BYOD 101: Creating a BYOD policy for users

Bring your own device (BYOD) is already a reality. Ninety five per cent of the 600 IT and business leaders in the US surveyed for the latest Cisco IBSG Horizons Study indicated their organisations permitted employee-owned devices in the workplace.

The study found that 84 per cent of the organisations surveyed also provided support for employee-owned devices. And while the first reaction of some CIOs to the growth of BYOD might be to reach for the aspirin after a sleepless night haunted by dreams of data loss, the survey found that the overwhelming majority of IT managers considered BYOD to be somewhat or extremely positive for the business.

In some ways it's not a new challenge. Organisations have had to grapple for quite some time with employees wanting to use their own notebooks in the workplace. What's new, however, is the growth in devices equipped with cellular modems for anywhere access, the increased power of smartphones #8212; both in terms of hardware capabilities and in terms of potential as a productivity tool #8212; and the creation of a growing market for tablet devices since the release of Apple's iPad.

HP unveils Ethernet-powered thin client

Open Source Spotlight - Yabi: Bringing drag-and-drop to supercomputers

Open Source Spotlight - iSpy Connect

Open source case study: SugarCRM at Footprints Recruiting

"Over the past few years the proliferation of different devices has really taken off," says Telstye senior analyst Rodney Gedda. "There has been exponential growth in the power, the software and mobile networks. Apple changed the perception of what people expected from a mobile device and then android came onto the scene. You have a number of vendors that are pushing the limit of what's possible in a mobile phone #8212; you've got quad core processors, you've got large screens #8212; these are the sorts of forces that [exist] whether companies decide to let their staff bring their own devices to work or not."

Even in the case of a fleet of company-provided device, you're not going to stop people bringing their second device in their other pocket, says Gedda.

The rise of BYOD can reveal a gap in some companies' policies. Many companies already equip their employees with mobile devices, such as notebooks, tablets or phones. These devices will almost always be government by a usage policy that an employee will sign off on, with the threat of disciplinary action for misusing the device. However, it's not possible to just strike out "company-provided device" in the agreement in order to tailor it to employee-owned devices.

People love their smartphones and tablets; not just as phones and email devices, but for entertainment, personal organisation, photography and social networking. An approach that just treats a BYO device as another company device, just one purchased by an employee, won't work.

A BYOD policy for users needs to cover many of the areas covered by 'traditional' mobile device user agreements, but needs to take into account users' interests as well.

Making it readable

Acceptable use policies for IT, including for mobile devices, can tend to end up taking up hefty stack of paper. An employee will no doubt sign it, but in many cases they're unlikely to read it. A page that sets out clearly in summary form what a user's responsibilities are, as well as what rights an organisation is giving them, is much more likely to be read. Denis O’Shea, CEO of mobile device management company Mobile Mentor, says that the best approach is to have a system where an employee initials each point of the summary or marks a checkbox.

"Behind that you might have 18 pages of definitions and explanations and all that, but it's got to be light enough that your average employee will actually look at this and say 'Oh yeah, I get it. No worries,'" he says.

Page Break

A balancing act

The personal nature of the 'D' in BYOD means that employers need to strike a balance between their interests and those of employees. BYOD can be a way of building employee engagement, as well as boosting productivity #8212; people will be more productive on the device they're most used to working with. It's also a way of acknowledging reality: You can give employees a company-sanctioned device, but it doesn't mean they will stop using their personal tablet or smartphone, including for company business.

O’Shea says that a BYOD agreement should be a balancing act between employees and the employer: "Between what the company wants and what the employee wants". Mobile Mentor advocates a "meet us half way" policy for organisations.

The concern of most organisations with BYOD is data security. But on the flipside, just because your organisation provides its own smartphones to employees, it doesn't mean data is safe. "Just because a company goes out and buys a fleet of BlackBerries or whatever, it doesn’t mean people aren't going to lose them. It doesn't mean people aren't going to leak data somehow," Gedda says.

O’Shea says that security is an obvious concern, but what is often overlooked with BYOD is an employee's right to privacy. What people don't talk about enough when it comes to BYOD in his view is "giving the employee some assurances that the company cannot sniff the traffic going through their device, can't read their text messages, can't eavesdrop on their calls, can't read their email, and that the company is not taking a backup of the user's data, of iTunes and all that…

"We might do an enterprise wipe [if the device is lost] and remove all the stuff that relates to the company but we won't touch your photos and your iTunes and personal things."

Spend management

Spend management is another area that's often overlooked, O'Shea says. When BYOD is embraced, voice calls, messages and megabytes of data can increase. "People feel empowered and entitled to use their device for whatever, whenever," he says. "One of the key things for the policy to define is a set of rules of engagement that says certain categories of use we will consider to be legitimate business use and the company will pay for.

"Other categories of use we consider to be personal usage and the employee will some contribution back to the employee for the use of a company SIM card and connection on their device. That can be some kind of payroll deduction or we salary sacrifice. It might only be $10 or $15 but it gets the employee making some fair contribution for personal usage."

In addition, this can help indemnify the employer from any potential fringe benefit tax issues. "If the company gives you unlimited use of a fuel card or a company car, there's a fringe benefit implication. The advice we've had is if you give someone unlimited use of a company mobile connection you could potentially come into the same issues."

Formulating a policy

A BYOD policy doesn't just have implications for IT, but for HR, finance and legal. "It really forces the organisation to bring IT, finance, HR and sometimes legal together to get this right," O'Shea says. "And of course the user has to be represented in there as well."

The best method he's found is multiple cross-division workshops from stakeholders that focus around the outcome an organisation is looking for with a BYOD scheme. Is it aimed at employee engagement? Improving productivity? "Get clear about why we're doing this and then make sure that's worked into the policy and that the policy is reasonable and that the users are in the process as well, so that their interests around personal privacy and using the device outside office hours are all taken into account."

Act now

The shift to BYOD has often been a case of users leading and IT catching up. A balanced BYOD policy is vital to making sure that questions of privacy, security and cost are addressed in a manner that is acceptable to both employer and employee.

Rohan Pearce is the editor of Techworld Australia. Contact him at rohan_pearce at idg.com.au.

Follow Rohan on Twitter: @rohan_p

Follow Techworld Australia on Twitter: @techworld_au

Copyright © 2012 IDG Communications, Inc.

7 secrets of successful remote IT teams