BYOD or CYOD?

A look at which policy works best when it comes to employees’ mobile devices
By Steven Leo
|Canadian HR Reporter|Last Updated: 10/06/2014

Organizations today need employees connected and mobile, with continuous access to their networks. The handheld devices we’ve become so accustomed to, such as cell phones and tablets, are now everyday business tools.

The challenge organizations face is whether to allow employees the option to "bring your own device" (BYOD) or "choose your own device" (CYOD). While these descriptions may sound similar, they have distinctive differences and arguments can be made for the value of each practice. Employers need the facts to be able to make informed decisions and develop device usage policies and procedures that help mitigate any security risks.

CYOD is generally considered the more costly option. Employees choose from a limited selection of devices the organization purchases for business use, such as a company-issued iPhone, BlackBerry or Android. Often the device can be limited to use for work activities only.

Organizations interested in reducing these purchasing costs can choose BYOD, which gives employees the freedom to choose an option that best suits their personal and business needs.

But both policies, and particularly BYOD programs, need careful planning in a world of changing security risks. With the constant threat of data breaches, employers need to make decisions that best fit their business.

Some security experts believe the CYOD approach provides greater security as the device usually has limited use, so organizations with security concerns tend to choose this option. IT departments have more control over the device and its capabilities and can pre-install security software. In addition, administrator, firewall and network settings can be controlled, and IT staff can provide better support.

To reduce technology costs, however, many organizations are adopting the BYOD policy as it not only lowers the IT budget but also allows for increased productivity. But this option does come with more security challenges. These devices can have additional issues because they can mix business and personal use. What control would an employer have if an employee is downloading movies and unlicensed applications on her own cellphone if it is the same phone she uses for company business?

Without a well-designed and unified BYOD management strategy in place, companies risk exposing sensitive data to outside sources — even competitors. The goal is to adopt effective usage and security policies, while not making it more difficult for employees.

If an organization chooses a BYOD policy, here are three ways to adopt a successful plan:

Maintain transparency

Attempting to hide the unflattering aspects of a BYOD plan can backfire if employees discover them; being truthful about employee privacy rights and enterprise mobility management components fosters a sense of trust. The technology is designed to protect corporate information.

However, some systems collect employees’ personal location information and personal apps. Successful BYOD programs have privacy filters installed to restrict access to most personal identifiable information.

At the same time, building trust works both ways. Business leaders should feel confident employees are responsibly embracing the freedom of enterprise mobility. If at any point leadership feels workers are not handling company data securely, they should have the option to implement stricter controls.

Additionally, BYOD deployment should complement employee training. It’s a growing trend for companies to teach employees what is and is not acceptable, and which apps require caution. For example, corporate documents shouldn’t be forwarded to personal email accounts or work photos uploaded to the web or social platforms.

Maximize security

If a device is stolen or lost, real-time monitoring and remote wipe capabilities are some of the features IT can use to identify security threats quickly and respond effectively.

Health-care and financial services firms have traditionally had the highest security standards, but all industries are restricting the copying and pasting of sensitive information from email, calendaring and contacts to non-approved applications. The separation of corporate and personal data can help ensure appropriate levels of security are in place.

Monitor consistently

If a security breach occurs, it is important for IT teams to respond quickly and effectively. Some companies set up automated alerts to notify them in near real-time when a device is outside its predetermined "geo" fence, when a blacklisted application has been installed or when a user has reached his data limit.

These strategies can help companies adopt enterprise mobility programs that not only encourage more efficient work processes but also reduce security risks. The most optimal mobility strategy makes devices secure without impeding employees’ pace of work.

Steven Leo is the Toronto-based director of enterprise and workplace services, responsible for the network, security and workplace services offered by IBM Canada’s global technology services through IBM’s ITS division. For more information, visit www.ibm.com.