BYOD: Personal gadgets at work cut costs but cause problems

Companies are subsidizing employees' own laptop and tablet purchases, which gives workers added flexibility but raises significant security concerns.

Tech heavyweights like Microsoft Corp. and software maker Citrix Systems were among the first to do it on a formal basis, but small businesses of various stripes are catching on to a trend that promises greater workplace flexibility and satisfaction — while also posing significant security concerns.

When companies let their workers use home PCs, iPads and personal smartphones for work, there's a risk corporate information could be stolen or leaked.

Dubbed BYOD, for "bring your own device," it’s been happening for years in myriad ways — logging on to work email from a home computer, for example, or using a personal laptop to get work done during the commute. But it saw a rapid push into the realm of formal corporate policy with the 2008-09 recession and the recent explosion of consumer-oriented mobile devices, particularly Apple's iPad tablets and iPhones.

As the iPhone emerged in 2007, companies faced a dilemma: Should they allow employees to use a popular but essentially consumer device to access corporate email, rather than the then-dominant BlackBerry smartphone, which was designed with a bigger focus on data security? The issue came to a boil with the release of the iPad tablet in April 2010.

Meanwhile, some cash-strapped employers trying to trim overhead during the recession figured they could split the cost of office hardware with their employees. They hoped workers would go for it because it gave them more choice about the equipment they used at the office, and greater freedom to use machines for both work and personal tasks, says Mark Tauschek, research director at Info-Tech Research Group, an IT consulting firm in London, Ont.

BYOD "has origins that go back awhile. In any given company, you could probably find someone using their own laptop to do their own work," said Krista Napier, a senior analyst for Canadian digital media at market-research firm International Data Corp. "But more recently, some of these newer devices that have great consumer appeal have helped to drive BYOD, among them definitely media tablets."

Not surprisingly, the tablet that Canadian companies most commonly support on their IT systems these days is Apple’s iPad, Napier said. A fifth of companies surveyed by IDC in July said they support employee-owned iPads, just over a year after its release in Canada, while another five per cent said they planned to.

The vast majority of iPad sales, more than 90 per cent, are to consumers, not businesses. But the tablet’s widespread popularity — Apple sold more than nine million in its most recent quarter — means companies can’t ignore it if they want to give employees full liberty to pick up at home where they left off at work.

The iPad is "the predominant device that has become the catalyst for BYO, because it’s just the right form factor to be able to get consumer information and business content when you’re mobile," said Sumit Dhawan, vice-president and general manager of Florida-based Citrix, which makes software that lets companies set up remote servers for employees to securely access corporate data and applications.

‘People are more productive’

True BYOD policies are ecumenical, and don't favour any one device or platform. The aim is to let people work on the devices they're most comfortable using.

At IT Weapons, a 60-person computer-consulting company in Brampton, Ont., employees with at least a year’s service qualify for $500 biennially toward any computing device they want to buy, provided it meets the IT department’s basic specs. That’s over and above their work desktop or laptop, as well as the choice of a company-supplied BlackBerry or iPhone.

What drives it?

An International Data Corp. survey conducted in July found that the No. 1 reason Canadian companies are implementing bring your own device is influence from high-level executives. The typical case sees a senior manager buy a new device — a smartphone or tablet, say — for themselves, like it and then pressure their IT department to allow other employees to use it.

"People are more productive when they're happy with the stuff they’re working on, and that's a very important insight that we took seriously and implemented the program," said Jeremy MacBean, the company’s director of development. "And if someone wants to bring in their own technology prior to their first year, that's OK, as long as it's blessed by our technical team."  

One result is that employees are doing more work from home, MacBean said. "If people are happy to do work at home then great, and they feel comfortable, they don't feel burdened. They've got something they can sit in front of the TV [with] and check email on."

IT Weapons still has standard office hours, but its BYOD policy allows greater flexibility. During nasty winter storms, for instance, the company lets people work from home while roads get plowed. "They come in later, and they’re being productive and then can come in on safe, clean roads and already have an hour and a half of productive work under their belts," MacBean said.

It’s a similar arrangement to what U.S. food giant Kraft began in May 2010, when it started funding employees’ own purchases of work computers. At a company that traditionally used only PCs, staff who preferred could opt for a Mac, for instance. The company found that, not surprisingly, some employees are simply more productive when using the tools they prefer to work with.

Security risks

But with employees mixing work and leisure on one machine, and taking that machine away from the more secure confines of the office, all kinds of concerns come to the fore.

Sensitive corporate intellectual property might be at stake, or competitive secrets like how much a company is bidding on contracts, or personal data on clients and patients, in the case of the health-care sector. So companies considering the double-edged sword of BYOD need to have strict policies around access to data, experts caution.

IT Weapons, which sells Citrix’s remote-server software, uses it in-house as well. All work done on personal staff computers is done "in the cloud" — hosted on secure, central so-called virtual machines. Employees don’t literally take work home with them, they access work information from home. Their desktop, applications, folders and email all appear on their computer, but actually reside on a workplace server.

That also means no copying files to USB keys or your BYOD laptop’s C: drive.

"The reason we're so comfortable is that we have that remote-access infrastructure. If that laptop gets stolen, none of that data is available on the device. It's on the data centre, where everything’s secure," MacBean said. "People get smacked on the wrist around here if they store anything locally."

For some small businesses choosing to go this route, the cost of setting up their own servers could be too steep. But there are plenty of third-party options for scalable, remotely accessible cloud computing. At the basic end, with the least support and security, is something like Google Docs – which is essentially free.

At the high end, a boutique financial firm needing next to zero server downtime, 24/7 access to a live help desk and ironclad encryption can pay hundreds of dollars a month per user to a third-party hosting company, essentially renting time and space on secure servers.

In the middle, there are scores of service providers that will host small business data and applications based on a monthly fee that varies based on the number of users and the services they use.

For all small businesses implementing a bring-your-own-device workplace, whether they have their own servers or work with a third-party hosting service, vigilance is key, says Robert Beggs, CEO of Toronto-area IT security firm Digital Defence.

"You have to put the focus not on the device, but the data," Beggs said. "The risk is huge. The policy should be that mobile devices are convenient, so we’ll let you connect to our network once you meet our security level. Your laptop has to have antivirus, your mobile phone has to have a password and encryption."