As mobile technology continues to improve and become more affordable, more and more organisations are adopting Bring Your Own Device (BYOD) allowances in their workplaces, giving employees freedom and flexibility that feeds back into greater productivity for the company.
However, as BYOD becomes more mainstream, the control that organisations once had over the computing systems and files in their workplace is slipping.
“When people use company-owned devices, they can make very strict policies about one specific type of device and the set-up and configuration,” Rajiv Shah, communications, data & security solutions at BAE Systems Detica Australia, told HC.
“[It] becomes very hard to control once an employee brings their own device to the workplace. You are going to have a much bigger variety of devices and you are not going to be able to control all aspects of it,” Shah added.
The lack of control spills into both legal and security areas, ranging from confidential information to company policy. “It is very difficult to mandate the use of that device in a non-working capacity,” Pattie Walsh, head of employment at DLA Piper, said.
Walsh explained that while organisations may be able to dictate what employees can use their device for at work, lawful activities outside of work that may be in contradiction to these terms are harder to control. Contracts can be put into place, but employees may not agree to them, and they are difficult to enforce.
In addition, employers must become aware of possible legal liabilities that come with allowing employees to bring their own devices to work, such as the use of these devices for illegal activity.
“Employers are vicariously liable for the activities of their employees,” Walsh said. “In just the same way if an individual employee sexually or racially harasses another individual or does something unlawful.”
Although the employer is not responsible for everything an employee does, a level of civil liability exists with regard to the measures taken to prevent such actions. “I think in that scenario you’d have the same potential responsibility of employers and the question would be ‘Did they do enough to protect the interest of the third party?’,” Walsh explained.
The main concern, however, surrounds security breaches. A terminated employee may retain confidential data, and the loss of a phone or other device containing important information is also a likely occurrence.
In the case of a security breach, both Walsh and Shah recommend the use of security systems to gain control of the data. Shah explained to HC that portions of a device can be wiped remotely using mobile device management.
Organisations also need to be aware of how common cyber-attacks and hacking are. Instead of ignoring the problem or becoming complacent about the strategies they have in place to prevent attacks, they must plan for when it all goes wrong.
“Companies have to accept that at some point they will be the subject of an attack and they have to have a plan in place for how they would respond and deal with that,” Shah said.
He stressed that a blanket approach to how an organisation treats data would not be beneficial. “You can be 100% secure but you can also then have a 100% useless device.
“You have to say ‘If this information is the absolute crown jewels of our organisation and it would be irreparable if it was to get out’, then you might have to say ‘No, the only place you can access the information is when you are physically in our office’. But I think trying to apply it as a blanket across the organisation is not a sensible approach.”
A more measured, risk-based approach that evaluates information on a case-by-case basis is a more effective way to tackle security concerns around BYOD. “There are a lot of benefits that BYOD and work mobility in general bring to a business and you’d be losing those benefits by going back to only allowing people to access information while they are sat at their desks,” Shah said.