I have 10 people in my company. And a half dozen other contractors. These people are using smartphones, tablets and laptops to access our data. We do not have a BYOD policy. Do I really need one? Do all businesses, big or small, need to really worry about this? Or is it just another scare tactic from a bunch of IT guys looking to put fear into their clients' minds and generate additional billable hours?
The fact that everyone in my company has a different smartphone is of no concern to me. Why should I care if Sam prefers his iPhone but Josh likes his Droid? They are using their phones to call clients on Verizon or AT&T or whatever so I'm not exposed to any risk there. The same with texting. But uh oh...then there's email. Am I exposed to security issues when they send and retrieve email from our server? No. That's because we have a hosted mail server and each employee has their own login to their email account. They set up their email on their own with instructions we gave them. Viruses, spam and all the other evil things that could happen via email are (hopefully) controlled by the security software running at the server level.
But what about devices like tablets and laptops? Should I be requiring everyone to use an iPad? A Galaxy? A Surface? I'm not sure why I would do this either. As of now we don't have any type of customized mobile application that we're using as a company. Instead we, like most of our clients, are using these devices to connect into our server via Remote Desktop.
Some people prefer Citrix. To me, it's all the same. The device is nothing more than a dumb terminal. All the work is being done on the server. The connection is secure. A setup process was required to get the client application installed and configured. But the connection is made through our Virtual Private Network so it's a secure tunnel. No data is stored on the device either. If anything, the biggest concern we've had (as have our clients) is that the screen on the typical tablet is just too small to really do effective work. But from a security standpoint, I'm not seeing the need for a small company like mine to establish a BYOD policy.
But there are legitimate issues about all these devices.
For example, synching of company data to a device is a good reason to have a BYOD policy. Anyone with a good customer relationship or contact management system will likely want to bring their contacts and calendar down to their device to look at offline. How this is done will vary depending on the device and could eat up support time. Securing this data is also a headache, and although most of that is normally done at the application level it's right to be concerned about company data that's out and about with an employee. Particularly if that employee ups and leaves the company. Every business, big or small, should be worried about that.
And larger companies have larger support problems. I have a friend who's a partner in a 200-employee law firm. The firm has a strict BYOD policy and the IT department only supports certain devices. In fact, he has to carry around a BlackBerry for business along with his personal iPhone. It's a royal pain for him. But I can sympathize with his IT department. I understand the reasons why they want a BYOD policy. The more devices accessing email, remote desktop, Outlook, etc., the more support issues come up and IT resources are stretched. It's not their fault. It's a resource and budget issue. So therefore a strict policy must be enforced to minimize these costs.
So there are legitimate reasons to justify a BYOD policy, even for smaller companies. But in my opinion it's still a bad idea. Because a BYOD policy is just one of many policies that enable IT people to exercise too much control and not enough customer service. That's not their fault. It's senior management's fault.
I see this all the time. IT departments that lock down security to the extent that people can't access data from the road. Or disable key features of applications because they don't want to support them. Or nix the idea of iPads for the sales group, even though the sales group would be much more productive with them, because iPads aren't supported internally. When I see a company controlled by powerful IT guys I see a company with a lousy corporate culture. I see a company where senior management are hamstringing their IT people who must then hamstring users.
My lawyer friend hates his BlackBerry. He prefers his iPhone. It's more user-friendly. He's more productive with it. He has to spend time transferring contacts or forwarding messages between his phones. This guy is a lawyer. The most profitable thing he should be doing for his firm is practicing law. Not dealing with technical headaches because the firm's senior partners have limited their IT group to such an extent that they require a BYOD policy that limits him to using just a BlackBerry. It's like a team requiring every baseball player to use a 34-ounce bat because management doesn't want to buy bats that are heavier.
Does it cost more money to support multiple devices? Sure it does. But really, what's best for the employees? What will help them do their job better? What will make them most productive? Maybe the extra cost for that additional IT person will result in 10 more billable hours a month for that attorney or five more orders placed this week from that salesperson. Thank goodness my business, and most small businesses, don't have to deal with this. But for larger companies considering a BYOD policy I suggest you consider your organization's culture first.
A BYOD policy isn't good policy. It limits users. It hurts productivity. And it impacts profits. An employee should be allowed to use whatever device helps him or her do the best job possible. But don't blame the IT guys if they don't allow that. The issue goes higher than that.