Earlier this year, a Silicon Valley software company told a story about a CTO candidate it wanted to hire. The deciding factor for the candidate wasn’t an issue of salary, benefits, stock options, insurance, a company car, or even working hours. Instead, the sticking point was something that scarcely would have been on the radar several years ago: unlimited internet access at work to any type of content, whether it was personal or business-related.
“The rationale for it was, frankly, understood in our business,” said the company’s HR manager. “We pay people well, but we expect them to be here when we need them. In the software business, it isn’t uncommon to see an 80-hour workweek when we are getting ready to launch a new product. We got our CTO candidate, and he got his concessions on the Internet use. This enabled him to take care of personal business during periods of long working hours.”
From legal, regulatory, HR, and IT standpoints, such situations open up new sets of risks and exposures. Yet some companies are beginning to dip their toes into the water with “bring your own tech” (BYOT) policies that cover not only internet usage, but also computers and mobile devices. Among these companies are Kraft, Citrix and Carfax. All allow employees to purchase their own personal computers and mobile phones, as long as the devices conform to corporate standards on security and the software running on the devices is certified for corporate use.
Of course, this practice has been going on in small businesses for some time. Here, employees are encouraged to bring their own computers and mobile devices because companies want to avoid the expense of purchasing them. It becomes a different matter, however, in enterprises that must conform to more formal IT, security and regulatory practices. For instance, it might be great to let an insurance claims adjuster who works out of her home use her iPhone to take photos of car crashes — but do you really want an employee in a payment processing department to use a personal smartphone equipped with a camera to take snapshots of account numbers on credit card statements?
The moral is simple: Flexible “bring your own” policies can work in enterprises if they are carefully crafted, but it takes time to accomplish this. This is why a majority of companies are currently still evaluating BYOT policies — and it is also why departments like legal, HR, and IT are increasingly spending more time together in discussions.
It is still too early to tell how widespread BYOT policies will become, but early adopters are already embracing a few best practices:
All devices must conform to corporate IT security standards;
Only approved applications can be loaded onto the device;
In many cases, organizations provide employees with a list of makes and models of equipment that they can choose from — and employees must select their computers and devices from this list.
Other issues still remain hazy, such as:
Who owns the data and the software on the device, and what happens when the employee leaves the organization?
How should the organization deal with the security risk when other people (such as the employee’s family) will also use the device?
If the device requires repair or the employee makes an upgrade, who pays for this?
If you adopt a BYOT policy for employees, do you have to extend it to all employees?
These are difficult questions, but apparently, companies see enough benefits that they are willing to take a closer look at BYOT policies.