Most businesses have heard of BYOD by now. That’s “bring your own device,” and it refers to the fast-growing trend of employees bringing personally owned smartphones, tablets, and other devices into the workplace. Along with the BYOD trend we’re now seeing BYOA, which stands for “bring your own app.” Employees who use mobile, cloud-based apps in their personal life are turning to these for business use.
The biggest advantage: productivity. The biggest concern: security.
Can You Avoid It?
Unless you have extremely rigid security policies in place, or a very tech-phobic team, your employees are almost certainly using their own devices and apps already. If you aren’t sure, ask them. Find out what phones and tablets they use, what applications they like, and what they use for work.
Most people start by accessing company email on their personal devices, or adding it to their Gmail account. As for apps, the most common examples include Evernote for note-taking and record keeping; Dropbox for file sharing; Skype for chat, phone, and video calls; Google Docs for email, document editing, and storage; and many more.
Since people are so accustomed to these apps, it’s easy to start using them for business. Maybe there’s a document they want to work on from home (Dropbox/Google Docs), or they need to connect to a co-worker while travelling (Skype), or they want to keep detailed notes in meetings (Evernote). Most people wouldn’t think twice about using apps like these to get their work done, especially if it’s easier than using whatever tools are provided by your company.
How Do You Manage It?
You can take one of three approaches: block it, ignore it, or embrace and guide it. Given the productivity benefits for employees, it doesn’t make sense to block it. If you ignore it, you are taking a huge gamble on security. That leaves one answer: embrace this trend, and guide it so that you still gain all the benefits while managing business risk.
For email, decide whether it is acceptable for staff to access it on personal devices. This isn’t as simple as it sounds. For example, hourly employees who read company email after hours should get paid for that time, so HR needs to be closely involved in these discussions. You also need to decide how to handle email security in the event of a termination. The best practice is to create a BYOD policy that gives the employer the “right to wipe” if an employee is terminated, to protect the security of company information. That means you can remotely delete all the data from their personal devices. If you go this route, you need to decide what tools you will use to enforce this policy.
If you find people are regularly using file-sharing services, that’s an indication that remote access to company files is inconvenient to use. Either improve remote access capabilities, or consider moving your company file storage to one of these services. Nearly all the major file-sharing services have affordable business editions. The business versions have improved security and management features over the consumer versions, so you’ll have better control over company data.
Is Skype popular in your company? That means it’s time to explore video conferencing. Skype has a premium version, or you can check out other tools like Gotomeeting.com. Video calls are more productive than conference calls, because if someone gets distracted you can see they are doing other things. They can’t simply put you on mute.
Tools that help employees manage to-do lists and note-taking tend to be based on individual preferences, so these are not areas where it makes sense to dictate company policies around which apps are acceptable. Just be sure your staff is saving company information in the appropriate places for record-keeping, and that they don’t keep valuable data that you need on personal devices that you can’t control or secure.
How Do You Keep Your Company Secure?
There are many aspects of security that you need to consider. First, there is the risk of viruses and malware from employees downloading files from uncontrolled locations. Many companies with strong security measures in place have been undone by an employee innocently checking their personal webmail at work and clicking on an infected email attachment. That virus can easily slip onto the servers and wreak havoc. Unless you are monitoring network traffic very carefully, you have no way to know what files employees may introduce to your network and whether they are virus-free.
Make sure any device with company data on it is encrypted and locked, so that your data is protected if an employee loses that device. This holds true for company-provided devices as well. Some devices can be tracked using GPS, and you can install tracking tools or require employees to use them. If devices are being retired, including employees’ home PCs, make sure data is destroyed and is unrecoverable. Consider offering a company electronics recycling program so that you can ensure data destruction takes place.
If you are subject to regulatory compliance requirements, security is an especially serious concern. Data that is properly secured inside your network can be taken outside your network on a mobile device or cloud-based app, and that can put you at risk for regulatory issues. Review your data to determine what’s at risk and how to protect it.
There are a variety of technology tools that can help protect you, and these are crucial to a strong security policy. These include everything from antivirus to web filters to tracking tools. However, the best way to manage security is by setting clear policies that are communicated and reinforced regularly. Provide security-awareness training to your team to help them better understand how to avoid issues and protect their (and your) information. Provide guidance on what apps are acceptable and how they can be used. Explain what data is protected by regulatory requirements. Make it clear that data security is a priority for the company, and help them understand the role they play.