BYOD Policy: Pay Up or Play the Game?

Here are some considerations for assessing your organization's BYOD policy.

Bring your own device (BYOD) has moved from organizational buzzword to must-have for many businesses. It's easy to see why: According to ComScore, smartphone penetration of the U.S. market surpassed 80 percent in 2016 and shows no sign of slowing down. As a result, employees not only expect mobile permissions in the office but are typically more productive, leveraging their devices for both work and play when they're at home, on the train or traveling.

The challenge? BYOD policy must evolve to meet emerging security threats: Are finance leaders better off enabling mobile access for personal devices or embracing a corporate-owned, personally-enabled (COPE) strategy to help manage access concerns without stifling staff use?

In other words, should you COPE with cash or play the BYOD game?

The BYOD Battle

Mobile users present a real risk, especially when they're out of the office. As noted by CIO Dive, two-thirds of people will connect with unsecured Wi-Fi hotspots, in turn exposing both device and user ID. More worrisome? Business mobile users have the highest chance of malware infection, with more than 70 percent using risky apps every day.

But there are also advantages to BYOD. Employees get to use the device of their choice, helping reduce the stigma of corporate IT as "stifling" staff creativity and efficiency. Crafting effective BYOD policy remains difficult — firms need to create a list of "approved" devices that can access corporate networks and either implement containerization to address potentially damaging apps or develop a whitelisting policy that clearly communicates the consequences for using out-of-bounds software.

For finance leaders, BYOD is often appealing given the low-cost entry — users are responsible for buying their own device and footing the bill for monthly services. But security breaches thanks to lax policy or willful disobedience can quickly eliminate any savings given the cost to clean up network malware, manage PR fallout and re-secure access points after remediation.

Better COPEing Strategy?

Despite the headlines, BYOD isn't the only option on the table; COPE is now making a comeback as enterprises look for ways to both exert a measure of control and empower staff productivity. If corporate-owned devices are on the table, finance leaders have two broad options — pay for everything, or meet users in the middle. Both have their own advantages but come with unique BYOD policy challenges.

If your organization expects employees to complete work from home or on the road, you'll want to reimburse staff for some of their mobile costs. Under this model, users choose the device and businesses subsidize some or all of the monthly bill. As noted by ZDNet, managing this middle-of-the-road mobile solution demands that "a clear and detailed agreement must be signed, stating the rights and responsibilities of both parties around usage and handling of corporate and personal data and applications."

In other words, you need to lay out exactly what level of control IT has over devices (for example, mandatory data encryption, the installation of remote wiping apps and the use of access controls) and where employees enjoy privacy. Finance leaders can expect lower up-front costs and improved overall security, but don't underestimate the total complexity of this solution. IT staff will be busy making sure users don't violate mobile agreements, while employees may push back against evolving IT policies.

Finding the Middle Ground

Your other option? Pay for everything up front. Let users choose from a list of approved devices that are then purchased by the organization and billed to corporate accounts each month. For finance leaders, this means big spending up front and ongoing costs over time, but allows IT teams to create strong, straightforward and universal security rules. Employees, meanwhile, get some freedom of choice over their device and are given permission to use it for both personal and business tasks. The challenge? IT must be able to clearly demonstrate that personal data is kept secure, even as they monitor staff usage.

COPE, BYOD or a hybrid model? Each offers unique benefits. For finance leaders it's a question of risk vs. reward. BYOD costs are negligible up-front but potentially crippling downstream. COPE, meanwhile, demands significant spending but grants enhanced mobile oversight and the security of ongoing stability.