The modern workplace has already been redefined by the use of companies' IT resources from outside the office. For a few years now, there has been a growing trend for employees to use their own smartphones, tablets and computers, including the apps they have installed on them (often web-based software applications). German companies have seen a huge increase in Bring-Your-Own-Device ("BYOD"), and what follows is an outline of the steps companies using BYOD should take into account.
While there are many reasons for companies to allow the use of privately owned mobile devices including employee satisfaction and minimisation of hardware costs, employers have to take into account various aspects of integrating this type of hardware into the networks of their company. Some relate to privacy and technical measures, others touch on licensing issues.
As the boundaries of company networks fade, the challenges of data integrity, data security and data protection grow. To tackle these challenges, companies should:
- implement guidelines with regard to the selection of new devices;
- adapt security controls in line with their security standards;
- deal with aspects of theft or loss of mobile devices; and
- cover aspects like the termination of employment relationships and the consequent transfers of company data hosted on a personal device.
Some of these issues should be familiar to most employers and should already be covered in an applicable IT guideline regarding the use of company laptops and notebooks. Nevertheless, there are some significant technical differences when taking into account employee owned mobile devices.
Analysis of use
As a starting point, each company should analyse which kinds of users and which kinds of privately owned devices may be used from a specific company location. This analysis should lead to a case-specific BYOD security policy that takes into account details such as the device infrastructure and the applications or services used. With regard to the choice of devices and the support offered for them, the contents of the BYOD policy should be informed by the following considerations:
- Can a certain device be encrypted?
- Can personal data be separated from company data?
- Has the user rooted or jailbroken the device?
- Is the employee willing to integrate his privately owned mobile device into the company's mobile device management, bearing in mind that in case of loss all data on the device would be deleted, whether work-related or personal?
- Is the employee willing to accept the monitoring of the device to some degree?
Align mobile device strategy
An employer should build BYOD into his mobile device management (MDM) strategy. A first step is to classify the privately owned devices that employees use and integrate into the company network (also known as profiling). This means categorising devices so that they can be identified when they access the company network. In addition, access to the company network has to be managed securely. This can be done with digital certificates, which authenticate a device automatically on entering the company network. Technical solutions include the Simple Certificate Enrolment Protocol (SCEP), token-based or smartcard-based solutions, and virtual private network access.
Securing confidential information and other company data should involve a technical solution whereby data flows are not accessible to third parties and critical data cannot be read from the employee's private backups.
With regard to BYOD, the MDM strategy must also be flexible. Onboarding, i.e. integrating a range of different devices such as notebooks, netbooks, smartphones, tablets and e-readers, must be easy and practicable and should require little if any involvement of the IT department. On the other hand, it is of the utmost importance that the loss or theft of a mobile device is handled by a defined procedure: notifying the IT department and, at the same time, blocking the device's access to the company network, deleting the data stored locally on it and locating it.
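The certificate-based network admission and the block-on-loss procedure described above, shown as an added Go example (not code from the original article): a constructed in-memory company CA enrols a device by issuing it a client-authentication certificate, and the network gate admits a device only if its certificate chains to the company CA, carries the client-authentication usage and has not been reported lost or stolen. The CA name, device identifier and serial numbers are constructed values; a real deployment would issue certificates through an enrolment service such as SCEP and distribute the block list as a revocation mechanism rather than an in-memory map.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// companyCA is an in-memory issuing CA standing in for the company's
// enrolment service (constructed for this example).
type companyCA struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// newCompanyCA creates a short-lived self-signed CA certificate.
func newCompanyCA(name string) (*companyCA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &companyCA{cert: cert, key: key}, nil
}

// enrolDevice issues a client-authentication certificate to one device.
// The serial doubles as the enrolment ID used to block the device later.
func (ca *companyCA) enrolDevice(deviceID string, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // device key; stays on the device
	if err != nil {
		return nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: deviceID},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.cert, &key.PublicKey, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// accessGate is the network entry point: it trusts only the company CA and
// keeps the serials of devices reported lost or stolen (a deny list, so a
// colliding serial from a foreign CA can only cause an extra refusal).
type accessGate struct {
	roots   *x509.CertPool
	blocked map[string]bool
}

func newAccessGate(caCert *x509.Certificate) *accessGate {
	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &accessGate{roots: pool, blocked: map[string]bool{}}
}

// reportLost is the "notify IT" step: from now on the device is refused.
func (g *accessGate) reportLost(cert *x509.Certificate) {
	g.blocked[cert.SerialNumber.String()] = true
}

// admit returns nil only if the certificate is not blocked, chains to the
// company CA and is valid for client authentication.
func (g *accessGate) admit(cert *x509.Certificate) error {
	if g.blocked[cert.SerialNumber.String()] {
		return fmt.Errorf("device %q reported lost or stolen: access blocked", cert.Subject.CommonName)
	}
	_, err := cert.Verify(x509.VerifyOptions{
		Roots:     g.roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	return err
}

func main() {
	ca, _ := newCompanyCA("Example Corp BYOD CA") // constructed name
	gate := newAccessGate(ca.cert)
	phone, _ := ca.enrolDevice("phone-0042", 1001) // constructed device ID and serial
	fmt.Println("enrolled device admitted, error:", gate.admit(phone))
	gate.reportLost(phone)
	fmt.Println("after loss report, error:", gate.admit(phone))
}
```

The gate refuses two distinct things for two distinct reasons: a certificate from any CA other than the company's fails the chain check in `Verify`, while a certificate the company itself issued is refused once the device has been reported lost. Keeping both checks at the network boundary is what lets "block access" happen immediately on the loss report, independently of whether the remote wipe of the device ever succeeds.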
Compliance with licence terms
Another aspect an IT guideline dealing with BYOD should address is the licensing of third-party software. Using the company's IT from privately owned devices, for example connecting to the company's server and/or reproducing software programs on the employee's device, could infringe the licence agreements between the company and the copyright holders. Not only the individual who uses the program without being entitled to do so, but also the company and its corporate bodies can be held liable for such copyright infringement. BYOD may therefore require amendments to existing agreements, or measures that prevent employees from accessing defined software programs from privately owned devices. In any event, an IT guideline should set out which programs may be used on privately owned devices.
Conversely, employees risk infringing copyright when they use software licensed to them personally (e.g. apps they downloaded earlier) for work purposes, as granting a sublicence to a company often requires the licensor's consent. In addition, the use of databases is often permitted for private purposes only.
Don’t start without a plan
In conclusion, BYOD requires an appropriate policy and, potentially, amendments to a company's IT guidelines. Particular attention must be given to security, the separation of private and company data, and licensing issues.