Bring Your Own Device

Page Content

It began with a simple question posed by frustrated employees: "Why is the laptop or smart phone I use at home so much better than what I have in the workplace?" When executives at companies such as software maker Citrix Systems began taking the question to heart, the bring-your-own-device movement was born. Today, fueled by the growing popularity of Apple's iPad and iPhone, more organizations are allowing workers—beyond just the executive and information technology staffs—to use personal mobile devices at work.

It's not just a preference by younger workers that's spurring companies to adopt bring-your-own-device policies. Business leaders find that offering greater choice in work technologies can:

• Boost productivity and satisfaction levels of most employee generations.
• Reduce capital equipment costs.
• Lift some computer support burdens from the IT staff.
• Others say bring-your-own-device programs aid in recruiting.

According to a July 2011 study from the Aberdeen Group, a Boston-based human capital research firm, 75 percent of 415 surveyed organizations around the globe are now allowing employees to use their own mobile devices for business purposes. In addition, a fall 2011 survey of 1,663 IT workers in the U.S. by Forrester Research found that 48 percent of the respondents now buy the smart phone they want and use it for work. Given the mushrooming popularity of tablets—which are less expensive than most laptops—most experts expect the trend to grow.

This "consumerization" of workplace technology has implications for human resource functions. While positives include enhanced productivity and morale, the use of personally owned devices for work also presents threats to data confidentiality, security and employee privacy.

What happens, for example, if an employee leaves the company but still has sensitive company data on a dual-use iPhone or iPad? What if hackers prey on the less-mature security features of an HR manager's preferred smart phone or carrier network, embedding malicious software or gaining access to personally identifiable information copied there for temporary use? And if an employee breaks copyright law in downloading material from the Internet to a personal device while on the job, is the organization subject to legal action?

Human resource, legal and line executives must understand these issues before launching any bring-your-own-device programs.

Power of Choice

Citrix Systems is a pioneer. It launched a bring-your-own-device program in 2008 after a survey found that many employees were happier with their home computing devices than those in the workplace. Participating employees each receive $2,100 to purchase their choice of laptop along with a three-year service warranty, says Brandy Fulton-Moorer, vice president of human resources. With an average three-year cost of $2,600 to procure, manage and support an enterprise-supplied laptop, executives say the program represents a cost savings to the company.

About 20 percent of 6,800 worldwide employees use the program, including members of Fulton-Moorer's HR department. "We have people who've purchased their own laptops or iPads, and some like to have separate devices for different work purposes or situations, with one being company-provided and the other employee-owned," Fulton-Moorer says.

Citrix takes data security and employee privacy issues seriously, Fulton-Moorer says, employing homegrown "virtualization" technologies to ensure that sensitive HR data remains centrally managed and locked down on servers so it can't be transferred to employee-owned devices.

As a multinational company, Citrix's HR professionals have to keep up with data privacy regulations around the world. In countries with stringent privacy laws, for example, employers aren't allowed to monitor the activities of employee-owned devices on a corporate network, even if that smart phone or tablet resides on business premises. That means multinationals often have different policies for different global regions; as a result, employees in some regions remain ineligible for bring-your-own-device programs.

"Data privacy rules tend to be different or more restrictive outside of the United States, and we strive to adhere to the highest common denominator," Fulton-Moorer says.

Despite technology safeguards, she says, training HR staff regarding access to and use of sensitive corporate data remains paramount. The more private the data are, Fulton-Moorer says, the tighter they should be locked down.

Social Security numbers or health care data "shouldn't even be visible to most HR staff," Fulton-Moorer says. On the other end of the spectrum sits sensitive data that should be highly secured but that employees need to access regularly, such as performance evaluations.

The proliferation of dual-use devices in the workplace presents legal, data security and compliance issues for all companies.

"HR team members have to access evaluations to coach and provide services to individuals they support, but there is never a need to copy or load them onto personal devices, and our technology doesn't allow them to do so," Fulton-Moorer says.

Freedom with Accountability

At consumer products company Kimberly-Clark in Irving, Texas, executives' fondness for Apple's iPhone led to a new policy allowing employees to connect their own mobile devices to the corporate network for business purposes.

Some 3,000 Kimberly-Clark employees now use their personal smart phones or tablets to access corporate e-mail, calendars and contacts. Should their device be lost or stolen, or if they attempt to enter an invalid password a maximum number of times, all the information on the device is "wiped" remotely through the company's mobile-device management system. Employees sign an agreement consenting to this arrangement, since such destruction runs the risk of wiping out personal information like family photos or contacts.

Martin Evans, vice president of human resource business enablement, says the program helps employees be more productive, positions the company as progressive to potential recruits and sends workers a positive message. Specifically, it says that the company will treat them like adults, it demonstrates that the company cares that they have the right tools to do their jobs well, and it acknowledges that there are different work style preferences, Evans says. Anecdotal evidence shows that the bring-your-own-device program gets "a strong positive reception."

At Carfax, a Centreville, Va., provider of vehicle history information, executives say a bring-your-own-device initiative boosts productivity and helps attract candidates. Employees can apply for an interest-free loan from the company for up to $2,000 to buy their devices, and they have two years to pay the loans back.

"It's a good feeling from a recruiting perspective when we talk to a candidate who says, 'I don't want to give up my personal smart phone, I love it and have had it forever' and we tell them they won't have to carry a second, corporate-owned phone," says Toni Amey, vice president of human resources at Carfax.

About 800 employees participate in a two-year-old bring-your-own-device program at Kraft Foods, the Northfield, Ill., food and beverage conglomerate, says Mike Cunningham, chief technology officer. Kraft provides a stipend for workers to purchase Apple or Windows devices of their choice. Not everyone is eligible, however. Managers who frequently handle personally identifiable information, for example, including some members of the legal and HR departments, aren't allowed to participate.

Cunningham says the program creates a lower-cost model from an IT perspective, and it has clear employee satisfaction and recruiting benefits.

The program "strengthens work/life balance for our employees," Cunningham says. "No two people work exactly the same, and by giving employees the freedom to choose the computer that best suits their work style, we think we're accommodating their work needs in a more proactive way."

Rather than giving employees a stipend, Sybase, a Dublin, Calif.-based software provider, picks up the monthly service fees for personal devices used for work, says Jim Swartz, chief information officer. With their managers' approval, employees order services such as text messaging, international service and certain data plans.

In return, participating employees agree to let Sybase install security software on their devices to perform remote data wipes should the equipment be lost or stolen. Data encryption technologies provide additional security.

"The program is designed to help our employees be more productive from anywhere, anytime from almost any mobile device," Swartz says. "From an HR standpoint, employees can do things like conduct personnel requisition approvals and make or approve vacation requests from their mobile devices."

Ensuring Data Security

The proliferation of dual-use devices in the workplace presents legal, data security and compliance issues for all companies—and such issues are heightened in heavily regulated industries such as government, health care or financial services. In addition, although data security features for the iPhone and the iPad have improved, experts say they still can't match protections provided by Research In Motion's venerable BlackBerry. Although not invulnerable, the BlackBerry is known for its ability to combat hacker incursions and malicious software. Yet it has become a less popular choice in bring-your-own-device programs.

According to the 2011 iPass Global Mobile Workforce Report, iPhone now holds 45 percent of the worldwide smart phone market share among mobile workers, which is up from 31 percent a year earlier. In 2010, BlackBerry held the top spot.

Under bring-your-own-device policies, more responsibility for security protections such as keeping anti-virus software up-to-date falls to workers instead of technicians in IT departments. IT is typically only responsible for troubleshooting problems on employee-owned devices associated with corporate software, not the operating systems.

Making employees responsible for the security of their own technology devices represents the best safeguard against sensitive information reaching an employee-owned device. Many employers protect such data with "virtualization" technologies that keep the data or intellectual property locked on servers in central data centers, even when accessed remotely by mobile devices.

Many corporate leaders embrace the idea that, once they’re educated on the risks, employees will take better care of devices they own.

According to Citrix Systems' policy, "Never have unencrypted data that is subject to regulation on your mobile device, which includes personally identifiable information," says Kurt Roemer, chief security strategist. A protected network folder holds HR applications at the company, Roemer says, and employees must use virtualization technologies to access it.

"The system prevents anyone from cutting, copying, pasting or saving any data to their local mobile device that the company doesn't want them to," Roemer says. "Our technology makes sure just keystrokes, mouse clicks and screen refreshes are moving across the corporate network, not actual files or data."

So, for example, an HR specialist can no longer copy an Excel file with salary information to his laptop to work on at home.

Many corporate leaders embrace the idea that, once they're educated on the risks, employees will take better care of devices they own—even from a data security perspective—than they will company-supplied laptops or smart phones.

With employee ownership, "They're more diligent about keeping devices updated, want them set up a certain way and welcome use of virtualization technologies, since they keep sensitive data from being stored on their devices," Roemer says.

The author is a freelance writer and editor in Minneapolis.