April 2, 2018

BYOD Myths and Facts

Written by
Danielle Higley

Are you letting these three myths get in the way of creating a company bring-your-own-device policy?

According to a 2017 study by the Ponemon Institute, 1 in 4 businesses is likely to experience a data breach. Considering the average data breach cost businesses $3.62 million in 2017, there’s a lot at stake when it comes to guarding sensitive or confidential information.

While it doesn’t take a smartphone to compromise important documents, giving employees unbridled access to company files via their personal devices (smartphones, tablets, and laptops) is not good practice for keeping data secure. Unfortunately, that’s precisely what happens when companies don’t take a proactive approach and establish their own BYOD (Bring Your Own Device) policies.

Whether you’re holding back because you’re worried employees won’t like it, or you’re opting for avoidance rather than acceptance, here are three BYOD myths it’s best to nip in the bud now for a more secure future.

Myth No. 1: If I don’t create a BYOD policy, my employees won’t use their personal devices for work.

Truth: Employees ​will​ use personal devices; it’s the employer’s responsibility to keep information as secure as possible by establishing a strong BYOD policy.

A recent survey of 811 people found 62 percent have traveled to another state for work in the past 12 months. Out of those, 25 percent say they used their own device when traveling, rather than one supplied by their employer.

But mobile employees aren’t the only ones using personal devices to check company emails or view important documents. A Harvard Business Review survey of 300 companies found half had employees who bring their own devices to work, while only 35 percent had policies allowing
such behavior.

And don’t think disallowing employees from using their own tech is going to keep them from using it. That same HBR study also found that even though the number of companies allowing employees to bring their own devices dropped by 18 percent in 2013-2014, the number of employees who chose to use their own devices anyway continued to grow by 10 percent. In fact, the number of employees using their own personal computers actually doubled from 44 percent to 88 percent.

Steve Durbin, managing director of the Information Security Forum, is an expert in BYOD and helping organizations establish policies to keep company information secure. His recommendation to companies is to always be proactive.

“Employers have to have an eyes-open approach to this,” says Durbin. “We all know if we’re working at home, and we’ve got multiple machines, we’re going to take whatever one’s most convenient and appropriate, so I think we need to cater to that from an employer standpoint and let our employees know what they can or cannot do.”

Durbin recommends companies take these steps when establishing BYOD policies:

  1. Have employees sign acceptable use agreements, outlining how devices will be used.
  2. Teach people how to enable security functionality, download and maintain malware protection software, and set up encryption for data storage on the device.
  3. Encourage employees to store company information in the cloud, where administrators have more control over what can be downloaded or accessed without authentication.

“We feel a higher degree of ownership around our own device,” says Durbin. “Employers need to play that to their advantage and emphasize how you can maintain a clean environment on your device and keep malware off.”

Myth No. 2: Employees don’t like BYOD policies, and asking them to install company-required apps on their devices may prompt them to quit.

Truth: Employees of all generations appreciate the flexibility of being able to work on their own devices, and most people view the opportunity as a perk, not a threat.

Privacy is often the first concern employees have when getting on board with a new BYOD policy, particularly if that policy mandates employees install a security app like AirWatch or Jamf. Often, employees wonder if these apps monitor their regular phone usage, such as personal messages, pictures, or location. (They don’t, though you can enable location tracking if you want to, for security purposes.)

For some employees, getting past this worry of “Big Brother” looking over their shoulder is impossible. When that’s the case, employers should be prepared to present other options, such as issuing a second work-only device or a hardware token.

“As an employer, you need to make sure that if someone really does object, you give them another device,” says Durbin. “Plus, since it’s a company device, your problems tend to go away. You can now determine exactly how that device is used. You can make sure it’s locked down effectively and can monitor it.” Durbin points out that some people are happy to have two devices. “It’s a way for them to maintain clarity,” he says.

As it happens, most people are actually thrilled when their company enacts a policy that allows them to work on their own devices. “In the beginning, we thought BYOD would be a really good attraction mechanism, particularly for millennials,” says Durbin, “but I don’t think that’s the case anymore.”

At this point, he believes BYOD is much more mainstream, meaning workers from other generations, including baby boomers and Generation X, might be equally charmed by BYOD. “There are some potential advantages for people in being able to have their own devices,” Durbin says. “They might like to use, for instance, a Mac or a certain smartphone.”

Once workers realize they can customize their work technology to fit the devices they’re most comfortable with, and possibly even have those devices paid for by their employer, the prospect of installing a security app onto those devices is often no longer an issue. In fact, according to a 2013 IDG Research Studies survey, 78 percent of employees believe having a single mobile device helps them keep their work and personal lives balanced.

Myth No. 3: Teaching BYOD best practices starts and ends with what employees should be doing while at work.

Truth: Companies have a vested interest in teaching their employees how to keep personal information secure. Learning good practices keeps company information better protected while the employee is at home or on the go.

Helping workers protect their information in other environments besides the workplace is one strategy companies often don’t consider. In fact, some might think it’s an encroachment on personal space to give workers tips on how to make their home environments more secure. But if someone — even a complete stranger — offered to give you all the information you needed to keep your personal data free from prying eyes, wouldn’t you be even a little curious?

Many members of Durbin’s Information Security Forum have found success in helping their employees take a more holistic approach to security. “Emphasizing good practice in the home environment has had a significant impact in raising the levels of awareness and security within the corporate environment,” says Durbin.

Much of that has to do with the fact that when employees know how to keep their own information secure, they’re better able to protect company data as well. It’s a win-win. “We all have a vested interest in what we do at home,” says Durbin. At some point, you’re going to be doing things on your device that are really important to you, like accessing mobile banking. You’re personally motivated to keep those things secure. If the employer can help you do that, you’re more inclined to take some of that good practice into the work environment.”

Employers can help employees reduce the chances of a data breach on their own devices by coaching them through a few simple, specific steps. These include lessons on resetting the home router password, being aware of open windows or other viewpoints where unintended persons may see your screen, and identifying potentially dangerous links.

Fact: BYOD is here to stay.

BYOD isn’t a perfect solution for every company. High-security organizations like the FBI or the IRS would be smart to prohibit employees from accessing any work-related information on their own devices. Fortunately, these make up the exceptions, not the rules. And that’s good, considering many employees are using their own devices for work, whether their employer likes it or not.

Don’t put your company at risk for a data breach. Your chances may be 1 in 4, but there’s no reason you should be part of that unlucky 25 percent. Be proactive, not reactive, and get a BYOD policy in place ASAP.

Danielle Higley is a copywriter for TSheets by QuickBooks, a time tracking and scheduling solution. She has a BA in English literature and has spent her career writing and editing marketing materials for small businesses. Last year, she started an editorial consulting company.