BYOD Brings Fear, Uncertainty and Doubt to the Enterprise

You lost your smartphone, which you also used for work. Think that's bad news? It gets worse. You wait a few days to tell IT. These days that can get you fired. So now you're thinking, 'I really wish I read that BYOD policy.' Five years after BYOD first caught fire, IT is still trying to figure out how to handle it.

BYOD, enterprise BYOD, consumerization of IT

Imagine you're working for a big financial services company and you stupidly left your BYOD smartphone on the seat in a commuter train, yet you're not really sure where you've misplaced it. So you search high and low, in your home and car, at restaurants and coffee shops.

In the back of your mind, you know that the company requires you to contact those robotic IT folks within 24 hours of losing your phone so that they can remotely wipe it, but you don't want that to happen. They'll delete precious notes that you need for a client, maybe even personal photos that you forgot to back up. Besides, you haven't searched everywhere yet.

You miss the 24-hour window, and the company promptly fires you.

Fiction? Hardly.

"I was at a CIO roundtable last year where a bunch of CIOs talked about the challenges of moving to BYOD and how they're establishing policies, and a few said that their policies state very clearly, if you lose your device and don't report it within 24 hours, you lose your job," says Bill Versen, director of mobility solutions at Verizon Enterprise Solutions. "A financial services company said they lost three people because of that policy."

The Three Phases of BYOD

It's been five years since the first iPhone lit the fuse on the BYOD fireworks, yet many companies are still in the trial-and-error phase of a BYOD rollout, with a few giant companies going to extremes. Three dramatic, real-world measures have emerged: mandating BYOD, pushing BYOD costs on employees, and tying performance reviews (up to termination) to BYOD user policies.

The BYOD mandate requires all employees to provide their own smartphones and perhaps tablets for both work and personal purposes. It became a hot topic steeped in controversy after a Gartner CIO survey last summer showed mandatory BYOD gaining steam. The survey results led to Gartner predicting that half of employers will require employees to supply their own device for work purposes by 2017.

[ Slideshow: 12 Big BYOD Predictions for 2014 ]

Of course, it's quite a policy that tells an employee to spend hundreds of dollars on a smartphone as a condition of employment. A BYOD mandate opens up a hornet's nest of issues. For instance, if an employee has a poor personal credit rating and can't qualify for a smartphone, should this affect his ability to land or keep a job? Maybe the employee doesn't want a fancy, powerful smartphone, so should she be forced to buy one?

Nevertheless, some companies are mandating BYOD, Versen says. Nearly two years ago, CIO.com reported that VMware was one of the first big companies to go all-in with BYOD in this way, requiring all 6,000 U.S. workers to buy a smartphone. Cisco and Ingram Micro enacted similar policies. (For complete BYOD coverage, check out our BYOD Guide.)

Passing the BYOD Cost (All of It) to Workers

Versen says he has also seen a giant consumer goods company force employees to shoulder the entire cost burden of a BYOD smartphone or tablet. That is, if you want to enjoy the convenience of carrying a single device for work and play, then you have to pay for it. Not just the phone and service but the apps, too. So if you want to make a YouTube training video for work on your BYOD mobile tablet, it'll come out of your pocket.

Hidden costs, such as expense report processing, international roaming charges, and the "zombie phone" -- a mobile device presumed dead yet still being billed by the carrier -- are driving non-reimbursement, no-stipend BYOD policies. The thinking goes, people will pay for their work-related BYOD phones and tablets much like they pay for wireless service in their homes that they use for work.

"A Fortune 100 company told me that they tried the stipend, but it was killing their backend systems, they were overpaying, and it was a breakage of revenue," Versen says. "By instituting this policy, they thought they were going to put their finger in the BYOD dam. Believe it or not, they had a huge uptick in enrollment."

Then there's the BYOD security threat that has some companies taking extreme measures. Especially for highly regulated companies, the threat is real.

In order to ensure employees follow BYOD security policies, companies might want to think about tying those policies to performance reviews.

Early BYOD adopters found that users wouldn't report a lost or stolen phone for weeks, which constituted a huge risk for corporate data loss. So they began enacting strict policies endorsed at the highest levels of a company, and they hit employees where it hurts.

"We think it's a good policy to make sure that security is not just part of an overall HR policy but, especially for some people, it's part of their annual performance evaluation," Paul Luehr, managing director at Stroz Friedberg, a global data risk management company, told CIO.com.

The Causalities of BYOD

The aforementioned large financial services firm told a roomful of CIOs why they fired three people for breaking BYOD policy, which set off a firestorm discussion, Versen says.

Some CIOs said it was a little harsh, but the financial services firm held to its guns. The company explained that it rolled out BYOD selectively to financial advisors and salespeople who know what's at stake, signed a policy stating that they would be given access to customer financial files and records on their mobile devices, and understood that failure to comply with security policies would lead to termination.

After the firings, there was a slight drop in BYOD enrollment, but it soon picked up again.

"In some ways, the [policy] protects the employee," says Versen. "If you leak customer information, especially in the financial services industry, not only can the company get sued but that individual can be wearing an orange jacket as well."

BYOD employees should be thankful that a single company isn't combining all three practices -- at least not yet. It'll be a crazy moment in BYOD history when a company requires you to buy a smartphone as a condition of employment, makes you pay for the phone and monthly service, and then attaches security policies to your phone that, if violated, will get you fired.

"Companies are still trying to refine their BYOD programs, find the right balance," Versen says. "It's not a one-size-fits-all, rather it's different for every company based on their culture, job function and industry."

Tom Kaneshige covers Apple, BYOD and Consumerization of IT for CIO.com. Follow Tom on Twitter @kaneshige. Follow everything from CIO.com on Twitter @CIOonline, Facebook, Google + and LinkedIn. Email Tom at tkaneshige@cio.com

Join the discussion
Be the first to comment on this article. Our Commenting Policies