BYOD: A boon or bane?
Bimal Shah, CEO of Leo Tech Services, can only recall one occasion when employee privacy had been compromised because of that company’s Bring-Your-Own-Device (BYOD) policies.
It was a somewhat bizarre situation, he says.
“The only quirky example I can think of where BYOD has betrayed personal information is when a colleague at another company tweeted about her morning run – and later realised that she was logged into her company’s Twitter account,” he quips.
“Instead of going to her personal followers, the update was unknowingly shared with hundreds of thousands of slightly confused followers.”
While BYOD policies showcased the lighter side of employee privacy in this instance, the issue is no laughing matter.
According to the Ovum Employee Mobility Survey which was conducted in July last year, a whopping 84% of employees rated privacy as a top three concern of BYOD.
That’s important because more and more employers are adopting BYOD policies. In a study by Tech Pro Research, 74% of those polled cited that their company was already utilising or planning to use BYOD.
Do you BYOD?
In the case of Leo Tech, a software development and services company, Shah says the firm has a robust BYOD framework and the firm believes in empowering staff to make their own decisions.
“This can be in terms of their choice of device, whether they’d like to sync office emails to their personal devices, how willing they are to stay in touch out of office hours, and so on,” he explains.
Micromanagement can undermine employee satisfaction and creativity – areas that should not be compromised in any modern organisation, he says.
“For instance, a traditional organisation may equate the quality of an employee with the number of hours worked, and thus prize those that respond to e-mail at three in the morning,” he says.
“However, that’s not the kind of culture we want to promote at Leo Tech. We lay emphasis on outcomes and productivity levels, and thus allow employees free rein in choosing how they prefer to work.”
Shah cites multiple reasons for the organisation establishing a BYOD environment.
Firstly, he says there is a case for convenience. It’s troublesome for employees to carry two devices and to constantly keep an eye on both.
“Additionally, some may find that they can run a meeting better or multi-task more effectively by using personal tablet devices or referring to notes on their mobile phones,” explains Shah.
While certain employees do receive company phones (a pool device for people on call, for example), he says it would be an impractical overhead to shell out on such devices for the entire staff body.
“Apart from racking up unnecessary costs, this may also be an invasion of the employees’ personal freedom – the choice of phone is a personal decision that’s made based on various considerations,” elaborates Shah.
“They may choose a certain model based on how fashionable it is, the operating system, or perhaps the availability of certain features.”
Furthermore, he adds that imposing a device that does not fit staff requirements may simply be a hassle for them.
“We develop mobile applications among other things, and allowing employees to use their own phones thus expands our testing ecosystem (such as models, operating system versions),” says Shah.
“This enables us to test beyond the dozens of rapidly obsolete phones and tablets that we routinely buy for our Quality Assurance department.
For software firm Citrix, BYOD programmes enhance employee satisfaction, improve productivity, and increase workplace flexibility, says Michael Stickler, Group Director HR International, Citrix.
In fact, Stickler says incoming full-time employees are offered enrolment in the BYOD programme during induction itself.
“We also recognise that – in today’s world – employees have an increasing desire to converge work and life and not see them as separate parts of their day,” he says.
“The solutions we provide help employees achieve that objective without carrying multiple mobile devices with them. Offering BYOD helps us achieve new levels of productivity – and at the same time ensures security, compliance and protection of sensitive business information.”
If those reasons aren’t enough to entice employers to start promoting BYOD policies, then Hwa Choo Lim, Head of HR for Southeast Asia at Cisco Systems, may force them to rethink their position.
She says Cisco’s differentiator as an employer is that it gives employees the opportunity to use cutting edge technologies and solutions before they are made public.
Hence, Cisco employees are early adopters of industry transformative solutions through pilot programmes.
“This is a fantastic ownership programme of our technologies. Our feedback is taken into account and incorporated into the solution that goes to market,” Hwa explains.
“We don’t just sell the solutions to our customers; we use them every day, the way we work, learn, live and play.”
Hwa also points to Cisco fostering a culture of trust, hence translating this ethos into a very flexible work environment.
“When we moved to Changi in 2013, 100% of our employees became mobile – from the company president to the engineers – so they can all work from any place and on any device,” she says.
“Given each employee has their own unique work preferences that will optimise productivity, the flexibility allows our employee to be in control and this in return will motivate them to perform better.”
The nuts and bolts of BYOD
According to Stickler, Citrix’s BYOD policies allows access to all of the company’s apps and data on any device while giving its IT department the means to maintain security with uniform policy enforcement and efficient control.
“Employees and contractors enjoy complete freedom to use any personal computer, laptop or mobile device they choose, and to access their mobile workspace easily wherever they work, over any network,” he says.
“In any organisation that has a high degree of mobile workers, this helps us tremendously to improve productivity, accessibility and collaboration among global teams and to create a people-centric work experience, and helps attract and retain world class talent.”
Stickler explains Citrix has developed a BYOD strategy which gives people optimal freedom of choice while helping IT adapt to consumerisation – all while concurrently addressing requirements for security, simplicity and cost reduction.
Its BYOD framework encompasses four basic guidelines: empowering people to choose their own devices to improve productivity; collaboration and mobility; protecting sensitive information from loss and theft while addressing privacy, compliance and risk management mandates; and reducing costs and simplifying management through self-service provisioning and automated management.
“At Citrix we set up a meeting including with the HR and Legal departments to not only introduce the programme, but to have discussions around existing corporate policies,” he says.
“After our meetings, we concluded that all existing policies do apply to BYOD participants. We agreed that just because someone brings their own laptop into the office, doesn’t mean they can violate corporate policy.”
Hwa stresses that designing the right BYOD policies is “critical”.
“At Cisco, our IT drives and designs the policies but will seek HR, Finance, Tax, Legal and Corporate Security inputs and buy-in,” she elaborates.
“Some of the notable BYOD policies formulated for our staff include: a clear Cisco entitlement and eligibility policy; the Cisco Rules of Use which allows the company to remotely wipe a device in case of a breach or loss, and requires an acceptable password and 10 minutes time out.”
Depending on the project and the kind of information being shared, employees at Leo Tech can choose different ways to contribute and stay in touch, explains Shah.
“For example, teams use Skype on their desktops, laptops and mobiles as a more convenient means of sharing progress and discussing topics, as compared to mail,” he says.
“Apps such as Slack that help archive and share information are also becoming an increasingly popular way to keep track of what’s happening in a project.”
The organisation also has a hybrid policy in place for those who work with sensitive information and prefer to use their own device.
In such cases, the company’s IT staff will set up these devices with enhanced security features (such as password locks) and the ability to remotely wipe the data. That way, the device can be rendered unusable should the owner ever lose it.
“Allowing employees to use their own devices enables them to work in ways they deem best, instead of being restricted to pre-set working standards and practices,” adds Shah.
“As such, they are likely to be more satisfied in the workplace, which is a key driving factor behind employee engagement and productivity.”
In addition, Shah says running company applications on employees’ personal devices enables Leo Tech Services to widen the range of devices and operating systems that it is testing on.
“This translates into more in-depth and insightful test results that can be used to better refine the technology,” he adds.
Tackling security and privacy
Nevertheless, for all the clamour of implementing BYOD policies in workplaces, security and privacy issues are serious forces at play.
According to the Tech Pro Research study, security concerns were identified as the chief reason against BYOD by 78% of respondents.
In another report, Fixing the Disconnect Between Employer and Employee for BYOD by Webroot, top concerns from employees regarding company-mandated security apps include employer access to personal data (55%), personal data being wiped by an employer (47%), and employers tracking the location of the device (46%).
Hwa explains that these concerns are partly why BYOD is a voluntary option for all Cisco employees.
“Cisco BYOD policies are clearly stated and available on the IT website, and all employees are required to read and accept these terms before their device is allowed to access Cisco corporate network,” she explains.
From a business perspective, Hwa says all Cisco employees are bound by the organisation’s Code of Conduct (which employees need to recommit to annually) that stipulates the importance of protecting Cisco information and intellectual property.
The department monitors the company’s network on a 24-hour basis.
“When employees sign up for BYOD, they are required to read and accept the terms and conditions,” says Hwa.
“A security package will be pushed to employees’ personal laptops once they are joined to our network and detected by our systems. Security certificates will be installed on personal owned smart devices to identify users and personal identification numbers.”
Communication and employee trust are key aspects of Leo Tech’s corporate culture, says Shah.
“While we do have IT security measures in place, our employees are encouraged to be aware of the potential risks of storing sensitive information on their personal mobile devices,” he explains.
“We enable our employees to better communicate with their colleagues – It’s more about the employee controlling access so as not to intrude on their personal time, rather than them providing us with personal information which might somehow be revealed.”
Shah says employee agreements include guidelines on how they are expected to deal with sensitive material – whether it’s on their phone, in a laptop, or a printout in their bag.
“For employees who routinely deal with sensitive material, we either provide them with a separate corporate device (in which case BYOD does not apply) or install security safeguards on their personal device to protect the information,” he highlights.
“Some examples of such safeguards include encryption, password policies, and the ability to wipe the device remotely.”
The risk of losing sensible data or having software copied onto personal devices is controlled in similar ways to any professional software company, Shah says.
Citrix’s technology allows the company to overcome the employee privacy barrier. The organisation is able to create separate dedicated workspaces that allows employees to keep private and business data separate from each other.
“This also allows us to secure data across a device without reducing privacy for our employees,” Stickler says.
He also acknowledges that many Chief Information Officers (CIOs) worry that further consumerisation of IT will lead to greatly increased business risks.
“While the installation of applications directly on non-corporate devices can increase risk, a BYOD programme based on enterprise mobility management, Windows app and desktop virtualisation and secure file sharing, such as the one we have at Citrix, manages and reduces risk.
“All business information remains secure within the data centre, residing on the endpoint only when absolutely necessary.”
Access to apps and data on mobile devices can be controlled, secured and managed with policies based on device ownership, status or location, he adds.
“Our IT can enrol and manage any device, detect jail-broken devices, and perform a full or selective wipe of a device that is out of compliance, lost, stolen or belongs to a departed employee or contractor,” says Stickler.
Rolling up the sleeves
With employees now exposed to a wide variety of devices, organisations have every right to be wary. Staff can often become distracted amid the deluge of gadgets, resulting in faltering productivity levels.
Hwa says Cisco Systems has strong core values, where employees are expected to do the right thing for the company.
“Moreover, we are a performance-driven company, so everyone is measured for their deliverables agreed with their direct managers,” she says.
Hwa says the company’s workforce is made up of diverse talents from different backgrounds, ranging from Generation X to millennials.
“Each has their own preferred work styles and, given we are now into the social media age, people need to be connected at all times. As long as they meet their deliverables, we don’t stifle them.”
Shah says his company has heard of clients that keep lockers outside the main office where, for security rather than focus reasons, mobile devices must be stored before employees enter the main work area.
“At Leo Tech, we don’t see a need to restrict our employees’ access to the outside world, which is why we provide them with desktops or laptops,” he says.
“These are not unlike their personal devices in terms of the features and myriad of potential distractions available. If we can trust them to work on a machine that also serves as their calendar, music collection, cinema, TV, newspaper, library, and game arcade, then it seems fair to say that the problem doesn’t lie with BYOD if they do get distracted.
“As employers, the onus is on us to hire quality staff – people that can be trusted to manage their own time and attention to deliver what is required of them,” he says.
Stickler concurs with his counterpart, stating that employee distraction is not a concern for Citrix.
“We believe that setting challenging and achieveable goals for the whole organisation helps us to align and focus our teams around the goals we need to achieve,” he adds.
“BYOD is one tool that supports employees to achieve these goals from any place, at any time – taking their personal work styles into account. In our experience this leads to increased productivity and does not cause any distraction.”
BYOD and security fears
Source: Fixing the Disconnect Between Employer and Employee for BYOD (Bring Your Own Device) by Webroot
Reasons for not allowing BYOD
Source: Tech Pro Research conducted in November 2014