Does your company BYOD?

By Dave DeWitte

Eight years after the business world embraced the phrase “Bring Your Own Device” (BYOD) for policies covering employee usage of company apps and data on their personal smartphones and devices, it’s still a nettlesome topic that some would prefer to avoid.

BYOD’s relevance jumped a notch when Walmart announced its own companywide policy last October. Employees of the world’s largest retailer can now use their smartphones for logging work hours, taking inventory and a variety of other corporate tasks.

“Through the new program, participating associates have the option to download our app suite directly to their own personal devices,” the company said on its Walmart Today blog. “This is another way to access the tools that help our people understand the health of their business, and spend more time on the sales floor serving customers. And the best part? Associates also receive a discount on their monthly phone bills.”

Although some companies in the Corridor have embraced BYOD in a formal way, “it really sends shockwaves when somebody like Walmart goes out and does it,” said Brian Fagan, an attorney who’s advised businesses on such policies as chair of the labor and employment law practice at Simmons Perrine Moyer Bergman PLC in Cedar Rapids.

Mr. Fagan has found a relatively small minority of his business clients tackling the BYOD issue through formal policies, and suspects that many companies are still grappling with the issue. For those who are considering it, he says the choice of providing devices or permitting employees to use their personal devices at work depends entirely on the needs of the company and its workforce.

Pros & cons

The arguments in favor of BYOD policies are rooted in pragmatism. Employees often prefer to work on a phone or other device of their own choosing, and don’t want to carry two phones. BYOD can save employers money on buying and upgrading electronic devices, reduce training time on devices and increase productivity by putting technology in the hands of employees who might not otherwise have it.

In 2016, network equipment company Cisco released a report indicating BYOD saves workers at least 81 minutes per week by using their own devices, and that companies allowing it save an average of $350 per employee annually.

The arguments against BYOD policies are weighted more toward security. An employer may prefer to have control of the phone number an employee uses, such as a sales representative, while their IT department may need to secure data and manage apps across a variety of devices and operating systems.

For some employers, BYOD isn’t worth the headaches.

“We provide our folks with whatever technology they require,” said Kyle Gingrich, vice president of operations at Apache Inc., which manufactures conveyor belts and hose products in Cedar Rapids. “Then we can employ our own IT security measures.”

At ImOn, the Cedar Rapids-based pro­vider of internet and cable TV services, “we are enabled to, as far as email, use our own devices to access our email ac­counts,” said Vice President of Marketing Lisa Rhatigan. “You can take a company phone or use your own personal phone and get some help with the cost.”

Employees who go the personal de­vice route have to get it set up through the company’s IT team to ensure all security protocols are followed.

“It’s just making people productive,” she added. “I like to access my email when I’m on vacation, so I don’t come back to a big pile of them.”

Mr. Fagan said a number of practical factors specific to an employer can sway the decision one way or another. Perhaps the employer has a tech-savvy workforce that is fiercely loyal to the devices they have cho­sen. Or perhaps the company is in a high­ly-regulated industry, such as health care or government contracting, where its employ­ees routinely work with sensitive data.

For those who go the BYOD route, Mr. Fagan believes strongly in the value of cre­ating a formal policy. Going without can invite some scary legal issues, not to men­tion data privacy concerns.

One simple issue is compliance with the overtime provisions of the federal Fair Labor Standards Act (FLSA), Mr. Fagan said. Employees who have their personal phone, laptop or tablet with them much of the time may be more inclined to use work apps during their off hours. The company could therefore be unintention­ally triggering overtime provisions of the FLSA if it allows non-exempt employees – those who qualify for overtime under the law – to work on their apps during off-du­ty hours. A clear statement about when the apps and data can be used can help prevent that and avoid a large overtime payout, Mr. Fagan said.

“It comes down to usage, manage­ment and security,” said Jim Anderson, general manager of IT at Communica­tions Engineering Company (CEC), a Hi­awatha-based systems integrator. “When you’re making that decision, whether you want to do BYOD or supply the asset for the employee, you have to keep those things in mind.”

“On the usage piece, you have to make sure everything you are expecting them to do from an application stand­point is easy to use,” he continued. “Some people like to use [Apple] Macs and some traditional PCs or [Google’s] Android in the mobile realm,” Mr. An­derson said. “You need to have applica­tions that work across those platforms.”

The second piece, Mr. Anderson said, is ease of management.

“You want to make sure it’s easy on your IT department to provide good support.”

Keeping it secure

Aaron Warner is the founder and CEO of cybersecurity firm ProCircular in Coralville. He says BYOD is probably go­ing on at most companies, whether they are aware of it and have a policy or not.

“Anytime you have employees in this day and age, you have BYOD,” Mr. Warner said. “It’s a question of where you draw the line. Do you let them connect to your network or do you set up a network aside just specific to personal devices?”

While employees are able to do more and more on their own devices, the securi­ty threats are only amping up, Mr. Warner cautioned. An ever-expanding number of devices can be controlled by smartphones through the Internet of Things, but many of them were not designed to be on a network and lack essential security safe­guards. SMS or text messaging fraud is in­creasingly employed by hackers as a way to gain access to networks.

Using tools such as data encryption and multi-factor access control can help reduce threats to the network from em­ployees using their own devices, Mr. An­derson said, but threaten the ease of use that is one of the strongest arguments for a BYOD program.

“More open tends to be more problem­atic from a security standpoint,” Mr. An­derson said. “These are the conversations that are interesting to have. You don’t want to kill the end user’s productivity or performance, but a cybersecurity incident can kill productivity pretty bad and it’s more widespread and difficult.”

Mr. Warner and Mr. Anderson recom­mend employers who allow BYOD con­sider a network segmentation approach, in which they cloister highly private and sensitive data on a network or an area of a network that is accessible only to em­ployees who need it, and provide broader access to employees who need a network for less secure needs such as email and logging hours.

Mobile device management (MDM) software is another tool employed by many companies to manage apps and data on employees’ private devices. MDM software may expose many of the employ­ee’s activities on their personal device to their employer’s scrutiny, however, and can even be used to erase data if the device is lost or stolen.

While remote management tools may be needed, Mr. Warner said they have some­times been used badly, such as in cases where an employer deleted everything on an employee’s phone, including personal photos, because it was lost or not returned.

“I’ve been on that phone call [with the affected employee],” Mr. Warner said. “It is not a pleasant conversation.”

The BYOD policy and the way it is com­municated can make a huge difference, according to Mr. Fagan. Employees need to know what part of their personal data could be monitored or erased, and under what circumstances.

“Employers want to clearly state what they’re accessing, what they have rights to, what they can monitor and delete on their device,” he said. “Are they moni­toring GPS, where they are and what they’re doing?”

A BYOD policy, he said, should spell out such things, and be signed by the em­ployee to provide proof of consent.

Technology never stands still, which could make BYOD more of a concern in the future. More employees will likely want to use the convenience and pro­ductivity tools they use at home in their workplace, such as Amazon Echo or Google Home. Market research reports point to rapid growth for the BYOD mar­ket. Security products developed for the BYOD market are forecast to generate $24.6 million in annual sales by 2020, according to a 2014 study by Allied Mar­ket Research.