By Paul Starkman
At the top of the list of risks guaranteed to give HR a headache this year is employee use of personal technology for work.
It was only a few short years ago that employers began to embrace the bring-your-own-device (BYOD) trend, allowing employees to use their personal phones, tablets and laptops for work.
Today, bring-your-own-device into the workplace is a given, with nearly two-thirds of technology-dependent Millennials using a personal device at work.
BYOD policies growing rapidly
As the mobile workforce grows, more and more corporate IT departments are officially acknowledging that people prefer to use one device for personal and professional use.
According to Gartner, the information technology research firm, by 2017 half of all companies will expect employees to use their personal devices for work.
A mobile workforce increases security risks, challenging IT departments to develop solutions that aren’t heavy-handed. Employees understandably bristle over procedures and policies that appear to threaten their privacy or limit how they can use their smartphones and tablets to get work done.
HR can play a front-and-center role in managing the unintended consequences of tension and mistrust by working with IT to create policies that balance the corporation’s security needs with the employees’ confidentiality and privacy requirements.
5 areas you should focus on
In 2014, set your policies and design your security architecture around these broad areas:
- Update your mobile device policies to engage employees in shared responsibility for protecting corporate data. In the past, mobile device security policies generally were limited to employees who accessed corporate networks through devices that were company-owned. In 2014, review, update and extend those policies to include employee-owned hardware and software usage. Regardless of who owns the device, an effective policy includes a user agreement that clearly defines employee eligibility, usage, approved devices and platforms.
- Balance flexibility with confidentiality and privacy requirements. To regain control over mobile devices, companies are developing novel models like COPE (corporate-owned-personally-enabled) and CYOD (choose-your-own-device). These plans may give employers more access to company data on mobile devices, but they are not foolproof. If you allow personal use, then you’re blurring the lines between corporate confidentiality and employee privacy. Even if your policies eliminate the expectation of employee privacy, companies should not cross into password-protected personal accounts, websites and social media.
- Protect your intellectual property and confidential corporate data. In the mobile device universe, at most risk are your valuable corporate assets like intellectual property, computer source code, proprietary research, client lists and confidential financial information. In a survey by Symantec, 50 percent of newly unemployed workers kept confidential corporate data and almost half of this pool said they would use this data in their new jobs. COPE and CYOD devices may offer some data security advantages and can act as a psychological deterrent. If nothing else, employees may be less inclined to steal proprietary information if they are using a corporate-owned device or if they use a personal device that they know can be monitored for abuses of company policies.
- Carefully consider how your mobile device policy aligns with employee expectations. It’s a good idea to involve HR in mobile device policy development. A federal district court case in Chicago is only one of many that could have far-ranging implications for wage and labor claims related to after-hours mobile device use. One question is whether employers must pay non-exempt employees overtime under the Fair Labor Standards Act for time spent reading and responding to email on their smartphones after work hours. Technology moves far faster than the law can keep up, and the fact that the court is allowing this case to go to trial suggests we could see more cases like this.
- Keep up with technology. Complicating HR’s job is ever-evolving mobile device technology. Apps like Vine allow employees to quickly post short videos on the Internet. Dropbox and other cloud-based data-storage technologies allow employees to easily download and send large amounts of corporate information to third parties. Now, there is also self-destructing social media that destroys messages and images soon after they are sent. Facebook has an app called Facebook Poke that purports to erase pictures and messages within 10 seconds of being sent.
Much of this new technology still leaves a digital trail that can be uncovered by computer forensic experts, but these new developments make it even more imperative for employers to address employees’ work-related use of personal devices.