BBC Capital

Smart business — or a security nightmare?

BYOD

Personal devices can be useful at work – but some companies shy away from allowing employees to use them. (Thinkstock)

Comfort Care Services thought it had made great technological strides by issuing laptops to about 200 of its mobile workers last year. But things didn’t go as planned.

Despite having been trained on the company-issued computers, many employees throughout the social service organisation’s 51 UK locations instead used their own devices to take notes during patient visits. Some even used scraps of paper.

“People were reluctant to use the laptops because they found them a bit cumbersome,” said Gee Bafhtiar, operations director at Comfort Care Services, which provides housing and rehabilitation services for adults with mental illness and other special needs. In fact, about 30% of the laptops deployed were barely touched.

Some employees didn’t want to wait through the multi-step logon process. Others worried that pulling out a big, black piece of hardware would upset their more anxious patients — using a smartphone or tablet seemed less intrusive.

“Many of our staff members were saying, ‘We’re perfectly happy with our own devices’,” Bafhtiar said. “We realised that without allowing [bring your own device] in, we weren’t going to realise the efficiency gains.”

The “bring your own device” genie is out of the bottle at workplaces worldwide.

A new survey by international recruiting company Robert Half found that three-quarters of UK employers let workers use their own laptops, smartphones, tablets and other devices in the workplace. Similar Robert Half surveys conducted last year found that nearly half of Canadian employers and one-third of US employers allow staff to access corporate networks with their own devices.

The challenge for companies and managers lies in creating a BYOD strategy that keeps workers happy, while also keeping sensitive corporate and client data secure.

Viruses and device theft aren’t the only concerns. Also keeping IT departments awake at night: workers who use their own devices to e-mail sensitive company data outside the corporate network; use of mobile apps like Dropbox and Google Docs to store corporate documents; and the ever-growing roster of contractors, consultants and freelancers using personal devices to work on company projects.

“Everybody’s trying to deal with this,” said Richard Jordan, principal at eBusiness Strategies, a workplace management consulting firm based in Houston, Texas. “It creates all kinds of security problems, but there’s no way to stop it because it’s becoming more and more pervasive. It’s an atom bomb with a pin pulled and put back in with tape.”

Securing data, not devices

To combat such issues, some companies try to ban all on-the-job use of personal devices. But given their pervasiveness, that’s not always realistic.

Instead, companies should develop a BYOD strategy that reduces risk without stifling employee productivity, said Steve Durbin, global vice president of the Information Security Forum, an independent non-profit that develops best practices for data security.

“The answer is to manage the access to the data,” Durbin explained. “Worry about that first and the shiny new toys second.”

That’s how international cloud computing company Citrix handles the situation.

The company began allowing workers to use their own devices five years ago. Today 40% of laptops, 73% of smartphones and 90% of tablets used at the 8,500-person company are employee owned. People choose what makes sense for them, said Michael McKiernan, Citrix’s vice president of business technology.

To prep a personal device for corporate use, employees must download a plug-in, much like downloading a smartphone app. A quick two-step authentication process then connects the device in question to the corporate network. Employees cannot save data to personal devices; instead, data gets stored in a cloud-based data centre the company owns.

“It’s not zero risk, but it’s a manageable risk,” McKiernan said. In fact, he added, “we have fewer security issues with the employee-owned devices than we do with corporate devices.”

He chalks this up to “rental car syndrome” — the idea that people do not take care of borrowed equipment as well as they do their own. Case in point: McKiernan said the IT department regularly gets laptops back with “tire tracks on the screen or a nail in the keyboard.” Not so with the personal devices employees use for work.

“When you have personal information like pictures of your kids or your music on one of these devices, people take much better care of that. And that’s what translates into fewer security issues,” McKiernan said.

A solid data security policy is key

Of course, a BYOD programme is only as strong as its data security.

“You have to make sure people understand what they can and can’t do,” said Jordan, the workplace management consultant. That means providing workers with clear, concise guidelines and training.

Take Lafayette College in Easton, Pennsylvania. The school’s data stewardship policy details the type of data that faculty and staff cannot store on personal devices, including students’ personal information and information subject to federal regulations.

John O’Keefe, Lafayette’s vice president and chief information officer, stresses that the school’s BYOD rules — and for that matter, the private cloud computing platform storing its proprietary data — are a work in progress.

“It is constantly evolving, changing as technology does,” he said.

Nor are BYOD policies one size fits all.

“We have a small number of users that we put special restrictions on,” Citrix’s McKiernan said.

For example, the company prevents workers in its mergers and acquisitions group from including attachments in e-mails sent via mobile device.

And technology companies and educational institutions aren’t the only ones making strides with personal device programmes.

BYOD at Comfort Care Services has come a long way in the last year. Now, instead of requiring mobile staff to work on company laptops, “any device is allowed, subject to it being loaded up with our desktop client,” Bafhtiar said.

If an employee loses his or her device, the IT team can now erase all company software from that device and block it from the corporate network.

This particular security policy has been critical as the rapidly expanding social service organisation hires new staff and shares medical reports with authorities and healthcare professionals outside the company.

Since moving to this new system, “we have less complexity in the organisation,” Bafhtiar said. “We haven’t had a single data breach.”
