5 min read

6 Risks Your BYOD Policy Must Address

Strong company policies are a must for managing legal and other risks of personal devices used in the workplace. Are you addressing all the issues?
3. BYOD Devices Are Subject To Border Search And Seizure.

If you've got employees that travel internationally, their devices might be subject to search or seizure at border control -- something they need to be aware of in advance if they're going to use their own when they're on the road. This falls into the category of employee awareness. They need to know, via policy and education, that they're forfeiting certain rights to their personal devices by using them for work.

4. Who's Responsible For Repetitive Stress Injuries?

Employers can manage the costs and risks of an employee getting hurt on the job in a variety of ways: Insurance, safety training, ergonomic office equipments and so forth. This would include desk-bound employees who develop repetitive stress injuries from typing, mousing or similar tasks. But what if they get "BlackBerry thumbs" from a device they own? Can they take action against their employer? If you think that sounds far-fetched, think again: Overly said they have already seen two cases where an employee at least explored a claim against their employer as result of using a personally owned device. "This is another policy and training thing: By putting employees on notice that there are issues, particularly repetitive-stress issues, with regards to the use of technology," employers can limit their liability, Overly said.

5. The Demise Of The Great American Novel.

BYOD discussions tend to focus on the hardware that made it famous, namely smartphones and tablets. But bring-your-own can include laptops, netbooks, ultrabooks and other gear -- something bound to increase if Windows 8 hardware proliferates. Overly noted a situation involving a person who alleged that his employer deleted files from a personal laptop after he brought it to the office to have security software installed. Those files included the only copy of the novel he'd been writing for years; the claim stopped just short of court. Again, this scenario -- the responsibility for loss of data on an employee-owned device -- can be proactively managed via policy, provided the employee is made aware of the risks. (That particular employee might also need a tutorial on the many low-cost options for backing up files.)

5. What Happens When An Employee Shares A Device?

A strong BYOD policy would protect the company in the case of the employee's deleted novel-in-progress. It would not do the same if that novel was written by the employee's spouse. If you've ever shared or borrowed a computer, tablet or phone with family or friends, this one's for you. Overly called shared used of employee-owned devices one of the most pressing BYOD issues around, in part because it can't be easily mitigated with policy. An employee sharing a BYOD-use iPad with his spouse certainly opens up potential issues such as corporate data loss or security breaches. But it also creates a much thornier problem in terms of potential legal action against the employer. Overly described a case in which a spouse used a BYOD device to photograph an important, one-time life event. The company, in the course of routine device management, later deleted all of the photos -- the only copies -- via remote wipe. "How does the company protect itself against a claim by that spouse?" Overly said, noting that the employer doesn't have any policy or contract with that person governing use of the device. "It's very, very difficult to do," he said. The total separation of personal and business data on employee-owned devices is "the holy grail" for BYOD shops, Overly added.

6. What About When An Employee Gets Rid Of A Device?

Employees that sell or recycle a BYOD device after upgrading pose another risk, as do lost or stolen devices. A common policy and technology strategy is to enable remote wiping of the device's data and require it as a condition of program participation. Like most protections, remote wipe is not fool-proof. But it's a key tool in managing the downside -- which can be steep simply because of the sheer volume of devices. Device disposal occurs millions of times when Apple releases a new iPhone, for example, or more incrementally when people accidentally leave their phones in taxicabs or airport waiting areas. Employee termination is another scenario where remote wipe can be crucial.

"Terminated employees [are] always a challenge because they may not be interested in helping the company with anything," Overly said.

A security information and event management system serves as a repository for all the security alerts and logging systems from a firm's devices. But this can be overkill for a company that is understaffed or has overestimated its security information needs. In our report, Does SIEM Make Sense For Your Company?, we discuss 10 questions to ask yourself in determining whether SIEM makes sense for you--and how to pick the right system if it does. (Free registration required.)

Editor's Choice
Sara Peters, Editor-in-Chief, InformationWeek / Network Computing
Jessica Davis, Senior Editor
Richard Pallardy, Freelance Writer
Carrie Pallardy, Contributing Reporter
John Edwards, Technology Journalist & Author
Carlo Massimo, Contributing Writer
Salvatore Salamone, Managing Editor, Network Computing