With most people living off a smartphone nowadays, it seems pragmatic to allow employees to use them for work. But BYOD carries as many risks for franchises as it does benefits
The majority of employees now have mobile phones and will typically bring them into the workplace every day. Indeed, the smartphone is the main contact point for most of us. But how does this impact on office policy? How much should franchisors allow, enable or actively encourage the use of staff mobile phones, tablets and laptops in the workplace? The practice has become increasingly popular and has earned the moniker bring your own device (BYOD).
There’s no denying that BYOD has some clear advantages. With most staff having their own mobiles, it means they can be contacted when in the field or on the move. Moreover, most mobiles are smart devices that offer people access to a suite of applications that they can use to aid their work. Some applications are used informally for work purposes and at an individual’s discretion, such as travel and weather apps, ticket wallets and search engines. However, there is increasingly a demand for mobiles to aid collaborative working, document sharing and accessing internal systems. Staff don’t want to carry around two phones and often prefer to use their own devices, which is where BYOD enters the equation.
But the use of BYOD raises a thorny issue for businesses: security. Computer hackers are always looking for new ways to infiltrate commercial IT systems and staff mobiles are seen as a potentially easy target. Andy Crocker, founder and CEO of Protect 2020, the cyber security firm, has spent much of his career fighting cybercrime. The former policeman was a senior investigator in the UK National Hi-Tech Crime Unit and has pursued hackers around the world. He says the increased strength of company firewalls has meant that hackers have looked for alternative methods of entry, with staff mobiles proving a favourite. “Criminals are always looking for an easy access point and often that involves a human being,” he says.
Crocker says many people leave themselves vulnerable by not updating their software regularly or, worse still, not even having anti-virus software on their mobiles. He also explains that many apps are created by criminals to allow their malware to spread. This means that the risks of allowing unfettered BYOD are high, which in turn increases the need for companies to take action. “Having a BYOD policy is very important,” Crocker warns.
For some franchises the risks associated with BYOD are too high. Mark Llewellyn is managing director of Revive UK, which provides minor car repair services such as cracked windscreens and damaged tyres. Following an incident a few years ago his business decided to take steps to ensure that staff don’t accidentally compromise the company’s IT system. “Someone bought a ticket online and viruses from the website got into our system,” he says.
Llewellyn says the challenge is educating employees on the dangers of BYOD. “Malicious intent is very rare; the biggest problem is that staff aren’t always aware of the issues involved,” he says. “There are so many factors it’s difficult to stay in control.” The business therefore decided to provide mobiles for some staff members and block access from personal phones. “If staff require a mobile for their work then we provide them with one,” says Llewellyn. “[But] if someone plugged a mobile into our network, it would be blocked.”
Nevertheless, some cyber-security experts say there are ways to reduce the risks of BYOD. Stuart Hutchinson is also a former police detective turned cyber expert. He now works as a forensic analyst and instructor at BlackBag Technologies, advising companies and public bodies on how to deal with cybercrime. He says there are risks associated with BYOD and companies have to weigh them up with the advantages of allowing people to use their own mobiles. But if franchises do decide to use BYOD – or allow staff to use work phones for personal use – they need to develop effective policies. “You need a written policy that members of the business can sign up to,” says Hutchinson. “Staff have to abide by certain rules so that, if they break them, there are consequences.”
Company IT policies have to outline what is acceptable when it comes to the use of mobiles, as well as business wifi and computer networks. Hutchinson says that IT policies can be more effective if they are accompanied by training – so that staff understand the reasons for a policy – and dictate what the minimum requirements are. Staff must ensure their software is regularly updated, that their phones have anti-virus software and possibly have locations services activated. A franchise may also ask that employees’ mobiles are logged with the IT department so their usage can be tracked if necessary. Additionally, an IT policy may dictate that mandatory security features are added, such as tracking apps that enable lost devices to be found.
Yet while these are all sensible measures, human error can still lead to security problems and data loss. Therefore, Hutchinson recommends that businesses with a large number of BYOD devices and mobiles consider using mobile device management (MDM) software. This enables IT professionals to ensure that staff are abiding by company IT policy and enforce it if necessary. MDM can also prevent misuse by restricting access to company data and setting conditions for access. “MDM packages come with their own specific internal apps and only through these apps can you access company data,” says Hutchinson. “These apps are ring-fenced and encrypted, while other apps on the phone won’t be able to access their sensitive data.”
However, MDM software can be expensive and typically requires management by IT professionals for it to be effective. Regardless, even without MDM, Hutchinson says franchises should enforce an IT policy that sets minimum standards. “Privacy is an issue and this is why there needs to be an agreed IT policy,” he says. “If people are using their own phones for work purposes they need to understand that their employer will need to access that device from time to time.”