October 01, 2019 Feature

Bring Your Own Device: The New Bring Your Own Beverage?

Shreya Biswas Ley

Our firm’s first hire was someone to help us with marketing efforts. We bought her a laptop, bought her an external monitor, and also purchased a “company cell phone” that she could use while at work to make calls. In retrospect, some of this was silly—our entire law firm is in the cloud, accessible from any device, but we wanted to “do things right.”

We wanted an air of professionalism—we wanted to ensure that a company phone number would be listed for outgoing calls; we wanted to ensure smooth knowledge transfer if she moved up or out; and we wanted to ensure security of data. We thought there would also be some mental and emotional benefits to receiving work devices. After all, our first jobs came with equipment and it felt “official” receiving that company computer or cell phone.

These days we get so attached and comfortable with our own devices, and most people are creatures of habit. Our new hire struggled with using an unfamiliar laptop and an unfamiliar phone, on top of getting used to her new position.

Before “Bring Your Own Device” (BYOD) was a thing that people wrote about, I remember working at a large corporation and setting up work e-mail on my personal iPhone. As an employee, I didn’t think of it as BYOD, I wasn’t concerned about data security, and my managers not only knew that I was using my personal iPhone, but they encouraged it. After all, they had done the same. It was normal to send off quick, after-dinner e-mails or log in to work for late-night conference calls with international colleagues.

And with our employee, there were holes that we didn’t anticipate: As she took on our marketing efforts to find groups to speak to, she reached out to dozens of people on Facebook and LinkedIn using her personal accounts. Ultimately, her employment didn’t work out, and we transitioned her out. The we realized the gap: How could we ensure these connections that she made with people through her personal accounts got transferred to someone else? And she had received and was going to continue to receive communications about our firm on her personal e-mail and devices despite our best efforts. So, how do we adapt for the next time?

And was it just her? Or do we need to stop fighting the inevitable intertwining of business and personal?

The three main concerns associated with BYOD are security, knowledge transfer, and privacy.

The three main concerns associated with BYOD are security, knowledge transfer, and privacy.

Is Having a BYOD Policy Really Beneficial?

There are two main factors that organizations consider when thinking about adopting a BYOD policy: (1) Will it save money? and (2) Will it boost productivity? Many articles and organizations seem to equate these questions with, “Is it beneficial to adopt a BYOD policy?” However, it appears that “Is it beneficial to have a BYOD policy in place?” is not necessarily the same question as the other two. The answer to “is it beneficial?” appears to be a resounding “yes,” while the answer to the other two questions appears to be the very lawyerly, “it depends.”

Studies conducted by Dell Software, CISCO, and a collaboration between Samsung and Frost & Sullivan all seem to conclude that BYOD policies boost productivity and increase savings. The Samsung and Frost & Sullivan collaboration states that BYOD boosts productivity by 34 percent. The CISCO study reports that companies save an average of $350 per employee per year and save as much as 81 minutes a week by letting employees use their own devices. The Samsung and Frost & Sullivan study more optimistically reports 58 minutes of time savings per day with a BYOD policy and increased personal time as well.

In contrast, a CIO.com interview of Brandon Hampton, a founding director of Mobi Wireless Management, questions these results. He states that once companies factor in stipends for reimbursements and implementing effective mobile device management systems, there is little, if any, cost savings. That said, he also states that BYOD policies could be seen as a perk for legal professionals, specifically. In a separate article on the same website, the authors state that actual, quantitative data (rather than more anecdotal or qualitative data) around increased productivity is hard to come by.

Despite the lack of quantitative findings supporting cost savings and productivity, it is clear that employees and IT professionals perceive that there are benefits in time, productivity, and cost. This perception may be just as important as the actual benefits. Dell Software reports that 61 percent of Generation Y and half of all workers over 30 believe that the tools and applications they use personally are more effective and productive than their work-provided tools and software. I can attest to this attitude—I’ve worked at companies that used what I perceived as extremely outdated technology. Because I felt like I could be more efficient on my own software and computer, I used my own and then transferred the work to my work computer using a flash drive or e-mail. Was I allowed to do that? I have no idea, but I figured that what they didn’t know couldn’t hurt them. Plus, I was providing them with a faster, better product, so what could they really complain about?

My personal anecdote illustrates the story of many workers, which goes to show that even if you don’t have a BYOD policy, it’s likely your employees are using their own devices anyway. It’s better for your firm to have a policy in place to address the usage rather than turning a blind eye to what people are already doing.

Additionally, there may be other, less measurable benefits. Amy Nelson, a former corporate litigator and founder of the national membership network the Riveter, is an advocate for flexible work environments. She writes about their necessary role for parents, particularly women, in balancing their parenting duties with work. Particularly, she discusses how more flexible work environments would lead to retaining more women in the workforce (tinyurl.com/yytapzbr, tinyurl.com/y23jnetf). Allowing workers to use their own devices allows increased flexibility so they can work on the road or from home.

Speaking of working on the road, some law firms are building new, innovative models that are fully reliant on BYOD policies so workers would have no other option than to BYOD. One example is Greg McLawsen of Sound Immigration in the Seattle-Tacoma area, whose firm has an entirely distributed workforce. Taking advantage of remote workers saves costs associated with having traditional brick-and-mortar office space and creates owner and workforce autonomy. Employees, contractors, and owners can, within reason, dictate their own work and travel schedules. Their clients don’t have to spend precious hours of their day commuting to and from their lawyer’s office, and they appreciate the convenience. Additionally, due to the nature of his practice, Sound Immigration is able to serve clients nationally.

I can attest to clients having this preference—most of my clients with ongoing needs, even those who are in the same city as me, prefer to send me an e-mail or hop on a short phone call rather than driving to my office for a meeting. They have jobs, family time, and businesses that they are juggling. And, for our firm, we have found it beneficial and necessary to work with people outside our city.

We’ve also seen an uptick in potential candidates who are interested in being “digital nomads.” And this last winter my partner and I worked from various co-working spaces, coffee shops, and remote locations in Southeast Asia. The summer before, we worked from Jackson Hole, Wyoming, for a few days before attempting the Grand Teton summit. We’ve instituted our own mobile device management policy and follow it ourselves while on the road to ensure that our data is secure. So, if we are interested in it, we can’t blame candidates for also wanting that flexibility.

What Are the Concerns?

Regardless of the benefits, tangible and intangible, I think we have established that implementing a BYOD policy is beneficial. This policy should exist and be adopted regardless of whether you choose to have corporate-owned devices, all personal devices, or somewhere in between. But let’s dive into the concerns with employees using their personal devices for work and how to mitigate those concerns.

The three main concerns associated with BYOD are (1) security, (2) knowledge transfer, and (3) privacy (for employees).

Security. First, security is a major concern for many industries. Because lawyers’ licensure is on the line for maintaining client confidentiality and clients often entrust our businesses with sensitive personal and professional information, security issues hit particularly close to home for the legal industry. For example, legal businesses don’t want someone on their workforce inadvertently leaving a mobile phone with access to client information at a restaurant where a third party who scoops up the phone could potentially access that information. Alternatively, there may be bad actors who could access internal business and client information if someone on the workforce logs onto an unsecured Internet connection open for interception. These days, hacking and identity theft seems more inevitable than preventable. So, any BYOD policy should address the question of how your firm handles breaches of security when they happen and dictate the disclosure processes for when they happen.

Knowledge transfer. Second, one of our specific concerns regarding those who work with us using their own devices has been knowledge transfer: When they change positions or move on from a position, how do we disable access to client information, ensure that their work product is available to the next person in their position, and transfer the policies and procedures that they followed? In the story I told at the beginning of this article, we thought of some of the ways that we could ensure knowledge transfer, but we clearly didn’t consider all possibilities. The CIO.com articles mentioned previously also touch on this: In sales or marketing roles, if people use their personal phone number or social media accounts to build relationships, then how do you transfer ownership of that intellectual property? Our firm had a solution for the phone number issue, but not for the relationships created or the social media accounts used. And I haven’t found an answer in my research, either.

Our law firm is one of many small firms that runs exclusively on cloud-based software. It’s a constant source of consternation for my partner that I choose to save things locally to my computer instead of to our secured, cloud-based drive as I work on them, only saving them to our drive once I have a finished product. Even in that case, though, my “hard drive” is backed up and is retrievable in case of a worst-case scenario. Having a cloud-based firm, including using voice over Internet protocols (VoIP) instead of traditional landlines, allows us to manage knowledge transfer and personal device usage. With the use of cloud-based software, we can remotely wipe or disable certain users or devices, we don’t have to worry about software compatibility, and we can ensure that information is readily available to members of our workforce when necessary.

Of course, using cloud-based software comes with its own necessary disclosures and security measures. We consulted with a cybersecurity specialist to create protocols. We use a combination of virtual private networks (VPNs) for using the Internet over public or unsecured wireless Internet; strong password guidelines shared to password managers; regular scans and backups; carefully vetted applications; and two-factor authentication with YubiKeys.

Privacy. The third concern is your workforce’s privacy. Your workforce may have concerns about what you, the business they work for, can gain access to and what you cannot. For example, will you look through their personal e-mail or their personal photos? I think that clear communication of policies and trainings can address some of these concerns, as well as allowing people the option to opt out of using their personal device.

How to Craft a Policy

We have developed our policy in discrete chunks, over time. And as technology advances, we know our policy will need to be revisited and revised over time. We consulted with a security professional for our firm in creating our system and policy, and now we are maintaining it ourselves. Alternatively, you could completely outsource your mobile device management or cybersecurity needs to a qualified third party.

One piece of advice that resonated throughout the research, but was particularly pointed out by the Dell Software study, is that policies that focus on the users rather than on the devices are the most successful. Lee Rosen, from the Rosen Law Firm and the Rosen Institute, shared his BYOD policy, and it was evident that he did just that. His firm’s policy covers a lot of great points, including: (1) operating system requirements, (2) password requirements, (3) use of mobile devices while driving/traveling, (4) reimbursement/stipend policies, (5) required or “whitelisted” apps, and (6) what to expect if something goes wrong.

I would add a few things to those points.

It may be important to distinguish between the different types of employee roles in your business. You may have attorneys, paralegals, marketing professionals, finance professionals, and other support. It is not that one of these professionals may be more or less likely to be responsible for data breaches, but they do have different roles and responsibilities. Not everyone needs access to the same information or the same accounts, and they shouldn’t have access to everything.

You may also want to “blacklist” certain apps in addition to “whitelisting” ones. Certain applications may have well-known privacy and security issues; employees who insist on having that app on their personal device should be prohibited from using that device for work.

Finally, it is important that there be multiple levels of security and passwords for access to work-related applications on a personal device. This includes the device itself being password protected, the application being password protected, and requiring some form of two-factor authentication.

For more inspiration about how to craft your own policy, IBM offers a free top-ten list of rules for BYOD.

Craft a BYOD Policy or Your Employees Will

People are most likely going to use their devices whether you create a policy about it or not. Furthermore, creating the policy and allowing people to use their own devices may foster a healthier work environment, may increase productivity, may increase worker retention, and may help you to mitigate cybersecurity threats by addressing their possibility before they happen. Whether you expect people to use only personal devices, want them to use only corporate-owned devices, or something in between, it’s worthwhile for your firm or business to craft a policy and identify what is and isn’t acceptable so that your workforce knows, too.

Entity:
Topic:

Shreya Biswas Ley is a Lawyer-Human with LayRoots. While on a surfing trip in Westport, Washington, she and her partner in life and business chose to open a practice focusing on estate planning and asset protection, with a special interest in how small business owners can protect their personal assets, can continue to provide for their families in case of an emergency, and can protect their intellectual property. They discuss their love of the outdoors, their business, and their legal perspective on their Lawyer-Human podcasts.