What your company needs to know about BYOD

In the debate over personal technological devices in the workplace, bring your own device (BYOD) has taken a lead among big businesses. But companies of all sizes need to be prepared for the impact of employees using their own smartphones, tablets and laptops to access corporate computer networks.

The vast majority of large US companies already are allowing BYOD, new research indicates. Cisco Systems polled 600 chief information officers and IT managers at US corporations with at least 1,000 employees, and found that 95% of those businesses support, or at least tolerate, BYOD.

The BYOD debate has been going strong ever since consumers started showing up to the office with their own tablets and smartphones. Indeed, the surface issues of technological freedom, productivity and convenience seem pretty basic. But finance and technology executives have had to wrestle with a host of complex, intertwined factors – including cost savings, security risks and even employee satisfaction and retention – before granting or denying permission.

Supporting BYOD

Large enterprises aren’t just tolerating BYOD, the Cisco study indicates. They appear to be embracing it.

More than three-quarters of the IT leaders surveyed by Cisco characterised BYOD as “somewhat” or “extremely” positive for their businesses. An even higher percentage are providing some kind of technical support for BYOD, with 36% supporting all employee-owned devices and an additional 48% supporting selected devices.

It would be unrealistic for businesses that allow BYOD not to provide some level of technical support, said Marc Staut, director of technology for the Maryland-based Reznick Group, one of the 20 largest US accounting firms. Employees inevitably will need to have passwords reset, network access restored and other services provided, Staut said.

But BYOD does present opportunities for IT departments to free themselves from much of the maintenance and support load they carry in more traditional setups, such as those in which the organisation requires each employee to use a company-issued smartphone and laptop.
 
In a BYOD environment, Staut said, employees could be encouraged to take their devices to outside parties for major repairs. For example, users of iPads and iPhones would be expected to turn to Apple when their devices are not working. IT staff might help employees determine whether they need to go to the manufacturer for help, but IT no longer would handle the repairs or supply replacements.

“IT would get away from being hardware providers,” Staut said. Instead, IT staff would focus more on how to best use technology to help the business.

The benefits of BYOD
 
IT leaders in the Cisco survey named two key benefits of BYOD:

• Increased employee productivity resulting from more opportunities to collaborate with colleagues; and
• Greater job satisfaction stemming from employees being able to choose the devices they use for work.

The right to select the smartphones, tablets and laptops they use ranks as one of the top two reasons that employees at large businesses want BYOD, according to Cisco. The other reason is that employees want the flexibility to do work and personal tasks on the same devices. After all, it’s much easier to carry around one device, rather than carrying, say, an iPhone and a company-issued BlackBerry. Also, Staut pointed out, many employees now have better technology at home than they do at work.

BYOD has monetary ramifications for both the employer and the employee. BYOD produces annual benefits to the enterprise ranging from $300 to $1,300 per employee, depending on the employee’s role, according to an estimate from Cisco’s Internet Business Solutions Group (IBSG). Factors that contribute to the BYOD benefits include greater employee retention, improved productivity, more effective collaboration, increased face time with customers and improved asset use, Joseph Bradley, general manager of Cisco’s IBSG, recently wrote.

Employees, meanwhile, are willing to pay for BYOD convenience. Cisco’s BYOD employees, for example, pay an average of $600 out of pocket for devices that will provide more control over their work experience.

Risky business

BYOD doesn’t come without risks. IT leaders cite two main concerns: potential security and privacy breaches and the difficulty of providing IT support for so many different types of mobile devices.

Staut suggests a couple of options to address those issues. The first is to offer a stipend or allowance to employees who want to use their own mobile device. Companies can set up a system in which they select four or five vendors and offer monetary support for employees who use those vendors. In the case of a laptop, for example, the business could provide $1,000 over two years to employees on the condition that the employee buy what the computer needs—processors, memory and hard-drive space—from one of the approved vendors.

This approach can help the business maintain some control over the types of devices accessing the network. It also can produce bottom-line benefits. For example, it can cost a business $2,000 to $2,500 for every new laptop it provides employees. If the company instead is providing a $1,000 stipend for BYOD, money is saved.

Staut’s second option focuses on mitigating the security risks related to personal devices connecting to the business’s computer network. The risks for businesses include the possibility of employees unwittingly infecting the network with viruses, malware and backdoors. A backdoor is a file that executes on an infected computer, dialing a criminal’s computer and opening a port through which the criminal can access an employee’s laptop or other device. The criminal can then use the employee’s connection to the network to slip past any firewalls and steal data such as personal identification information for customers, clients or employees. Such a breach can expose organisations to possible liability under various privacy laws.

Another risk stems from employees downloading confidential data onto their personal devices. In a BYOD situation, IT should require the employees to sign a mobile use agreement in which employees agree to encrypt and password protect their smartphones and other devices and agree to allow IT access to delete work-related files in the event the device is lost or stolen.

The emerging use of virtual desktops might help to address these security issues, Staut said. Desktop virtualisation allows employees to access their desktop at any time via their smartphone, tablet or laptop. A virtual desktop is merely an access point to applications and data stored on a server. This approach would allow IT to exercise more controls, such as preventing employees from downloading confidential information from the server to their personal devices.

“The data itself stays within corporate,” Staut said. “That’s what makes BYOD sustainable.”

Staut is far from the only IT expert paying attention to virtual desktops. Of the IT leaders surveyed by Cisco, 98% were aware of desktop virtualisation, 68% agreed that most knowledge worker roles were suited for desktop virtualisation, and half said that their organisation is in the process of developing a plan to implement virtual desktops.

The stance among small businesses?

The Cisco survey did not assess BYOD among smaller companies, and other data about the prevalence of such policies in smaller businesses are inconclusive.

“We have seen that technology adoption and usage patterns can vary significantly between (small and medium-size businesses) and larger enterprises,” Bradley said.

Others have seen evidence that BYOD also is gaining acceptance at smaller companies, especially organisations such as accounting firms.

“Smaller firms are more agile and able to try and adopt newer technology faster,” Staut said, “though having the right CIO really helps.”

—Jeff Drew (jdrew@aicpa.org) is a CGMA Magazine senior editor.