To: Managing Partner(s) & Management Team at Ernst & Young
From: Team Names, analysts
Date: 5/01/2017
Subject: Reassessment of the Bring Your Own Device (BYOD) policy at EY
EXECUTIVE SUMMARY
This report analyzes the advantages and risks that one of the “Big Four” accounting firms, Ernst & Young (EY), might experience in continuing with the Bring Your Own Device (BYOD) policy at work. This report will also provide helpful recommendations to address some of the risks.
Pros of BYOD
There are many advantages to embracing a BYOD policy including increasing employees’ satisfaction, flexibility, and productivity. According to a study, BYOD can increase workers’ contentment in the workplace (Chen, n.d.). Employees also tend to work longer hours if they can bring their personal devices to work and are even willing to work while on vacation. BYOD boosts staff and management productivity (Rotholtz, 2015). Employees also spend less time dealing with complex tasks because they are already familiar with their own devices. Ultimately, BYOD is a great policy for companies to put into practice because it is a method to reduce the cost of hardware, data plans, and labor.
Cons of BYOD
There are some disadvantages to implementing a BYOD policy including data leak problems, a lack of regulatory policies, and privacy issues concerning employees’ personal information, which could lead to legal problems for the company. First, the IT department must deal with network security problems to control data leakage from within the organization and therefore, companies may find it challenging to keep their data private from competitors. Second, companies that adopt a BYOD policy may lack the adequate regulations required to define acceptable usage. Third, there is a privacy concern that employees’ personal identification data may be purposefully collected by the employers or other parties because employers may have access to employees’ personal devices.
Conclusion
EY should still keep the BYOD policy because the benefits outweigh the risks. Although there are risks in network security, governance and data privacy, these risks can be minimized through the recommendations provided in this report. As a result, the BYOD program can increase employee satisfaction and flexibility, and further reduce operational costs for EY.
Recommendations
- Reduce network security risk:
Adopting an MDM (Mobile Device Management) system Segregating offices’ public network from corporate internal network Enhancing encryption technology
Increasing employee’s awareness of security issues
- Lower the risk of governance:
Listing out permitted types of device Optimizing the internal security policy
- Lessen the risk of data privacy:
Enforcing the mobility policy Implementing related tools to protect data
INTRODUCTION
Purpose of The Report
This report was prepared to provide critical recommendations for EY’s reassessment of the BYOD policy. The report analyzes the performance of the policy since it was implemented by EY. Through evaluation of the pros and cons of the BYOD policy, this report helps the EY management, especially the Managing Partner(s), to make a decision on whether the BYOD policy should be continued in the firm’s operation. To further help the decision making, some recommendations will be provided towards the end of the report.
Background
The BYOD concept entered the workplace during 2009, after the Director of Intel Corporation, Elaine Mah and her associates, pushed for the policy (BYOD, 2012). Intel Corporation had launched a pilot program that allowed employees to bring their own devices to work. During the year of 2009, there were only three thousand people who participated in the BYOD program. Later on, nineteen percent of employees also joined the BYOD program. To this day, BYOD is still a growing trend as more prominent companies, such as Cisco and Google, are starting to adopt the policy. EY is a company that has already been using this policy since 2012.
Sources and Methods of Data Collection
Most of the sources used came from EY’s website. Finding credible sources and data involved official business websites like Forbes and searching through academic journals from the SJSU library database. Some of the articles that we present support the performance of the BYOD policy in a positive perspective, while other credible articles present it from a negative perspective.
Scope
This analytical report compares some of the advantages and significant disadvantages of implementing the BYOD policy. However, the report does not discuss the cost of embracing the BYOD program, or the detailed steps to follow the recommendations provided in this report.
ADVANTAGES OF ADOPTING BYOD
Allowing employees to bring their own devices such as smartphones and laptops to the workplace, instead of providing corporate devices, not only increases employees’ satisfaction, expands staffs’ comfort zone, and improves staffs’ productivity and flexibility at the same time, but also reduces the cost of running the business.
1. Increase Productivity
Almost everyone has iPhones or Smartphones, and they use their personal communication devices every day. It is likely that employees will bring their communication devices that they like to the workplace. If they bring their phones with them to work, then they will likely use them during the day. Employees will be happier and feel more comfortable if the company allows them to do so because allowing personal devices increases their employees’ productivity and fosters good communication among their employees on the job and outside of work. Kaneshige (2014) explains that BYOD program can not only expands employees comfort zone but also enhances their accessibility for work. BYOD employees are willing to work additional two more hours per day due to the ease of using employees’ personal devices. Employees can increase productivity by sending another 20 emails on a daily basis during the early morning and late night.
Moreover, BYOD employees have the chance to upgrade their personal devices at any time which allows them to perform more efficiently. As a result, employees are happy to upgrade their devices because updated personal devices will allow BYOD employees to have a faster device (S, 2017).
2. Increase Management Flexibility
BYOD policy increases EY’s management flexibility. After adopting the BYOD policy, business entities are able to gain access to their staffs at any time, in any location, which enhances the management flexibility from an organizational perspective. Forbes reported that about 60% of the employed people in the U.S. keep working while taking vacations (Rotholtz, 2015). It is a great achievement to increase the productivity by allowing EY’s staff to continue using their own devices. The enthusiasm of adopting this policy has also allowed their staff to make any place became their workplace.
3. Increase Employee Flexibility
BYOD policy provides employees greater flexibility to multi task by working with different personal devices at the workplace. For instance, an EY’s auditor is preparing an audit report for a client. By working with her/his own personal devices, she/he can use her/his phone or iPad to email the clients to request information that is needed for this auditor to complete the audit report, while simultaneously typing the audit report on her personal laptop. On the other hand, if EY has not adopted the BYOD policy, this auditor able to do only one thing at a time, at a lower productivity level with limited flexibility. Furthermore, Chi-wen Chen (n.d.) provides a great example in his article “BYOD Flexibility” to illustrate how restricting the BYOD policy can reduce workers’ flexibility. In Chen’s research, we see that when employees are doing complicated tasks with the lack of knowledge using the organization’s devices, there is a higher degree of complexity for employees to do their jobs. The confusion of understanding and processing the information requires more energy for an employee to complete the tasks. It decreases the employee’s satisfaction and ability to perform the tasks while increasing his or her frustration.
4. Reduce Cost
Companies that have implemented the BYOD policy experience a cost reduction in operational expenses. Forbes released some statistics regarding Cisco’s average cost of personal devices, and how the company was able to save per employee approximately $965 on personal devices, $26 on community support and $734 on data plans annually. The adoption of BYOD policy can save companies up to $1700 per employee on hardware and data plan expenses. Ackerman (2013) further illustrates that Intel staff are able to save about one hour per day, thus reducing Intel’s salary expense. Ackerman (2013) referenced nucleus research and explained that “If 23,500 employees saved this much time with a .5 productivity factor, Intel is stating that it gained roughly $700 million just from BYOD.” The statistics showed above pointed out that business entities can shift the devices and some of the IT service to their employees. Many other cost-saving advantages
could be applied, depending on the type of business and the organization structure.
DISADVANTAGES OF ADOPTING BYOD
Although adopting the BYOD policy can increase employee’s satisfaction and productivity within a limited cost; there are some risks of the program that cannot be neglected. The following paragraphs analyze the risk in three broad scopes, which include network security, governance, and privacy. These three scopes are the area that the most underlying risk can be found (Olalere, 2015). Please see the chart below for your information. Network security, governance, and privacy are not only the risks but also the essential requirements to successfully implement the BYOD program. Furthermore, the related solutions of risk will be presented, and some of the continuing concerns will be addressed in the “Recommendations” section.
1. Network Security Issue
Network security issue ranks the highest in importance among the three risks. It has always been business’ primary concern, and therefore, the IT department is set up to manage corporate data and maintain security. However, the Bring-Your-Own-Devices Policy breaks this operation flow. Under the BYOD program, IT department cannot monitor all the data delivery; instead, data is delivered to the employees’ devices that are out of IT department’s control. As a result, the
implementation of protecting network security from data leakage and data theft becomes more challenging. Data leakage can happen if an employee loses his device or his device gets stolen. Also, using vulnerable applications can increase the risk of data theft. As introduced by Olalere (2015), data can be stolen though DDoSs attack and Malware attack. The former one vandalizes corporate application by denying certain employees’ access to the internal network. The latter one steals enterprise confidential information and ruins the application at the same time. If the BYOD program were implemented, IT department’s control on devices would become very limited, which could expose the corporate network security in a precarious place.
2. Governance Issue
Governance of BYOD policy can also be problematic if there is a lack of adequate policies to define the acceptable usage. A case discussed in Sands’ (2014) presentation clearly supported the importance of an adequate regulation. The case was about the misconduct of using the personal device. An employee purposely used her personal Dictaphone to record conversations in work, without asking other co-workers for consent. Later on, the employer found the Dictaphone in office, and it continued recording even though its owner was not nearby. Consequently, the company destroyed the recording and dismissed the Dictaphone’s owner for gross misconduct. On May 23, 2012, French Supreme Court ruled that the employer’s action was unfair. The company had no right to listen to the recording when the Dictaphone’s owner was not present; instead, the proper action the employer could take was giving a prior warning first. Also, the employer’s act of destroying the recording did not respect the adversarial procedure. From the above case, we can understand the importance of rule-making before putting the BYOD in operation. Without an adequate policy to support the BYOD program, misconduct can easily happen in every business. Therefore, using BYOD program without an appropriate policy is another underlying risk that needs to be aware.
3. Privacy Issue
Privacy of data is another issue that each company should pay attention. BYOD policy encourages employees to bring their own devices to work, but it also brings the company a dilemma: implementing a security program on each employee’s device may violate their right to privacy; However, if no security program is installed, corporate data may be under risk of leakage or attack. Sands (2014) mentioned that even if the employee consents to install minimum security program, it will be a challenge to deal with the personally identifiable information that is collected without a business requirement and protect the personal information from being destroyed or corrupted. Legal concerns of the data privacy are the disadvantage that comes along with the BYOD policy. It allows employees to access corporate data and applications on their personal devices. However, employees have very limited control of their personally identifiable information if they use their own devices for work. How should the company protect employees’ personal data from being wiped off in the case that they lose their own devices or the identity check fails several times? If no adequate policy were rolled out, data privacy would remain in risk of lawsuits.
CONCLUSION
In conclusion, if the BYOD program is well-managed, the benefits can far outweigh the risks. EY should continue to adopt the BYOD policy because it both satisfies employees and employers at the same time. Only with some adequate regulations and proper applications to support, BYOD program opens a win-win situation to EY. BYOD policy can put into EY’s operation smoothly only with some changes and improvement. Although allowing employees to bring their personally own devices to work may lead to network security, governance, and data privacy problem, EY can take actions to minimize the risks and make BYOD suitable for the firm’s operation.
RECOMMENDATIONS
- To reduce the risk of network security, EY can:
- Adopt MDM (Mobile Device Management) solution to allow IT department remotely configure personally own devices. (“Bring your own device (BYOD) trends”, 2012)
- Segregate mobile devices’ network from the corporate network. Setup a Wi-Fi network in the office that does not grant access to internal confidential data; to prevent the infected device from accessing sensitive information. (McEnaney, 2016)
- Enhance the encryption technology to protect sensitive data. (Banham, 2017)
- Educate employees about data leakage and train them to recognize the suspicious emails or texts. (McEnaney, 2016)
2. To reduce the risk of governance, EY can:
- List out all the BYOD permitted devices.
- Establish a security policy of BYOD.
3. To reduce the risk of data privacy, EY can:
- Establish a corporate mobility policy, which employees must sign up before using their own devices to work. Set up terms regarding employee exit and termination, clarify the solution dealing with employee’s personal data on the working device. (McEnaney, 2016)
- Implement selective remote wipe, disk partitioning and virtualization on personally own devices. (“Bring your own device (BYOD) trends”, 2012)
Following the suggestions above can improve the adaptability of BYOD in the firm. The risk of network security, governance and privacy can be minimized by adopting proper applications and implementing the adequate regulation. Eventually, BYOD can perform better by improving employees’ productivity and satisfaction while maintaining operation cost to a considerable level. This analytical report is prepared for the Managing Partners in EY. The recommendations are developed to support the Managing Partner’s decision regarding the continued adoption of the BYOD policy in EY.
REFERENCES
Ackerman, E. (2013, June 02). Calculating The True Cost Of BYOD. Retrieved April 20, 2017, from https://www.forbes.com/sites/eliseackerman/2013/05/28/calculating-the-true-cost- of-byod/#2d598abd1a5c
Bring your own device (BYOD) trends and audit considerations. (2012, October 4). Retrieved April 5, 2017, from https://www.sifma.org/uploadedfiles/societies/sifma_internal_auditors_society/bring%20 your%20own%20device%20trends%20and%20audit%20considerations.pdf
Chen, C. (n.d). BYOD Flexibility: The Effects of Flexibility of Multiple IT Device Use on Users’ Attitudes and Continuance Intention. Retrieved April 18, 2017,
from http://www.bing.com/cr?IG=2F0048A7ECE745DEA4C99D87EA45CD22&CID= 1F02AB7A9645647F2C79A11297D565C9&rd=1&h=_9eAvn6NZam7JzC5G31TKeFLg
ZFKcLtLn8cB49mrSts&v=1&r=http%3a%2f%2faisel.aisnet.org%2fcgi%2fviewcontent. cgi%3farticle%3d1562%26context%3damcis2014&p=DevEx,5062.1
Kaneshige, T. (2014, July 02). BYOD Users Work Longer and Earlier. Retrieved April 30, 2017, from http://www.cio.com/article/2449817/byod/byod-users-work-longer-and-earlier.html
McEnaney, M. (2016, May 16). Cybersecurity Concerns in a BYOD World. Retrieved April 14, 2017, from http://www.enterprisemobilityexchange.com/eme- byod/articles/cybersecurity-concerns-in-a-byod-world
Olalere, M. Abdullah, M. Mahmod, R and Abdullah, A. (2015, June 1). A Review of Bring Your Own Device on Security Issues. Retrieved April 5, 2017, from http://www.ijcncs.org/published/volume4/issue1/p3_4-1.pdf
Rotholtz, B. (2015, June 25). BYOD Legislation: What California’s Case Could Mean For Businesses Everywhere. Retrieved April 19, 2017, from https://www.forbes.com/sites/groupthink/2015/06/25/byod-legislation-what-californias- case-could-mean-for-businesses-everywhere/#368b37385564
Sands, R. (2014, February 13). Bring your own device (BYOD). Retrieved April 5, 2017, from http://www.ey.com/publication/vwluassets/ey-bring_your_own_device/$file/ey-bring- your-own-device.pdf
S. (2017, January 05). The Challenges Of A Bring Your Own Device (BYOD) Policy. Retrieved April 30, 2017, from https://simplemdm.com/2017/01/05/challenges-of-bring-your-own- device-byod-policy/
