in mobile technology, employees often have more capable and user-friendly equipment at home than what is supplied in the office,” Coates tells LeadingCompany. “Connecting these devices into an organisation’s network can offer some productivity benefits, but it’s not just a matter of ensuring the technology is compatible.”
Make the call
As soon as the problem is identified, CIOs need to raise the issue for the executive to make a call – is this company going to support BYOD, or not? – Coates says.
“First of all, the executive needs to decide: yes, this is what we want to do. It starts with who is going to be connected – executives, employees, customers – and why. Then start working out what the stakeholders want.”
A BYOD policy is not an IT policy, Coates explains. “It is not just an IT policy that says please don’t surf inappropriate websites. It has to cover off human resources issues, legal issues, website monitoring, purchasing … will all the devices be bought by the organisation and then the employee, or will everyone buy their own random device?”
A broader policy
The policy will also cover how much personal data use is allowed on company equipment or how corporate use on personal devices is remunerated. It may also have restrictions, such as no playing games on devices.
However, there are complexities. For example, most IT policies allow the company to occasionally monitor their employees. Can a policy deal with this in terms of privacy issues? Are there times when staff access to wifi is restricted or throttled back, such as outside work hours? Is training and education about the use of personal devices and IT policy more generally provided to new and existing staff?
There are technical issues – a proliferation of operating systems can cause headaches with conflicts. And technical support staff may struggle to know where to draw the line on personal versus corporate help.
The widespread use of laptops means CIOs are conversant with security on mobile devices, Coates says, but BYOD policies do have to tackle some additional complexities.
Education can overcome the simplest of security leaks, such as the risk of over-the-shoulder access to confidential corporate emails read on public transport or other public places.
The risk of losing mobiles (and tablets) with personal information is somewhat greater than laptops – they tend to be carried around more often, even in social situations.
This presents a problem. CIOs typically wipe the data from lost laptops, but this is more complicated on personal devices – does the company have the right to wipe personal data, such as photos, or personal phone contacts, especially if the device is subsequently recovered? “If you lose your device, we will wipe it,” says Coates. “But it gets tricky if it is 11pm and your car has broken down and you want to make a call but all your contacts have been wiped.”
Getting past responsive policy
CIOs are starting to set expectations regarding the use of personal devices, Coates says. In leading companies, CIOs are moving past responsive policies and actively engaging with BYOD, for example by devising mobile timesheet apps for services professionals such as accountants and lawyers.
He says: “A lot of organisations are thinking about how to make it easier for employees, creating real benefit from personal devices and building that into the business case.”