Cutting Tech Costs Comes With Risk

Your staff wants to use their own phones and tablets for work, arguing that it will boost productivity and reduce costs. Let them use the devices they want and they’ll be happier and more efficient. They already carry their own phones everywhere and don’t want to have to carry another or settle for the slow, outdated models provided by the organization.

There’s also cost savings, since you don’t have to assume the purchase and replacement expense for hardware provided by staff. But, is that actually true?

“If you don’t have to buy devices for your staff, it can look like a benefit,” said Jay Leslie, IT Director for the nonprofit Cambridge Housing Authority. “But you still have to support those devices, and support is probably the major cost. Hardware is cheap compared to IT support time.”

There are other downsides and risks, ranging from security to support issues. If you’re considering letting employees bring their own devices or use them to access email or calendar functions, how can your organization manage the details and minimize the risk?

“Put parameters around it,” Leslie said. Developing a Bring Your Own Device (BYOD) policy can make it clear what is and is not allowed and establishes rules for use, cutting off problems before they arise.

Which Devices Will You Support?

The first thing to decide is whether you’ll support personal laptops and computers or just mobile devices. Like many organizations, Cambridge Housing Authority provides laptops to staff members who travel because supporting personal computers would be too much work, Leslie said.

“Aside from being a security risk, having company information on someone else’s laptop is just an administrative hassle,” he said. “You’ve got multiple platforms, Macs, older versions of Windows, and everyone saying, ‘Hey, make this work for me.’”

There are ways to manage it. Organizations can install antivirus and firewalls onto staff members’ devices, for example, but that requires significant IT involvement and can lead to disputes about privacy issues. They can also install virtual desktops, essentially creating an online portal staff can use to access work software on an online server. “Virtualization provides pretty good security,” Leslie said. “If anyone steals their computer or tablet, they get the hardware but no data.”

Atlantic Philanthropies does not allow staff-owned computers to connect to the network at all, said IT Executive Steven Chang, for reasons of both security and support.

“Personal computers are not allowed, period,” he said. “A.P. provides users with webmail, which they can access from home or on personal devices, but staff who need computers for travel use machines owned by the organization.”
Smartphones are easier to support because less is asked of them. They’re primarily used for email, web surfing, and calendar functions — and, occasionally, for telephone calls. Atlantic Philanthropies not only allows staff members to use their own smartphones. They are required to do so. Staff members have the option of letting the organization contract with a mobile service provider to manage the phone number and account directly, or managing it on their own and submitting receipts.

Chang said he supports all models of Apple devices at the foundation, and those running Android to a lesser degree. He encourages the latest versions of hardware and operating systems for both.

“Our organization is fairly open in terms of software installs,” Chang said. “The Apple ecosystem is relatively safe compared to Android. If you choose to go Android or any other OS that works with our email, we’ll give you support, but it will be limited.”

Large organizations can also mitigate some BYOD issues using Mobile Device Management software, which makes each device a spoke connected to a central hub. IT staff can use it to upload software and updates, and even remotely wipe lost or stolen devices.

Smaller organizations struggling with IT issues and costs aren’t likely to be able to take on such software — or even to want to do it. BYOD is often simple for small organizations. If your organization uses Gmail, for example, staff members can access it — along with contacts and calendars — from any smartphone or device without the phone ever touching the organization’s network, eliminating many of the security concerns.

What Should You Be Concerned About?

“From an IT point of view, it’s all about security at the end of the day,” said network administrator Fausto Tavarez. “No matter what your business is, there are always people trying to find their way in. Nobody notices when you keep them out, but when they get in, everyone notices.”

It’s a lot harder to secure organizational data when it’s on employee-owned devices. “There’s a hack every day,” he said. “Every device that has Flash is a sitting target. There’s a new exploit every week. By allowing outside devices into our network, we’re opening ourselves up to Flash, Java, even Windows exploits. With BYOD, you’re kind of shooting yourself in the foot.”

Outside threats are not the only concern, either. Users put data at risk by sharing phones with other family members or losing them outright. There are ways to wipe or lock devices remotely without MDM software in the event of a lost or stolen phone, including features built into the Apple iOS and apps available for Android phones. A good BYOD policy might require installation of such tools, Tavarez said.

There’s also the question of apps, and who owns them. Staff want to be able to download any apps they want on their personal phones, but those apps might carry malware that puts all of the phone’s data at risk. Incautious users might also click links in emails and on web pages that introduce malware.

This can happen on a work phone just as easily as on a personal phone, but it’s a lot more complicated to restrict certain webpages on personal devices. It can also be a challenge to find the line that restricts usage of personal phones without eroding the appeal of BYOD.

What Should Your Policy Cover?

As technology and privacy issues evolve, policies should evolve with them. Generally your policy should cover the key areas discussed above. Be specific about what devices are allowed — will you support Apple, Android, or Windows phones? — and whether your organization will own the service contracts or reimburse staff. You should also establish a clear policy for when and how you’ll provide technical support for devices and what it will cover.
Chang said the Atlantic Philanthropies requires strict passwords, screen locks, and the installation of remote locate and wipe tools on staff phones. “That minimizes the risk,” he said. “If you happen to lose your device, whether or not you find it you should notify us right away so we can help you track it down or institute a remote wipe procedure and clear the device of anything sensitive.”

Security is a concern to all organizations, but to varying degrees. “It really does depend on the organization’s culture and what they consider to be high risk in terms of information,” Chang said. “Our organization does not operate in risky geographies, so in terms of data security, we’re more relaxed than a lot of organizations. We are primarily concerned about intellectual property and theft of data, and those things need to be a concern for everyone.”

A more complicated issue is identifying who owns the phone’s data, especially if the phone is lost or stolen and needs to be wiped. That could result in the loss of all personal data, including photos, music, and apps, though a good backup plan can ensure that data can be restored. A good policy will address backup requirements.
You should also consider how to handle employee departures, which is more complicated than just having them hand over a phone you provided to them. What happens to the data? What happens with the phone number and billing? Establishing a clear policy can prevent misunderstandings or arguments regarding what gets deleted or wiped.

“BYOD is still young,” Leslie said. “It’s something people are still evaluating, but a lot of organizations have pulled back from it. They jumped in, but now their legal departments are coming back and saying ‘Hey, you have no control over these devices.’”

If your organization has legal counsel, consider letting them review your policy for obvious concerns. A good policy will be tailored to fit the needs of your organization and staff. It should be realistic and manageable. Talk to staff and other stakeholders, including IT, to find out what’s feasible and involve all of them in the process.

There’s no need to reinvent the wheel. Many organizations have posted their own policies online, and other sources have created and shared templates. Start with one of those and customize it to fit.

Chris Bernard is research and editorial director at technology nonprofit Idealware and a frequent writer for The NonProfit Times. His email is chris@idealware.org