Companies often assume that allowing or requiring employees to "BYOD" (bring their own devices to work) offers convenience on both sides and cuts costs on equipment and hardware. After all, they've taken some measures to protect the company network... right? Let's look at a scenario we come across often, and then discuss some key takeaways and best practices on this topic:
Ben was just hired as the new Creative Director at ABC Company. He is warmly welcomed on his first day, taken to his new creative workspace and handed his work equipment, including a shiny, brand-new Windows laptop. Over the next few days, Ben tells his supervisor that he prefers Mac products for their performance and features, and because he feels he can design "more creative" work on them. Ben also offers a solution: he recently purchased a brand-new MacBook Pro and is happy to bring it to work instead of the company laptop. His supervisor agrees and has IT set up remote desktop access over the company VPN so he can reach company files.
Life is peachy and Ben continues his work at ABC Company for several years, until one day he accepts a new opportunity with DEF Company. He parts ways with ABC Company on good terms, and their IT department disables his VPN access and his other business accounts.
What ABC Company doesn't realize is that, over the past several years, Ben had been downloading and saving company documents to his personal cloud storage. Initially it was done out of convenience, so he could work without logging in to the VPN every time he needed something; he then simply forgot to delete the files. As he starts his new role at DEF Company, he decides to keep these files for "reference" in his new position... after all, it was HIS work AND HIS computer, right???
Although in this particular case there was no malicious intent to steal company data, the end result is the same: an ex-employee has ongoing, unauthorized access to company files. Note that disabling Ben's VPN and business accounts did nothing about the copies already sitting in storage the company never controlled. We strongly discourage businesses from allowing, intentionally or unintentionally, the use of personal computer equipment for work purposes. Here are some key reasons why:
- SECURITY: Unless it is specifically written into the employment agreement (and even then there are grey areas), an employer is unable to monitor or "control" the security or use of a personal computer. That means no assurance of patching, disk encryption, endpoint protection or configuration, and therefore a potential weak point in your company's network security. Beyond the activity performed on the device itself, other security-related concerns include:
- Lost or stolen devices
- The use of the device by friends and family
- Screen locking to prevent unauthorized access during work hours, which is frequently neglected in remote settings
- MONITORING & ACCESS: Businesses have very limited rights and ability to monitor or access communication conducted through a personal device. Although the company "owns and controls" the data, its authority over the management and exchange of that data on a device it does not own falls into a grey area.
BYOD Best Practices:
If BYOD is still the route your business chooses to take, here are some best practices to keep in mind:
- Decide which employees should be permitted to participate in a BYOD program. Businesses often exclude senior executives, whose data is more likely to be relevant in litigation, and sales staff, who may store client information on their devices.
- Create a clear BYOD policy and set clear expectations to include authorizing the company access to the device for record retention, litigation or investigations.
- Obtain written consent to monitor the device, remotely wipe it, install security software and copy data if necessary. Without that consent in advance, the company may have no lawful way to recover or erase its data when the employee leaves.
- Create a policy barring friends or family from using the device.
- Create a policy limiting the use of personal cloud-based storage for company files, since this is exactly how data walks out the door in the scenario above.
- Address safety issues, including prohibition of using the device while driving, etc.
- Finally, ensure that your policy includes consequences for non-compliance.
As always, if you have any questions, remember that your Paradigm team is just an email, call or text away:
firstname.lastname@example.org OR 321-248-3954