It happens so fast – a moment’s inattention on a business trip and someone has made off with your laptop or smartphone. Inconvenient to say the least, but even more so if it is your personal device that is also being used for work purposes. Who is going to pay for the loss? And, what about the stored data – the RFP that was just completed, the lead information you gathered at the trade show you were just at, or your client rolodex. All this information is gone and likely not backed-up to another hard drive or the cloud. On top of the corporate data is the loss of personal data, such as photos and contact information, which adds to the blow.
Companies and employees are confronted with this situation more and more because corporate IT is increasingly adopting the ‘bring your own device’ (BYOD) to work trend. This idea is popular among employees and corporate management alike particularly in companies where computing resources and budgets are limited. Employees know how to use their own devices and can more efficiently manage their work and life in an integrated fashion. Further, companies can save money on hardware and simply focus on usage policies and packages for their employee base. Regardless of the benefits, corporations and employees often forget important consideration factors. What happens if a device is lost or damaged? Will a lost or stolen device be remotely wiped? How will the device data be backed up? Many employees are not aware of the amount of responsibility they are assuming when using their devices for corporate purposes or that their privacy is at risk.
Before employees use private devices for work, they should ask some important questions and clarify these issues with their company’s IT department:
Backup Responsibility: As soon as company data is involved, certain compliance requirements apply. Is it the employees’ responsibility to save their own data at specific intervals or do the company’s IT specialists take care of that? What tool is used to conduct the backup, who makes it available and who monitors compliance?
Data Loss: Mobile devices are not robust and the memory is easily damaged. If there is no backup and the data is important, a professional expert may be able to help. But, who has to arrange for this and who will foot the bill? In addition, many people don’t realise that it is not possible to distinguish between company and private data during data recovery process. When a data recovery is preformed, data will simply be restored. Often times the file names can no longer be read, so all files have to be opened and checked in order to disentangle private and company data. In this case, privacy cannot be maintained.
Loss of the Device: Two main issues arise if the device is lost or stolen – first, who will replace it, and second, the obligation to inform the employer. Are their rules as to how soon the company must be informed about the loss? Does the company intend to take quick action, such as remotely blocking access or deleting data?
Remote Deletion: Some companies require employees to install a program on their device that allows data to be deleted remotely in case of loss or theft before they may use the device for company purposes. Many people do not realise that the deletion is not specific to company data, but affects personal data as well. In other words, if employees don’t regularly save all their personal contact information, photos etc. – via their provider’s online services, for example – they may lose them all.
End of the Employment Contract: Most people change employers sooner or later. What happens to the company data on the private device in that case? Who checks that it has been deleted? Will care be taken to ensure that private data is not lost during the process?
Convenience or Privacy: Of course it’s convenient to have just one device for both private and professional purposes – only one password, only one charging cable, etc. However, it is still not possible to separate the different kinds of data precisely, so companies often save employees’ private data as well, depending on backup and logging requirements. BYOD often means sacrificing privacy and everyone has to decide for themselves whether it’s worth it.
Everybody has a part to play
IT support is another aspect of BYOD that requires careful consideration before adoption. If problems arise accessing data or programs necessary for work, employees using private devices turn to the company IT department for support. This means that IT experts are suddenly confronted with a variety of devices and software versions they were not previously expected with which to be familiar. As a result, IT now has considerably more work. Therefore, it makes sense to restrict the range of devices that are permitted for BYOD. Maintenance and service issues also need to be defined clearly, even though employees are usually more careful with their own devices than they might be with company phones or tablets.
The smaller the company and the more recent the introduction of BYOD, the more likely it is that issues will arise that have not been clarified sufficiently in advance. In this case, all those concerned – management, IT and employees – need to work together to set up the best possible procedures.
The HR and legal departments should be involved at the outset of contemplating adopting this trend to elevate important considerations and help define clear guidelines that cover the aspects mentioned above and to allocate responsibility for each procedure. Employees should study these guidelines thoroughly before agreeing to them and company management should offer regular training on the topic, so employees comply with the policy and are not surprised by standard operating procedure.
Neither employees nor management should let themselves be dazzled by the temptations of the BYOD approach without weighing the benefits against the risks. If companies opt to move forward with implementing BYOD, it is critical that clear guidelines and training are in place. Doing so will better ensure cost savings and employee enablement, which will ultimately improve general company satisfaction in the long run.
About the author
Adrian Briscoe is general manager – APAC, Kroll Ontrack. For further information visit www.ontrackdatarecovery.com.au