By Jason Moody
As bring your own device (BYOD) takes root in enterprises, the line separating personal and corporate data has blurred. For employees, it usually seems simple: work email and files belong to the company. Personal email and family photos belong to the employee, and the company should have no access rights. But employers, focused on risk, are struggling to set proper policies, parameters and expectations.
Depending on the industry, size, locations and other risk factors, companies take dramatically different approaches toward BYOD policies. A company with a dozen employees in one location may have no issues with employees using their inexpensive personal tablets to receive corporate email. At the other extreme, a company with thousands of employees and offices around the world may require access to any personal device used for work for the purpose of wiping the device clean in the event it’s lost or the employee leaves the company.
What’s the right balance between a company’s need to protect data and an employee’s right to privacy? Left unanswered, this question presents a significant risk to employees (e.g., privacy, job security) and employers (e.g., regulatory fines, loss of IP and reputation). And even when the questions are answered, if the governing policies aren’t effective and enforceable, risks remain.
To answer these questions and create enforceable BYOD policies, bring all the relevant stakeholders together to make sure everyone understands the issues and agrees on an outcome. HR, legal, IT and end-user representatives must be involved, and the focus should be on educating each group about the concerns of the others and the consequences of getting it wrong. It’s imperative that IT bring to the table a deep understanding of new technology options that will enable employees to use their personal devices while protecting both user privacy and corporate data.
Most important for stakeholders is recognizing that if they agree on a policy, and if the reasons for the policy are clearly explained to all employees, then most users will accept the policy and not try to find unsanctioned workarounds that may compromise the company. The need for education, specifically education that employees are required to pay attention to, cannot be overstated. Failing to explain why employees cannot use their personal devices leads to the rise of “shadow IT.” Everyone must understand in very clear terms the potential dangers.
As BYOD and other emerging technologies bombard an often shell-shocked IT department, companies will continue to face new ethical dilemmas. But by getting all stakeholders to agree on appropriate policies, companies can resolve the ethical questions around BYOD. The result is a technology framework that enables employees to use their personal devices for work, keeps personal information separate and safe, and allows IT to control and protect sensitive data.