The BYOC model is here to stay, in different scales at different companies. If you are in denial, just look at...
that iPad on your buddy's desk. It's time to consider the implications of this model and do what's necessary to protect your company from legal issues.
Consumers can buy a myriad of devices that offer a lot of computing power for relatively low cost, with way more power and a much richer user experience than what the company IT department provides for them. So, it's only natural for your employees to want to use their own devices for work. In fact, Bring Your Own Computer (BYOC) should be called "BYOD" -- Bring Your Own Device.
It used to be that IT would simply refuse to integrate employee-owned devices with the company systems. Until the day a VP or CEO emailed some IT guy telling him to make his "thing" work with their systems. The answer was different and BYOD was born.
I am not here to discuss if you agree with BYOD or if you should embrace it. The fact is you already did it. If you think I am wrong, let me tell you something: YOU are wrong. Your users bring their iPhones, iPads and shiny MacBooks to work and thanks to your VP/CEO, you have to deal with it.
After talking to several companies that decided to give the BYOD model a try, I presented two sessions (one at BriForum Europe 2011 in London and another session at BriForum 2011 in Chicago) on this topic. Here are some of the top concerns and some solutions for supporting BYOD discussed at those sessions.
BYOD considerations and implementation
First of all, there is no silver bullet or magic recipe for implementing BYOD. What works for company A may not work for company B, and different sectors have different regulations. But there are several things all types of companies have in common surrounding BYOD. Let's take a look at some common concerns and solutions:
Security: How do we make sure the connecting device is "secure?" That is the biggest issue for IT. Another big problem is how to prevent employees from storing confidential corporate data on their devices.
Technologies such as server-based computing (SBC) or virtual desktop infrastructure (VDI) can help because data lives in the data center. Those technologies may not work for everyone, but neither does BYOD.
Support: Another dilemma relates to how to handle broken devices. If an employee-owned device breaks, the user could be left with nothing for hours, days or weeks. In some cases, companies buy some spare devices to loan to users while their own devices are being serviced. Companies can also mandate that employees purchase very tight support/warranty agreements for devices they use (i.e. next day guaranteed replacement) to reduce the time they wait for repairs.
Implementation: What's the best way to implement BYOD? Some companies give a stipend to their users and let them buy anything they want. Others leverage their buying power with certain vendors and let the users choose from a list of approved devices. Some also come up with agreements clearly stating how much the users are supposed to pay back if they leave the company shortly after getting their new device.
Legal issues: Companies in the U.S. tend to downplay the legal implications of BYOD. European corporations seem way more aware of the potential issues and based on that, if they implement BYOD, they also put a new employment contract and/or use policy in place.
I've investigated the legal issues surrounding BYOD and thanks to Louise Taylor from Taylor Wessing in London, some very interesting issues were identified.
One example of a typical legal issue raised by a major wireless carrier in North America is, what happens in court if the data required to prove fraud is stored on a user-owned device. Will the legal system favor the device owner or the company if a device has to be retrieved? With not many cases or precedents so far, these questions are indeed a valid concern.
But these legal concerns aren't BYOD show stoppers. It is something that can be addressed by your legal department before the device is actually bought in by the user.
It is also a good idea to update your employee contract and device usage policies to mitigate the risks employee owned devices pose.
Licensing: What about the software running on employee-owned devices? If the End User License Agreement (EULA) clearly states it is not to be used for commercial purposes unless a license is acquired (typical case for many shareware/freeware applications), who becomes liable: the user or the corporation? What if his manager told him to download free software to do his work? How does a company guarantee all the software in use does not violate their own EULAs?
Clearly, BYOD becomes very complicated once we start digging into the legal implications and licensing.
From BYOD discussions with all sides -- from users to lawyers -- here are the takeaways:
- BYOD involves everyone: from IT to Finance, to Legal, to the users. This is not a one department effort -- it is a company effort.
- BYOD is not for everyone. Depending on regulations in your particular sector, your company's own culture and many other things, BYOD may not be for you.
- Most, if not all, concerns can be addressed from both technical and legal standpoints.
- As with any other solution, there are benefits and potential drawbacks. Do not expect BYOD to be the resolution to all your problems. It is not.
ABOUT THE AUTHOR:
Cláudio Rodriguesis a consultant and CEO of WTSLabs Inc. based in Ottawa, Canada. He has been deploying server-based computing solutions since the Citrix WinView days and was the first person to ever receive the Microsoft MVP award for Terminal Services. He was the CEO of Terminal-Services.NET, the company that developed tools such as WTSGateway Pro and WTSPortal. Rodrigues is also a frequent BriForum presenter and has helped clients around the world implement server-based computing technologies.
Dig Deeper on Application modernization and mobile app delivery
Friday Notebook, October 11: Okta Showcase; HP and Chrome Enterprise; macOS Catalina is out
Don't let BYOD legal issues sink your BYOD initiative
It seems like BYOC (computer) is dead these days, with everyone focusing on devices. Is that right?
BYOPC: Network security best practices for employee-owned computers