WITH the dramatic growth of cloud computing services and the proliferation of smart gadgets, more employees are asking to use their own devices during work hours. This trend has become more pronounced as the line between work and personal time continues to blur.
Allowing an employee to use a personal device that he or she is more comfortable with brings with it a number of benefits. The biggest is the cost savings on hardware, as a company does not have to keep up with constantly evolving technology trends. It may also improve productivity as employees can carry around fewer devices and are able to work from any location, and at any time using hardware they are familiar with.
Yet, organisations need to strike a balance between the convenience of a Bring Your Own Device (BYOD) policy, and the risks of theft or loss of data. Such a policy results in increased pressure on IT departments to manage and secure devices and data. The company's IT services also have to support multiple types of gadgets and operating systems.
"Once sensitive information passes on to a BYOD it is more difficult for a company to track what becomes of that information," says Bill Bowman, senior director, risk management and internal control, at Infineon Technologies Asia Pacific.
He adds that the use and management of BYOD is particularly challenging for companies whose competitive success relies on research and development (R&D).
Security and legal risks
However, this new scenario brings with it some critical security and data management risk especially when using private devices to access company data and the risk of this data being leaked. Companies also need to be aware of data privacy laws in different markets when implementing corporate mobility and security policies.
"It may be thought that cost savings is an obvious pro, since the organisation does not have to provide the devices. But this is not necessarily the case," says Tan Kay Kheng, a partner at law firm Wong Partnership.
"Why? Because the obvious con is the legal risk that exists, as to whether confidential or sensitive information residing in the employee's own device remains safe and secure at all times, and the resultant costs that may have to be incurred to provide some acceptable level of security."
Confidential information can relate to an organisation's information such as trade secrets, pitches to prospective and existing customers, as well as information belonging to clients and customers.
Confidentiality can be compromised when the device is lost or misplaced, or when information is not accessed in a "safe" environment. For instance, if e-mails or documents are printed outside the office and not kept in safe custody, or worse, simply left unattended on the assumption no one else would be looking at them, notes Mr Tan.
What employees need to know
BYOD is not just an issue that employers have to deal with. There are also issues for employees to consider when they decide to use their own device for work.
The difference in the access and speed of public cloud services and those of a company's IT services may cause some frustration among employees, says Jean Lee, vice-president (finance), Asia-Pacific, at software solutions provider NICE Systems.
She adds: "From the perspective of employees using their own devices, they also need to be aware that the company may install monitoring devices that will also be able to access personal data."
For instance, new regulations demand that all communications on the trading floors of financial institutions are recorded and monitored for compliance issues. These recordings include the regular desk phones and trading turrets, but also any mobile devices that traders are using business wise.
"Many banks do not yet allow their regulated traders to use their own BYOD mobile device, as long as these devices are not recorded on the banks' recording systems," says Arno Sybrandy, Global FMC product marketing director at NICE Systems.
Storing these recordings of BYOD mobile devices "in the cloud" is currently not secure enough for compliance. NICE offers solutions to add the recording of BYOD mobile devices on an on-site compliance recording system that is encrypting all recordings, says Mr Sybrandy.
Employees also need to be comfortable with the possibility of being contractually required to surrender their devices to their employers for inspection and analysis, as part of implementation, ongoing risk management, or when an incident has occurred.
"Employees need to understand that there may be adverse consequences for them when non-compliance with official policy is discovered, such as the taking of disciplinary action or even termination of employment," says Mr Tan.
They therefore have to watch over their devices and how information is kept secure while the devices are in use, and to ensure that there is no risk of a breach of confidentiality.
Confidentiality aside, staff who opt for BYOD must also be prepared to bear the cost of repair if their devices are damaged.
Says Ms Lee: "Since the ownership and warranty are not under the company's name, the employer will not be able to provide services for repair. What's more, not all applications can be downloaded into the device and there is less flexibility if they choose to register their own device for workplace use."