BYOD blues: What to do when employees leave
- 25 June, 2013 15:15
The bring your own device (BYOD) trend is gaining steam, thanks to the cost benefits and increased productivity that can come from allowing employees to provision their own technology. Mobile workers are more likely to put in more hours, so if your employees want to buy their own equipment and do more work on their own time, it's a win for the company.
At least, a BYOD-practicing workforce seems like a win right until you have to let one of your BYOD workers go and there's no easy way to ask if you can please see their iPad for a moment because you want to check if there's anything on their personal device that doesn't belong to them.
As more workplaces embrace BYOD practices, they'll increasingly confront the question of how to balance the benefits of a self-provisioned workforce against the risks of company assets walking out the door when workers are let go. What can IT departments currently do to minimize risk when BYOD-practicing employees are laid off? What practices and policies can they put in place to make future departures as smooth as possible?
BYOD layoffs: What you can do now
It's a fact that some data always walks with the employees: email addresses of business contacts, or knowledge of the organization's key business practices and initiatives. In the old days, people slipped files into their briefcases. Digital files just mean that copying and moving information can be done quickly.
Skip through the denial and anger stages and just accept that some data is inherently more vulnerable than others, and it's that vulnerable data, such as emails, that will be walking out the door.
"There's no definitive way to get on to a [departing] employee's personal devices and undo what's been done," says Joshua Weiss, CEO of mobile application development firm TeliApp. "And if your workers have been using off-the-shelf solutions like Dropbox, it's virtually impossible with some sort of exit interview."
Rick Veague, CTO of IFS Technologies, says that you can sift structured communications data into three distinct categories: email, files that could contain company information, and mobile data. Once you've sifted out the data, you can figure out whether your soon-to-be-ex employee is really in danger of walking out with the company's assets on an iPad.
"Mobile data is a big problem, so it's time to start compartmentalizing risks. This way, you can find a balance between the benefits of a [BYOD] workforce and the risks," Veague says.
And how can your IT department manage the risks without cutting into the perceived BYOD benefits? By planning ahead for the next employee departure.
BYOD layoffs: Plan for the future
If your company is in the happy position of not having to lay anyone off in the near future, then you have time to get a game plan together. Here is a rundown of policies and practices you should consider implementing to make the unfortunate event go more smoothly, while mitigating company risk.
Have a written BYOD policy
This is a simple idea in theory, but not an easy one in practice. TeliApp's Weiss says that it took his company three months to come up with their current policy. "It started off as a simple paragraph and turned into what felt like a three-page demand letter," he says.
Why did it take so long? TeliApp treated it like a software development project. After that one paragraph, Weiss and his management team began compiling what-if scenarios and incorporating them into the policy -- what Weiss calls the policy's "alpha testing." Once the team discovered they hadn't thought of everything, they expanded the BYOD policy to include the real-life situations that arose. After this beta period, the policy was set.
For managers looking to establish a BYOD policy, here are some of the issues to consider:
Defining "acceptable business use" for the device, such as which activities are determined to directly or indirectly benefit the business.
Defining the limits of "acceptable personal use" on company time, such as whether employees will be able to play Angry Birds or load their Kindle's ebook collection.
Defining which apps are allowed or which are not.
Defining which company resources (email, calendars, and so on) may be accessed via a personal device.
Defining which behaviors won't be tolerated under the rubric of doing business, such as using the device to harass others on company time, or texting and checking email while driving.
Listing which devices IT will allow to access their networks (it helps to be as specific as possible with models, operating systems, and versions).
Determining when devices are presented to IT for proper configuration of employment-specific applications and accounts on the device.
Outlining the reimbursement policies for costs, such as the purchase of devices and/or software, the worker's mobile coverage, and roaming charges.
Listing security requirements for devices that must be met before personal devices are allowed to connect to company networks.
Listing the what-ifs, including what to do if a device is lost or stolen, what to expect after five failed logins to the device or to a specific application, and what liabilities and risks the employee assumes for physical maintenance of the device.
Consider other employee policies
Most companies have established noncompete, confidentiality, and nondisclosure agreements. With these legal protections in place, Weiss says, your employees are already constrained from walking off with a company's intellectual property and using it for their personal gain.
Monitor where your data is going
This is where IT can shine. By setting up shared company file servers and as well as protocols for who can access files and how, IT can monitor people accessing any locally hosted files.
Weiss says that TeliApp runs on the understanding that anything on the company server is company property, and so users don't copy files to their desktops. If someone does copy a file, the action is immediately logged and remedied. "Everyone understands the policy after their first well-meaning screw-up," Weiss says.
Try to keep data off local devices
When choosing applications and services, make sure a lot of data can't be downloaded and saved to local devices. One of the keys to minimizing risk in a BYOD workplace is restricting user access to networks and central repositories. You'll want to find tools that can sync all user data to a central account that an administrator controls access to. You'll also want to find ways to place intermediary technologies between the company network and employee devices. It will ultimately reduce IT's workload and add a layer of security to the company's networks.
"If you mobile-enable users and they have access to your enterprise data in an unrestricted fashion, you have to actively manage that device, which is difficult to do," Veague says.
One example of a cloud-based service that can minimize risk to the BYOD workplace: YouMail. The voicemail service stores all its customers' voicemails and call history in the cloud, so an employer who has YouMail as its voicemail standard will retain contact information and voicemail content even after an individual user leaves. The downside? In the current business-class offerings, users can still access their old accounts. However, in a forthcoming enterprise product, which is still in private beta, but aiming for customer deployment by the end of the summer, an administrator will be able to activate and deactivate individual user accounts.
You'll also want tools that let an administrator remotely wipe or delete an account. This way, former workers can maintain their device, yet they will no longer have access to their old accounts in certain apps.
Find applications that minimize the amount of data that's downloaded to any mobile device, Veague suggests, and follow this rule of thumb: "If you can't access the app, you can't access the data." If this rule is followed, then all an IT admin has to do when an employee leaves is shut off the individual user account; the data remains safe.
Do sweeps regularly
One of the downsides of a self-provisioning workforce is that not every worker is going to be as assiduous about application updates, security measures, and backups as a dedicated IT professional is. So have IT step in and do regular security check-ups on any devices that are allowed to access company networks. Because security requirements will be written into any BYOD policy, users will know that their devices are going to be scanned and updated regularly.
This last step may be out of IT's hands, but it is often the first step in avoiding any problems. Weiss says, "You have to know who you're hiring -- it all comes down to that. If you don't think a person's trustworthy, regardless of what their credentials are, then don't hire them."
With these steps in place, the risks of letting employees provision their own hardware are managed in a way that lets IT professionals still maintain their primary responsibilities to a company without being perceived as an obstacle for mobile-mad employees to work around. And being seen as business-friendly while also protecting the business? That's the real win-win when you think about employees' departures as you're bringing both them and their devices on board.