How much do companies monitor their BYOD users?


Most users who agree to BYOD policies do it reluctantly because of two main hang-ups: They are afraid of having personal devices wiped if they’re lost or stolen, and they don’t want IT to be able to monitor what they do on their phones. 

But according to a recent survey by Spiceworks, users might not have so much to worry about with that last part.

In its Weathering the Mobile Storm report, Spiceworks found that:

  • 45% of respondents said they monitor employee activity on BYOD very little
  • 23% don’t monitor anything at all
  • 23% monitor “major stuff, like installing apps and connecting to cloud services,” and
  • 4% monitor every move.

It may not be so much the idea of what IT monitors that gets users up in arms, though. It could be the idea of what IT theoretically could monitor that’s unsettling.

Why not monitor BYOD?

IT doesn’t seem too thrilled with the idea of observing users’ activity on their mobile devices. No one wants their department to be seen as a police force or spy agency that’s going to invade users’ personal phones or tablets.

But at the same time, the less employees’ mobile devices are monitored, the greater the risk is to them and the company.

Most companies have some degree of security requirements for BYOD. The report found that among other security measures, companies use or plan to use:

  • mobile device management programs (49%)
  • antivirus or antimalware (41%)
  • central management (22%), and
  • application control (14%).

But 19% said they didn’t know what security measures they have in place. And 9% admitted to not using any security protection at all.

Disclose and observe

The best way to make sure users can live with your BYOD program is to be absolutely explicit about what they’re agreeing to.

Explain to users that yes, your company can monitor activity on their personal phones. But also make it clear what activity will be monitored – and why.

The crucial step is making it absolutely clear to users that you’re not looking to see who they’re calling and texting, just what is being done with company information. It also helps to explain that it’s for their own protection.

Monitoring for security threats is a must if users are to avoid the nuclear option of losing all their data when a phone is remotely wiped.

For some users, this trade-off won’t be acceptable … and that’s OK.

Most BYOD programs are optional. Users need to know that their participation isn’t required, and they can leave the program or not join it if the terms and conditions aren’t to their liking. Acknowledge that, yes, policies aren’t always going to be very convenient or comfortable.

Consider tiered levels

Another option for getting users comfortable with and adhering to your BYOD program would be to offer multiple levels.

Most users only want the very basics of BYOD – access to calendars, email, etc.

According to the Spiceworks report, this is something 96% of organizations provide, much more than other features, such as access to:

  • file-sharing accounts (44%)
  • mobile apps and software (42%), or
  • secure network resources (42%).

If all users require is access to company email or calendars, have a lower-tiered BYOD program to give them what they need without additional resources (and security restrictions). Of course, they’ll still need to agree to some security measures, but this could be more palatable than the full-fledged BYOD option.

Do you monitor users’ personal devices when they sign up for BYOD? If so, how do you go about it? Be sure to leave feedback in the comments section below. And check out our sample BYOD policy for an idea of how to craft a better policy of your own.
