In all their enthusiasm for the money to be saved and productivity to be gained by allowing employees to buy and use their own devices for work, are CFOs closing their eyes to the risks?
Taylor Provost, CFO.com | US
June 14, 2012
Now that a bit of the luster has worn off that shiny buzzword - BYOD - and the policy of allowing employees to work with their personal cell phones and tablets has had some time to settle in, some CFOs are discovering that actually deploying a "Bring Your Own Device" strategy might not be the smart, simple, productivity-enhancing, and money-saving solution many originally thought.
"Most of the conversation going on about BYOD assumes that it's necessarily a good thing," says Josh Lipton, CTO at Advantix Solutions Group, a provider of wireless and fixed telecom management services. "It's a much more nuanced thing than the broad strokes of, 'This will save you money.'"
The underlying problem with BYOD isn't its premise, Lipton says - the idea that workers will be happier and more productive using devices they choose and buy themselves while the business will benefit from that happiness in increased productivity as well as saving some capex and opex in device procurement and support - but the lack of reality that has informed the discussion since it became a hot topic.
The reality is that the costs of implementing a BYOD policy, while sometimes subtle (and sometimes not), are very real, and a hastily constructed policy can get a CFO into hot water fast. One issue that arises, Lipton says, both real and commonplace, is that of the lost or broken phone, and some employees' financial inability to replace it. The definition and parameters of an employee's responsibility for his or her device play a pivotal role in the success of a company's BYOD strategy.
"So you get the [carrier-subsidized] $99 iPhone, and then someone drops it in a lake and it's suddenly a $500 iPhone [to replace]. Now you're already in the weeds," says Lipton. "We see this all the time: the notion that all employees are equally able to source their own phone. To many, the cost is not a trivial matter."
But some companies, who had BYOD policies before it had a name, have navigated the issue simply by acting as if the matter is somewhat trivial.
"When we started, like any start-up, you fly by the seat of your pants," says Sam Tarantino, CEO and CFO of five-year-old Internet music service Grooveshark. "Our BYOD policy is sort of built as a necessity. Pretty much everyone was joining the cause and using their own device."
Grooveshark subsidizes almost all its employees' phone bills, which Tarantino says costs about the same as would providing them with company phones. The difference, he says, lies in productivity.
"As a CEO, I'm pretty against trying to impose things on my employees," he says. "If you look at the most productive companies, it's all about creating a work environment where people love to be there. We're not necessarily saving money [on BYOD], but we have a lot of the newer features of today's workspaces where most people have laptops because they like the mobility of being able to huddle in on an impromptu meeting."
And in the case of the missing phone or laptop, Tarantino says the company, which employs about 80 people, would help replace a device "for sure" if an employee couldn't afford to in a timely fashion.
"We're a small company and all look out for one another," he says. "We would approve that expense to make sure the company stays efficient," adding, "within reason."
But what happens when those huddling employees take their laptops home, with all that company data in their bags, purses, and pockets?
The Enterprise Goes For a Walk
Brent Cossrow, employment law partner with Fisher and Phillips, helps companies with security and the legal issues associated with implementing a BYOD strategy. He says the key to a foolproof BYOD plan is linking it with existing company policy.
"Confidentiality policy, non-disclosure policy, ethics policy, and conflict of interest," says Cossrow, ticking them off. "A CFO should specifically say, 'This BYOD policy is meant to be used in connection with all these other policies.'"
The handling of confidential information should be a company's biggest concern in a BYOD environment, Cossrow says. Doing so can be as easy as making sure all devices are password protected, or as intricate as a good master data management (MDM) solution. It depends upon the degree of risk an enterprise is comfortable assuming.
"We have clients in the health services industry with concerns about protected health information," Cossrow says. "We have adoption services clients who have obligations to protect all sorts of information related to the people they service. For those individuals, we need to make sure their information is protected the right way."
It's not just third-party information, Cossrow says, but also proprietary, trade secret information that, readily accessible from a worker's phone, could be stolen or sold to a rival. Employers that have a lot of critical intellectual property, he says, may need to coordinate their BYOD policy with their security clearance policies.
"Certain employees will probably have access to information that may be the basis of what makes the company money," he says. "Does everybody have access to the recipe for Coca-Cola? Probably not. You want to coordinate which employee has access to the system and apply your BYOD policy to that."
But what device your employee is using becomes a lot less of an issue when your company's server resides in the cloud, says Grooveshark's Tarantino.
"Most employees have access to everything stored on the cloud," he says. "It really doesn't matter what device it's being accessed on as long as it's being stored on a centralized server."
Allowing any employee to access Grooveshark's company data, including the code that runs the music streaming site, could put the company at risk, but Tarantino says there are security measures built in if the phone lands in the wrong hands.
"If the phone gets lost," says Tarantino, "we can automatically cut off its access" to e-mail and the servers. "But obviously," he continues, "if an employee's gonna be a bad actor, he's gonna be a bad actor. It's not about the device."
Lipton suggests that companies consider a sliding scale dependent upon their analysis of their risks and needs. For example, the Wall Street Journal reported yesterday that Wells Fargo declines to support Android-based devices, and if an employee wants to use one, well, that's just too bad.
Ultimately, BYOD can only be as safe as the employee who uses it, and the measures taken by the companies that believe in its value.