With the proliferation of smartphones and other devices with access to emails and the Internet, many employers are now introducing a Bring Your Own Device (BYOD) to work policy. This policy is concerned with allowing, and in some cases, requiring employees to bring personally-owned mobile devices (laptops, tablets, smart phones and notebooks – together defined as “devices”) to their workplace, and to use those devices to access privileged company information and applications.
Careful thought is needed before BYOD is introduced into any organisation. Some say that it may help employees to be more productive. They also say that letting employees use their own devices increases morale and convenience and makes the organisation look like a flexible and attractive employer. But others say it increases the exposure of an organisation’s network to cyberattacks and the spreading of malware. Allowing the use of personal devices, without first implementing an appropriate policy and technical controls, is courting danger.
By the way, perhaps I should explain that BYOD may also be called Bring Your Own Technology (BYOT), Bring Your Own Phone (BYOP) or Bring Your Own PC (BYOPC). References to POD mean personally-owned device.
Good Practice Guide
Dell publish a good practice guide. It says that an organisation needs to decide which platforms will be supported and how. This includes determining whether to support BlackBerry, iOS, Android, Windows, or Symbian operating systems (or some combination of those). At a minimum, Dell suggest that the organisation must answer the following questions:
- What devices and mobile operating systems can we support?
- What are our security requirements at each level: devices, applications, and data access?
- What risks are we introducing by letting employees access corporate data through their personal devices? What level of tolerance do we have for those risks?
- How can we manage our mobile deployment in a BYOD world without risking sensitive data or intruding on employees’ rights to privacy on devices they own?
On the subject of security, IBM has published a very useful guide called: Security Essentials for CIOs and it can be downloaded free of charge from here.
Recommendation and Notes
It is strongly recommended that employers should take legal and IT advice from experienced professionals before implementing a BYOD policy. As with all work policies, you should obtain legal advice before implementation if you are uncertain about anything. There may be issues of ownership (Computer Misuse Act 1990), which do not normally arise where devices are company-owned.
In any event, developing a company BYOD policy should be carefully thought through before allowing employees to use their own smartphones, tablets or notebooks within an organisation’s network.
Irrespective of the security precautions mentioned elsewhere in the BYOD policy, employees should use their device in an ethical manner and in accordance with the Acceptable Use Policy provisions that are set by the employer.
Employees who prefer to use their personally-owned IT equipment for work purposes must be explicitly authorised to do so, must secure corporate data to the same extent as on corporate IT equipment, and must not introduce unacceptable risks (such as malware) onto the corporate networks by failing to secure their own equipment.
Employers must document the terms of their BYOD policy to address the rights and obligations of both owners of a POD used for the company’s work and the company’s rights and obligations to protect and own its data on these devices.
Employers should have the right to withdraw the privilege of POD usage at work if users do not abide by the policies and procedures outlined in the policy document: the policy is intended to protect the security and integrity of company data and technology infrastructure.
Ideally, employees must agree to the terms and conditions set out in the formal policy in order to be able to connect their devices to the company network.
The BYOD policy should also address the following issues:
- Employees’ Privacy
- List of permitted Devices and Support provided
- Device Security
- Other Security
- Acceptable Business and Personal Use
- Permitted Access
- Forbidden Usage
- Reimbursement policy
- Compliance with the Law
- Software and Data
With this in mind, we are in the process of establishing arrangements with lawyers across the country and already have an arrangement with an IT specialist firm able to give advice on the important considerations involved.
If you are interested in getting involved or have any queries, please email me at firstname.lastname@example.org.
I’ve recently written an outline of a BYOD work policy, which is soon to become part of Bizezia’s Work Manual system (see www.bizezia.com/products/work-manual for details and subscription rates). If you would like to see the draft policy statement, please email me at: email@example.com.
[Updated 19 February 2014]
How did BYOD emerge?
My research shows that BYOD first entered the business world in 2009, courtesy of Intel when it recognised an increasing tendency among its employees to bring their own phones to work and connect them to the corporate network. It started slowly but took off in 2011 when IT services provider Unisys and software vendors VMware and Citrix Systems started to share their perceptions of this emergent trend. My view is that BYOD started for real when smartphones came onto the scene and accelerated when the iPhone was introduced. BlackBerry also had a big influence on the early BYOD movement when large organisations, as well as even smaller ones, required employees to have a BlackBerry.
Also, the awareness of technology among employees has risen exponentially with the advent of smartphones. Perhaps it started out as COPE (corporate-owned personally-enabled) – a business model in which firms provide employees with mobile computing devices and allow them to be used as if they were personally-owned. But BYOD (bring your own device) now leads the field even though companies can usually buy IT products at better prices than employees can.
The research revealed that despite the BYOD (bring your own devices) trend continuing to surge with more than two thirds (71%) of establishments admitting to ‘bringing their own devices’, almost a third (30%) are still without a specific IT strategy in place to manage the process, putting their IT systems at detrimental risk.
The new kid on the block may well be WYODAW (wear your own device at work) – particularly if Google Glass has anything to do with it!
How do accountants go about embracing BYOD for their firms and clients?
A useful source of information for me has been BYOD Enterprise Mobility Policy Guidebook published by Fiberlink, an IBM company at trials.maas360.com. They provide plenty of downloads at www.maas360.com. Their BYOD Policy Guide is particularly helpful and, combined with the draft work policy I have drafted, will form a useful base from which accountants and their clients can roll out a programme to implement BYOD in their own firms and also for clients.
Does the manual also cover the best tax treatments of BYOD?
I have been asked whether the Work Manual covers the best tax treatment for BYOD: it doesn’t – at least at present. I have spoken with Mark Lee (former ICAEW Tax Faculty Chairman and now Consultant Practice Editor of AccountingWeb) and he is looking into what tax information might be made available to accountants who wish to go down (or up) the BYOD road. His initial thought is that unless the employer makes a contribution towards the costs of the device – for example, to pay a monthly contribution to cover work-related use of the personal device – there are probably no tax factors to take into account, at least for the employers.
By the way, I read a good strap line somewhere on the web: “With BYOD smartphones on the rise, IT headaches will become migraines”. I also read that a study by Altodigital has revealed a “potential IT nightmare waiting to happen” as educational institutions fail to properly manage BYOD. This serves to confirm the need to plan and implement a policy before linking up and allowing access to corporate networks from PODs (personally-owned devices).
There may be insurance factors to consider when implementing a BYOD or WYODAW policy – I will research this and blog on it at a later date.
Will Wear Your Own Device At Work be the thing of the future?
[Updated 4 March 2014]
Now an earpiece PC can track behaviour based on facial expressions
I see that a team of Japanese engineers are testing a tiny personal computer that fits into your ear, and is controlled by eye blinks or tongue clicks. The article in PCMag says that “as if talking into an almost hidden Bluetooth earpiece didn’t make you look crazy enough, this 17-gram wireless device gets its cues from wearers through tongue clicks and facial expressions, according to The Japan Times.”
Following in the footsteps of wearable computing hardware like Google Glass, this miniature machine, planned to launch as a consumer device by the end of 2015, includes a microchip and data storage. It can also be connected to another gadget, like an iPod, a tablet, or a smartphone, to navigate apps using facial expressions. Want to open iTunes? Just raise your right eyebrow. Or stick out your tongue to browse the Web, wiggle your nose to send a text message, and clench your teeth to take a photo.
[Updated 17 March 2014]
Public WiFi security risks prompt a BYOD policy poser, says expert
It would be “impractical” for many businesses that operate a ‘bring your own device’ (BYOD) policy to completely ban employees from carrying out work activities over public WiFi networks despite the associated security risks, an expert from Pinsent Masons has said.
The expert, information law specialist Marc Dautlich of Pinsent Masons, the law firm behind Out-Law.com, said, however, that businesses can take steps to mitigate the risks of mobile working over public WiFi connections. He said that businesses have to decide whether to accept the risks and which approach to addressing them best meets their needs.
Dautlich was commenting after Europol, the EU’s law enforcement agency, warned about the methods criminals are using to access information sent over public WiFi networks. Troels Oerting, assistant director of Europol and head of the European Cybercrime Centre (EC3), told the BBC that mobile internet users should not send sensitive information over public WiFi networks.
You can read what Marc Dautlich said, here.