Who Will Foot the Bill for BYOD?

Wednesday, September 10, 2014

Patrick Oliver Graf

E595c1d49bf4a26f8e14ce59812af80e

The concept of "Bring Your Own Device" seems so simple. Employees can just tote their personal phone or tablet with them to the office – which they're probably doing anyway – and use it for work. Or, they access the corporate network remotely, from home or while on-the-go. BYOD and remote access have always seemed like a win-win arrangement – employers pay less hardware costs and employees gain convenience.

Of course, it's never really been that simple or straightforward. And now, following a ruling by the California Second District Court of Appeal, BYOD looks poised to become even more complicated.

Last month, the court ruled that companies in the state must reimburse employees who use their personal phones for work purposes. Specifically, the ruling covers voice call expenses, and reimbursement is not contingent on an employee's phone plan – even if the employee has unlimited minutes, for example, the employer must reimburse a "reasonable percentage" of the bill.

The consensus in IT circles is that the ruling muddies the water around BYOD. Now that there's a legal precedent for voice call reimbursement, mandatory data reimbursement could be the next shoe to drop. And why wouldn't it? Americans rack up more expenses for mobile data consumption than they do for voice calls. Should the law evolve, and if the California ruling sets a national precedent for other states, many companies may find BYOD no longer saves them that much money.

DataHive Consulting's Hyoun Park has said that the ruling would be a "deal killer" for many companies, while Forrester Research's David Johnson told Computerworld that BYOD could now be "sidetracked" for some companies as IT and business leaders scrum over how the ruling affects their own policies.

The 'Rights' of Employees

The reimbursement issue is one of many that have been whittling away at BYOD's appeal to workers. Also high up on that list are security concerns. Employers are worried that many workers who participate in BYOD do not use any additional security features beyond whatever came as the default with the device.

In response, employers have clamped down by adding more security, through supplemental applications and software. This not only undermines the whole concept of BYOD – since the devices are no longer fully the employees' "own – but there has already been a backlash by employees. Half have said they would stop using a personal mobile device for work if their employer forced them to install security applications. That seems like a very clear line in the sand.

Some have even called for some ground rules to dictate the relationship between workers and employers as it relates to BYOD and remote access. Webroot has gone as far as to call for a "BYOD Bill of Rights." Among its eight principles, employees' personal information would remain private, security applications would not denigrate speed or performance of a device, and employees would be able to choose whether to use their personal device for work.

One way for employers to create a secure BYOD environment, without infringing on any of the "rights" employees have defined for themselves, is through a VPN with central management capabilities, also in combination with container solutions like Samsung Knox or Open Peak Secure Workspace.

Network administrators can adopt VPNs to create a secure network tunnel through which devices connect to the corporate network. Central management functionality allows a network administrator to take action as soon as a breach is detected, whether that means revoking network access or deprovisioning a user.

The only way BYOD and remote access will continue to grow is if employers and workers are able to achieve consensus and compromise along the security-convenience spectrum.

Possibly Related Articles:
11022
General Network Access Control Network->General Enterprise Security Policy Security Awareness
BYOD mobile
Post Rating I Like this!
The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.