BYOD Roundup: The “BYOD for You” Book, Liability, and Shadow IT

by Joey deVilla on April 17, 2013

A New Book: BYOD for You

byod for you cover

Most BYOD guides we’ve seen cover BYOD from management’s or the IT department’s point of view; BYOD for You is the first we’ve seen that covers it from the rank-and-file employee’s angle. Written by Daniel Lohrmann, who blogs at Government Technology and has a site at BYOD4U.com, this Kindle ebook is a quick read that helps you determine an organizations BYOD maturity level, secure your BYOD mobile device and maximize its benefits, and how to cope with the way personal mobile devices are handled where you work.

BYOD for You is an easy lunchtime read; it’s divided into eight chapters, most of them about a half-dozen pages long, which cover these topics:

  1. Categorizing your BYOD enivronment: Gold, Silver or Bronze?
  2. Your workplace’s BYOD program, or the lack thereof
  3. Security: How to safely use your mobile device at work and home
  4. MDM
  5. Privacy and other legal considerations
  6. Maximizing the financial benefits of BYOD
  7. Ethical dilemmas and proving you deserve your mobile device
  8. Building a personalized BYOD plan that outlives your device

Each of the chapters end with a section that provides suggestions on how to handle its topic depending on the BYOD maturity level of your organization. Lohrmann’s model for BYOD maturity has three levels, which are explained below:

  • Bronze: An organization operating at the Bronze BYOD level has employees who bring their own devices to work, but doesn’t have an official BYOD policy. It’s unclear about what happens when company information security policies and personal devices collide, if employees’ personal data will remain private, or if their work-related activities on personal devices will get them in trouble. Employees also bear all costs of using the device, even for work-related purposes. MDM is practically or completely non-existent.
  • Silver: In organizations operating at the Silver BYOD level, there is a basic BYOD policy that spells out how its data can be accessed, as well as issues of security and privacy, and there is tacit permission for employees to access their work email from their devices. Employees can choose between all-expenses-paid COPE devices or BYOD devices without any reimbursement for operating costs. MDM is limited; it’s often something basic, like what’s provided by Microsoft Exchange ActiveSync.
  • Gold: At the Gold level of BYOD, there’s a full BYOD policy, and employees are fully reimbursed for all device costs. All devices are under full MDM.

Even though it’s written for end users at a workplace, it’s a useful guide for managers who are new to the idea of BYOD and want to get a grasp of the major issues that can arise when employees bring their own devices to work. I expect that we’ll be using this in our consulting work and recommending it to our customers.

There’s a special deal if you buy it today (Wednesday, April 17, 2013): it’s selling at a dollar off — a mere CAD$3.03 at Amazon.ca, and USD$2.99 at Amazon.com.

BYOL: Bring Your Own Liabilities

justice

Mobile technologies bring new capabilities, but new complications as well. The CIO article BYOL: Bring Your Own Liabilities points out that the dual nature of BYOD devices — owned by the employee, but used part of the time on behalf of the company (and possibly subsidized) — present some new potential legal issues, whether or not your organization has a formal BYOD program. The article lists a number of ways you can reduce the risk of legal exposure in your BYOD program; the article goes into more detail, and we’ve summarized the main points below:

  • Policy: The article says that a policy defining your organization’s BYOD program is most important element of any BYOD strategy, and we’re inclined to agree. Such a policy should clearly define how your BYOD program will operate, specify the risks and responsibilities of the organization, employees and third parties, and define acceptable technologies and acceptable use. Most of it shouldn’t have to address legal issues, but having such a policy will help reduce your legal exposure. (By the bye, we’re pretty good about crafting mobile device policies, and we even have a guidebook to help you build your own.)
  • Liability issues: Figure out whether your organization or your employees are liable in certain cases, such as: Who’s responsible for misplaced or stolen devices? Who’s responsible in the event of a malware attack? Who pays for support?
  • Licensing: Are the apps on mobile devices — both company- and employee-owned — properly licensed?
  • Insurance: Will your organization’s insurance policy cover devices that it doesn’t directly own or lease?
  • Data security: As the article says: “Two topics generally colour the legal framework in the context of data security; these are confidential information and litigation obligations, both of which are concerns for any mobility based system.”
  • Confidentiality: We take our mobile devices (especially our smartphones) everywhere, and sooner or later, they’ll get lost or stolen. You need to consider the implications of missing mobile devices, from the loss of your organization’s sensitive information, to inadvertent breaches of confidentiality agreements with other parties, to remote wipes, to the consequences of remotely wiping an employee’s personal data. Along with the issues that come with confidential or sensitive data on the device, there’s also the issue of such data off the device, stored with third-party cloud services like Dropbox.
  • Discovery obligations: Data stored on mobile devices used for work may be subject to electronic discovery, the pre-trial phase in litigation where each party can get evidence from the opposing party. You may need to take measures to keep work and personal data separate, keeping in mind that your organization can’t object to producing some information in the discovery process simply because it has some personal employee information mixed in.
  • Privacy: One reason to try to keep work and personal data separate is to preserve employee privacy, especially when backing up information. Ideally, you want to back up only the work-related information and store no personal employee information (such as their address book or photos) on your organization’s backup system.
  • Surveillance and tracking: The ability to remotely track a device is a useful thing to have when it’s lost or misplaced, but it can be a cause for concern about its use for tracking employees. The article recommends the use of a data surveillance policy that clearly spells out how devices will be tracked, and if your organization will record information stored or transmitted by the device.

BYOD and Shadow IT

the shadow strikes

From an earlier article:

Shadow IT sounds like some kind of future slang that [William] Gibson would’ve coined, but it’s an office term referring to the set of applications and systems that are used in organizations without that organization’s approval, and especially without the approval of the IT department. It’s usually the result of one or a handful of employees discovering an application, service or system that solves a problem in a way that seems more effective, expedient, and more free of red tape than if it were solved by IT. Shadow IT usually starts off as an ad hoc solution, but if it becomes popular within an organization, its use can become standard practice, even without the approval or oversight of the IT department.

When people talk about shadow IT, they usually talk about the security issues. Mike Foremen in Huffington Post UK writes about another equally important issue: the creation of data silos, where information vital to the business lives in places where it can’t be found.

Previous post:

Next post: