Is Your Mobile Workforce Exposing You to Unseen Risks?
Recently, mobile phones and QR codes have become the newest high-tech tools for trade shows, and with that, bring-your-own-device (BYOD) to work has fast become a popular trend. Employees often prefer to use a single smartphone, laptop and tablet for both work and personal use, claiming they are more productive when they can access email and other corporate resources at any time and from anywhere.
Initially, companies embraced BYOD as a workforce management strategy that fulfilled employees’ demands for flexibility while lowering telecommunication expenses. Now it’s become clear that BYOD also comes with many business risks that require further review, evaluation and action to reduce growing concerns with security, compliance and privacy issues.
Employees are quick to download unapproved, third-party apps to track their calendars and expenses, and they utilize cloud-based storage sites like Dropbox to store work documents. But easy and convenient mobile access to corporate email and intranet also exposes companies to the risk of security breaches, data theft, compliance violations and the gray areas that are emerging around employee privacy, wage and labor laws.
The kicker is that in many cases, the anticipated cost savings of BYOD have largely turned into increased IT expenses for supporting users and strengthening mobile device security.
Regardless of these risks, the mobile workforce is here to stay. According to Gartner, a leading information technology research firm, by 2018 the size of the mobile workforce will more than double. Most of the companies surveyed by Symantec, the information security giant, allow employees to use personal mobile devices for business purposes — and also accept the probability that they will experience a mobile security incident as a result.
Mobile device use and management is a dynamic trend. Set your policies and design your security architecture around these broad areas:
1. Share responsibility
Update your mobile device policies to engage employees in shared responsibility for protecting corporate data. Many of today’s mobile security policies are limited to employees who access the corporate network through company-owned devices.
Review, update and extend those policies to include employee-owned hardware usage. Regardless of who owns the device, an effective policy includes a user agreement that clearly defines employee eligibility, usage, approved devices and platforms.
2. Maintain balance
Balance flexibility with confidentiality and privacy requirements. To regain control over mobile devices, companies are developing novel models like COPE (company-owned, personally-enabled) and CYOD (choose your own company-owned device). Other employer responses include using new technology that provides secure portals to corporate data and allows remote monitoring and wiping of confidential information from even employee-owned devices.
These plans may give employers more access to mobile devices, but they are not foolproof. If you allow personal use, then you’re blurring the lines between corporate confidentiality and employee privacy. Even if your policies eliminate the expectation of employee privacy, companies should not cross into password-protected personal accounts, websites and social media.
3. Protect what’s yours
Protect your intellectual property and confidential corporate data. In the mobile device universe, the assets most at risk are your valuable corporate assets like intellectual property, computer source code, proprietary research, client lists and confidential financial information.
In a survey by Symantec, 50 percent of departing workers kept confidential corporate data and almost half of this pool said they would use this data in their new jobs. COPE and CYOD devices may offer some data security advantages, perhaps as a psychological deterrent. If nothing else, employees may be less inclined to steal proprietary information if they are using a corporate-owned device that is monitored.
4. Check with HR
Carefully consider how your mobile device policy aligns with employee expectations. It’s a good idea to involve HR in mobile device policy development.
A federal court case in Chicago involving overtime claims by policemen for off-duty texting and calls using department-owned smartphones is only one of many that could have far-ranging implications about wage and labor claims related to after-hours mobile device use. One implication is whether employers must pay nonexempt employees overtime under the Fair Labor Standards Act (FLSA) for time spent reading and responding to email on their smartphones after work hours.
Technology moves far faster than the law can keep up, and this case may be the tip of the iceberg when it comes to legal risks for employers from BYOD.