The lockdown caused by COVID-19 has brought about a significant shift in the way companies are utilising their workforce and for many, the possibility of working from home may become more permanent as things ease.
Making greater use of IT is smart thinking. The forced lockdown will have resulted in two different scenarios, with both having important IT security implications, potentially requiring a change in the business’ IT policy.
For those workers being provided with laptops and mobile phones, these devices will already fall under the business’ IT structure. However, the business is still using broadband supplied by the member of staff. A decision therefore needs to be made whether there is an allowance for this and most importantly, is there a requirement for additional protection for their devices, especially if data was only accessed whilst at work?
What about those workers using their own devices?
This is known as BYOD – Bring Your Own Device although there are other terms such as:
- BYOT (Bring Your Own Technology)
- BYOP (Bring Your Own Phone)
- BYOPC (Bring Your Own PC)
With the massive surge in “consumerisation of IT” fuelled by the increase in sales of smartphones, tablets, and laptops, there has been a shift towards IT self-sufficiency among employees, who see their devices as superior to those offered by their company.
These newer, “superior” devices are seen as the future, and who can blame an employee from wishing to use their smartphone over an old-style, “app-less” phone, or the latest super-fast tablet or laptop over an ageing, slower, Windows-based desktop PC? It’s embarrassing to be given a relic of a phone and it rarely portrays a positive image of the business. Additionally, many workers may have difficulty housing a PC and monitor as they simply don’t have the space.
For many, there’s a desire to use one device for business and personal use which is understandable, although potentially impractical or dangerous.
There are many advantages of BYOD for business owners:
- Reduce capital expenditure by not replacing dated computers or phones.
- Portraying a more modern-looking, forward-thinking business by adopting BYOD.
- Increasing the feel-good factor among staff through modernisation.
- Potentially increasing effectiveness and efficiency through the implementation of new technology.
- The business is deemed more attractive business when recruiting because it is seen to be a flexible and modern employer.
- Of course, there are more far-reaching consequences of adopting BYOD, which will require consultation at the highest level with HR, IT, Finance managers/directors, and of course, consultation with your IT support company or IT department.
There’s a dark side to this business approach. Each issue is deep and requires careful consideration and a written policy behind it. This policy MUST be extremely clear to ensure you are protecting both the business and the employee’s personal rights…
By far the greatest challenge for any business when agreeing to a BYOD policy is the critical issue of security of data.
Think about it, you are allowing an employee’s personal device to access secure areas of data. There are three key aspects requiring specific attention:
- The level of access provided
- Storage of data on this device.
- Security of this device.
Within each of these critical areas, there are many additional questions to answer e.g. under point 1 “can the device access key data outside of the confines of the workplace?” If so, what additional IT security protocols are required, and will this conflict with personal settings on the device?”
“How is data protected if stored on a personal device and who must pay for the additional security software required?”
Companies often have a policy to restrict access to certain websites whilst at work. However, “if personal devices are used at work, how do you stop misuse of the internet on a personal device during work time or break times?” e.g. access to social media. Does this mean employees cannot access these websites on their break using their own personal device?
Let’s take a look at some of the other key questions to further raise the debate…
How is the device or devices funded? Are there tax implications for this?
What happens if the device gets damaged or stolen, who is responsible for replacement?
What happens when the employee leaves the business? How do you ensure that all data stored on the phone is wiped? Does this impact on the employee’s personal rights? How do you stop the employee’s clients and suppliers continuing to contact them as the telephone number does not belong to the Company? What if the employee moves to a competitor and takes this number with them?
Companies often install certain monitoring software which is perfectly legal to track data being sent and received from a device. How would this work and be viewed by employees?
Who is responsible for managing patches, upgrades, and what software can be installed?
Who and where do employees go to for support? Are their devices covered under the Company’s IT support contract? If not and there is a device failure, what are the dangers through loss of data, security breaches, etc through using an unknown third party to repair the device?
Whilst there are many advantages to working from home, there are major decisions to make regarding the IT the member of staff uses. In most cases, it would seem more appropriate to issue technology from the company, therefore negating the difficult challenges brought about by BYOD.
In most businesses today, network and IT security is paramount. Online fraud and hacking are serious concerns with far-reaching consequences if data is obtained and leaked to the press, or competitors. The potential use of BYOD requires new solutions to maintain network security whilst ensuring the device is not affected in any way.
Before you consider opening what could be “Pandora’s Box,” by agreeing to work from home, it’s important to answer the key questions relating to the technology to be used and how data is to be protected from the outside communication from the devices used.
If there is an agreement and requirement for BYOD in your organisation, recognise that the policy, procedures, and support mechanisms MUST be in place which will require considerable input from your IT support company and HR Department.