
Bring Your Own Technology: A Growing Trend Brings Growing Risks
More employees than ever are bringing their personal technology -- smartphones, tablets, laptops, and even desktop PCs -- to work. Businesses that take advantage of this trend toward "Bring Your Own" business technology can reap a number of benefits, including happier employees, shorter technology learning curves, greater productivity, and lower hardware and software costs.
But business owners, beware: BYO technology is no free lunch. And the dark side of this practice can be very, very risky.
BYO Tech: Hidden Risks?
For an example of how a BYO tech policy can create potential problems, consider the case of a retail picture-framing chain that operates three stores and a small warehouse.
"We're a pretty tight group," remarked the owner, who requested anonymity for himself and his business. (You'll understand why in a moment.) "We don't have a problem with our people doing their own thing if it helps them get the job done." As a result, his company allows employees to access the company's IT resources, including its email and intranet, using personal devices such as smartphones and laptops.
He sees the company's embrace of an ad hoc, employee-driven BYO tech policy as a positive development for his business. "My guys can work from home or a doctor's office waiting room on their phones," he said. "If it helps my employees be more productive or flexible, it's a win-win."
The owner goes on to explain that he knows his employees "well enough to tell them they're on their own when they use their own equipment, so tech support isn't an issue." In a large company, relying on personal responsibility is tricky, but with fewer than 20 employees -- many of them family members -- the policy seems to work.
Still, when pressed, he admitted that the company hasn't addressed -- or perhaps even considered -- the risks associated with its BYO tech policy. To allow remote access, the company has disabled most of its network security. It doesn't use network-level virus scanning, so unprotected home computers pose a threat. There's no companywide security policy governing data transfer, storage, or backup on mobile devices -- and no auditing of outside access whatsoever.
In the end, the framer admitted that employees could lose, leak, or steal critical information without leaving a hint of a trail. It's no wonder he didn't want to identify his company, even if he is happy with its current BYO tech policy.
Who Pays for Mistakes?
Another gray -- and potentially expensive -- area of liability related to the use of BYO tech involves software licensing violations. Even if a company plays by the rules when licensing its own software, employees can still bring unlicensed or pirated software into the office on their personal machines.
If a business is audited by the Business Software Alliance, that unlicensed software could cost tens of thousands of dollars in penalties and legal fees. The company may or may not actually be responsible for what software employees use on their devices, but the prospect of figuring out the answer to that question in court isn't very appealing.
Understanding the Risks
So what should a business do before it implements a BYO technology policy?
The first step is to assess the potential costs of the risks associated with a BYO tech policy. Clearly, software licensing audits and possible security breaches play a big role in these calculations. Yet one of the biggest and most important costs involves technical support: If you need to provide full support for multiple employee-owned device platforms, the cost and complexity for your IT staff could be significant. You may also need to invest in training or alternate support options if your existing IT staff isn't qualified to support certain devices.
Some potential costs are going to be more significant for some companies than others. If you do business with the government, health care agencies, or financial services firms, for example, any security breach at all may be grounds to cancel your contract. Your company may also be legally liable if customer credit card numbers or other personal data is lost or stolen after being transferred to an employee-owned device.
Other risks are even more specific. The IT director at one boutique video game developer recently caught a tester attempting to transfer a pre-release copy of an upcoming title to a high-capacity cell phone the tester brought into the office. If the software had leaked, it could have cost the company several hundred thousand dollars.
Starting at "No"
The first and most important way to manage these risks is to implement an official BYO tech policy -- something that surprisingly few businesses have done.
In addition, consider making the phrase "absolutely not" your default stance toward employees bringing their own technology into the workplace. The video game developer mentioned above took "no" to an extreme, locking down write access on drives, banning cell phones in testing and development areas, and firing employees on the spot for violations.
"We need a zero-tolerance policy to survive," the director explained. "The stakes are just too high, when one screw-up can sink us."
Your worst-case scenario probably isn't as dire, but you need to stay covered. Once you've created your policy, include it in your employee handbooks, and make every employee read and sign it. This may not pass legal muster in an audit, but it can't hurt, and it shows you're acting in good faith. It also gives you cause to discipline offenders who leave you exposed.
Many companies won't want to stick with such an absolute policy, and in fact, many of them don't need such a policy. But it still makes sense to begin with a blanket ban and then consider exceptions on a case-by-case basis, rather than start with a wide-open BYO tech policy that proves impossible to manage.
Simplify Your Systems
Whether you're concerned with support costs, device loss, auditing, licensing, or theft, moving to cloud-based applications can greatly reduce the risks associated with employee-owned technology in the workplace.
Cloud applications generally require only a Web browser to function, eliminating application-specific troubleshooting. Also, cloud systems store all their data on the server, reducing the risk of data loss or theft, and their monthly licensing fees are generally priced by the user, not the device, so you'll never get stung by the Business Software Alliance for users overinstalling your corporate software.
The biggest benefit, however, is that cloud-based applications keep vital data on your (or your provider's) servers, rather than on employee-owned devices.
Knowing When to Relax
Before you keep your company on a total employee-owned tech lockdown, do yourself a favor and consider your company's politics and culture. Every small business is different, and each has its own set of unique circumstances when it comes to how, where, and why employees use technology.
Ignoring these factors in order to manage risk could actually backfire; if you hamstring your employees with a draconian policy, they may react by bringing smartphones and other devices to work anyway -- except they'll do it quietly, without any oversight or management.
The best way to get a grip on this X-factor is to take an inventory of the most influential people in your company. What are they like? For example, is your director of sales in love with his iPhone, despite the fact that you only support BlackBerrys? Is he incredibly productive and well liked? If the answers to the last two questions are both "yes," you may want to build some flexibility into your company's BYO tech policy.