3 Reasons BYOD Policies Give IT Folks A Headache

BYOD policies are not more secure, they're not more convenient, and their legal risks simply outweigh their benefits.

BYOD practices at companies and firms can be a huge headache for IT professionals. A few weeks back, I had the opportunity to present the counterpoint to arguments in support of so-called Bring Your Own Device policies. We were in Chicago for the PREX Conference — an event devoted to corporate legal professionals — and my friend and colleague David Cohen made the argument in favor of BYOD.

I took the position that allowing employees to connect their personal devices to company systems creates unnecessary security risks; they impact legal, compliance, and management decisions every organization has to confront, and they create a huge burden for IT professionals, with negligible cost savings. Moreover, I argued, allowing employees to connect personal devices at work encourages personal activity on company time, and it could give rise to wage and hour claims.

For those legal operations readers who were not in Chicago for PREX, I thought it might be useful to recap the three big reasons BYOD policies are problematic.

Security. Under BYOD policies, employees are accessing company information on their phones, tablets, and laptops. Some would say that Apple devices are pretty secure, while Android devices are less so. It’s easy to swap out a SIM card on an Android device.

There are also WiFi and hotspot connections all over the place. Anyone who’s even marginally paying attention has heard horror stories about hacked WiFi connections. It is true that if a hacker really wants to get your data, they can. The question is: Why make it easier?

Laptops present a whole other dimension of security risk. In a virtual desktop environment, it’s better; but with VPN connections, there is data going back and forth and applications are running on the laptop. It’s just another opportunity for a hacker to intrude.

BYOD policies basically surrender control of the device to the user, and experience tells us that doing so more often than not results in bad outcomes.

Inconvenience. It is a logistical nightmare to manage employee devices under a BYOD policy. Some people may have two or three devices. IT professionals need to support all these devices, with different operating systems, and there are software incompatibility issues. Consequently, IT folks need to buy Mobile Device Management programs, hire additional staff, and constantly push out updates and security patches to all these different devices. If you’re a small organization, this affects scalability and impacts organization infrastructure, not to mention costs.

Legal. BYOD policies implicate storage, retention, data transfer under the GDPR, and other regulatory schemes. And there are privacy issues. What about legal holds? Legal holds, incident response, and data breach — it’s difficult to imagine three more important risks that legal operations professionals face. How do you put a legal hold in place when every employee has three devices and they are geographically dispersed? In today’s interconnected world, these devices often contain the most critical evidence.

Lastly, wage and hour claims have been on the rise in part because of BYOD policies. Hourly or non-exempt staff may need to be instructed not to answer emails after hours unless you want to pay them overtime, and even that may not suffice.

In short, BYOD policies are not more secure. With company-issued devices, the company can control them and dictate the terms of their use. BYOD policies are also not more convenient. In fact, they present a logistical and management nightmare for IT folks. And lastly, the legal risks simply outweigh the benefits of having a BYOD policy.

And frankly, it is not at all clear if BYOD policies are more cost-effective, because IT can bulk purchase devices and employees insist that employers pay for data plans and software licensing.


Mike Quartararo is the managing director of eDPM Advisory Services, a consulting firm providing e-discovery, project management and legal technology advisory and training services to the legal industry. He is also the author of the 2016 book Project Management in Electronic Discovery. Mike has many years of experience delivering e-discovery, project management, and legal technology solutions to law firms and Fortune 500 corporations across the globe and is widely considered an expert on project management, e-discovery and legal matter management. You can reach him via email at mquartararo@edpmadvisory.com. Follow him on Twitter @edpmadvisory.
