Small businesses are concerned with many things, including security, costs, efficiency, technology, legal compliance and more. One area of increasing concern is whether to allow employees to use their own personal devices, such as laptops, phones, iPads, etc., at work. A recent study reported that 74% of businesses are either currently allowing or planning to allow employees to use their own devices. Should you allow your employees to use their own devices for work, and if so, what security, monitoring and other issues do you need to address?
Many employees, including millennials, prefer using their own devices instead of company-issued equipment. While this can help lower your costs and improve morale, it can also bring a great deal of security and other issues with it. Let’s review some bring your own device (BYOD) pros and cons:
Here are some of the benefits to allowing employees to bring their own devices to work.
BYOD Pro No. 1: It can create a more efficient and relaxed environment.
BYOD Pro No. 2: It can help a small business to save money by eliminating the need to provide employees devices and equipment.
BYOD Pro No. 3: It has been known to boost morale and productivity by allowing employees to use devices they are familiar and comfortable with.
BYOD Pro No. 4: It can also provide your business with the latest technology at little or no cost to you because many employees, especially millennials, will upgrade to the newest equipment on the market.
While these pros are significant, there are also several negative qualities that go along with employees using their own devices.
BYOD Con No. 1: Personal equipment can increase your risk of information exposure. Allowing use of personal devices takes away your control over passwords, lock functions, protection of the equipment itself, unauthorized access to company data and more.
BYOD Con No. 2: The issue of protection of the equipment itself can be unclear. Who is responsible if it is stolen or lost?
BYOD Con No. 3: Employees may feel that using company-issued equipment instead of their own increases your access to their personal information such as financial data, personal contacts, photos, etc. They may also worry that you can remove these things from their device and that they will lose all control. This is especially true when an employee is terminated.
BYOD Con No. 4: Employees using their own personal devices may feel more secure using their equipment to hurt your company through social media, texting, etc.
BYOD Con No. 5: If nonexempt employees are asked to use personal devices for work, you may open yourself up to exposure under the federal Fair Labor Standards Act and state overtime and wage payment laws. Since nonexempt workers will have ready access to the technology, they may be put in the position to respond to emails and text messages or to otherwise engage in work activities outside their scheduled work hours.
BYOD Con No. 6: It can be unclear how to handle expense reimbursement. State law may dictate how this is to be handled. Does the employer have to pay for the data plan?
BYOD Con No. 7: It may be necessary to include methods to ensure that any business records stored on an employee’s personal device have been saved long enough to satisfy electronic discovery requests during litigation. Failing to retrieve information stored on a worker’s personal device that should have been produced may lead to consequences for you should you face any litigation.
The Importance of Having a Good Company Policy
Allowing employees to use their own devices for work requires a strong, concise policy addressing all issues. Make sure your policy includes detailed information on how to separate employee work product from personal data. And before implementing a BYOD policy at your business, develop a security plan with your IT department, HR department or consultant, and inside or outside legal counsel that outlines regulations employees must follow.
Here are some tips for what should be addressed in your policy:
Policy Tip No. 1: Include an explanation about how you will educate your employees on the importance of following these regulations, so you can avoid the risk of data being compromised. Have them sign a paper stating they received the policy and will abide by it.
Policy Tip No. 2: Clearly state which devices are allowed and how your company will support them.
Policy Tip No. 3: Mandate specific policies on security, anti-virus software, firewalls, use of unsecured Wi-Fi networks, passwords and access to your company data. Be specific and include punishment for not adhering to the rules.
Policy Tip No. 4: Determine which devices will be permitted and supported and which types of company data people will be able to access from them.
Policy Tip No. 5: Determine who in your business can use personal devices. You may want to decide this based on the job responsibilities and the level of the job.
Policy Tip No. 6: Include guidelines for work hours. Be specific about when they are “on the clock” and when they are “off the clock” when using their own devices.
Policy Tip No. 7: Be clear about your ability to access information on their devices. Make sure to state that company work product and data are owned by the company and cannot be utilized for any other purposes.
Policy Tip No. 8: Be sure your policy addresses sexting, texting while driving, sexual harassment, inappropriate materials or downloads, bullying and other HR and possible liability issues.
Policy Tip No. 9: Establish your right to access, monitor and delete information from employee-owned devices.
Policy Tip No. 10: Determine and communicate whether you will introduce any new forms of monitoring, such as location-based tracking via GPS or other methods. If so, specify when the monitoring will be used by the employer and for what purpose.
Policy Tip No. 11: State how your company will protect an employee’s personal information and identify what that information is and how it will be used and saved.
Policy Tip No. 12: If you plan to delete information upon termination, determine what data will be wiped and give employees notice.
Policy Tip No. 13: Put in place a data protection clause that includes protocols for reporting lost or stolen devices, mandating certain antivirus and protective software, and requiring or strongly encouraging regular backups.
Policy Tip No. 14: Include a policy on lost devices. Define who is responsible and address replacement issues.
Policy Tip No. 15: Include in your policy who is responsible for authorizing work-related software and other downloads.
While this may seem like a lot of work and expense for a small business, it is necessary to protect your business, your work product and possibly head off legal issues in the future.
President, SACS Consulting & Investigative Services, Speaker, Trainer, Corporate Security Expert
Timothy A. Dimoff, CPP, president of SACS Consulting & Investigative Services, Inc., is a speaker, trainer and author and a leading authority in high-risk workplace and human resource security and crime issues. He is a Certified Protection Professional; a certified legal expert in corporate security procedures and training; a member of the Ohio and International Narcotic Associations; the Ohio and National Societies for Human Resource Managers; and the American Society for Industrial Security. He holds a B.S. in Sociology, with an emphasis in criminology, from Denison University. Contact him at info@sacsconsulting.com.