Users, IT clash on BYOD policies: 4 keys to fix it

There’s always been tension between users and IT when it comes to BYOD security. A new survey by Webroot shows where these two groups disagree and where they could find some common ground.

With both personal and corporate information on devices, there’s incentive for everyone to be on the same page when it comes to BYOD policies. Unfortunately, things don’t always work that smoothly.

According to the survey, 86% of respondents have taken some security measures to try to protect their devices. Some measures include using:

In addition, a full two-thirds of employees (67%) report having a security app installed on their work smartphones and tablets. Of those:

  • 37% only have an app that came pre-installed on the device
  • 19% have apps that were personally selected
  • 17% have a security app that was required by their employer, and
  • 10% weren’t sure.

Employees have BYOD concerns

From these figures, it might seem like users are high on BYOD security. But the survey shows there’s some real tension between users and their IT departments.

Forty-six percent of respondents said they’d stop using a device for work if its security features caused them to lose productivity. That shows that whatever protections IT puts in place on mobile devices, they had better run silently in the background. If users notice the security apps or measures and are inconvenienced by them, they’re going to look for workarounds.

It’s a matter of trust, too. Users seem to be unsure how they feel about IT’s reach when it comes to mobile security.

Users who were worried about IT’s control in BYOD cited:

  • employers having access to personal data (55%)
  • personal data potentially being wiped by their employers (47%)
  • devices being tracked for location (46%)
  • performance being impacted by security measures (45%), and
  • battery life taking a hit (42%).

IT’s worried about BYOD, too

Of course, users’ worries are important to take into account. But IT isn’t feeling so rosy about BYOD, either. A full 95% have employees using mobile devices at work and indicated they were concerned about the security threats that could pose.

IT does at least seem aware of the dangers and prepared for them. According to Webroot, 98% of respondents have a mobile security policy in place.

Almost two-thirds (73%) allow for personal device access to some degree. This includes:

  • 33% that require an IT-mandated security app
  • 21% that allow access without security, and
  • 19% that require users to install a security app on their own.

While some organizations have taken a more extreme step of having a no-personal-device policy, it doesn’t appear to work. Less than 19% said they’re able to enforce that ban.

Living with mobile devices

It’s clear that there has to be cooperation between IT and users on BYOD.

Without user cooperation on basic protection, security risks abound. Without IT’s promise of maintaining users’ privacy, employees will work around the security measures in place.

A good BYOD policy needs cooperation. Here are four points to cover with your users:

  • Trust. Explain to employees that although their devices may be subject to scrutiny, you’ll take every measure necessary to protect their personal privacy on devices. One way this can be done is to sandbox or isolate corporate apps from personal information.
  • Wipe policies. This is always a sore point for users – their whole lives are on their smartphones, so finding out that they could lose personal information is a scary proposition. However, sixty-two percent of respondents were extremely or very confident they could remove work information from a device without completely wiping private information. Stress that you’ll make every effort not to lose their information, but that you reserve the right to wipe a device if it is lost or stolen.
  • Balance. Security apps are valuable, but user behavior and common sense are also crucial to protecting mobile devices. Make sure users realize security doesn’t stop with anti-virus apps or MDM. At the same time, make sure the security apps you do require aren’t too cumbersome.
  • Enforcement. Your BYOD policy must ultimately rule the day. Users must be aware that if they’re unwilling to follow your policies every time, their privilege can be taken away.