Bring your own device (BYOD) policies are corporate policies that dictate the rules around the use of employees personal tablets, smartphones, laptops and other devices for work purposes. Often, a BYOD policy is brought to help manage IT costs or are developed out of a recognition that employees will be using personal assets for business purposes whether there is a policy or not. Having a BYOD policy enables the organization to manage the risks and security issues associated with company files being accessed using personal devices. The organization may also decide to develop a BYOD policy to fulfill the needs of their employees or for other business reasons.
There are always risks to a BYOD policy especially within the public sector context where files and user information is considered secret and should be protected with the utmost care. While not all of us work at the RCMP or at the CIA, we do work with sensitive files that often contain personal information or information that could put our country at risk. A BYOD policy raises the obvious security questions when dealing with the day to day work of the public sector. How can the public sector organization ensure that the necessary security and encryption are met while enabling employees flexibility in the devices and services they use to do their jobs? The easy answer is to ban personal devices and cloud services (see: Google Docs, Windows Skydrive, Dropbox etc.) I argue that banning personal devices and locking access to cloud services is the wrong approach to the problem.
Rising IT costs are challenging the dated public sector IT infrastructure. It’s hard to lifecycle your IT equipment when the budgets are drying up or non-existent. Service delivery to the public takes priority over the back office support needed to keep things running. As a public sector worker, I understand that my technology will not be top of the line and with budgets being stretched thin that is not changing anytime soon. But, a BYOD policy solves this problem. I can bring in my own device and use it to do my work saving the typical lifecycling cost. But, how do we overcome the security problem? At Health Canada, we have developed an application called Weboffice built on Citrix which allows employees to access our secure network remotely from any PC or Mac. Set-up building wide wi-fi and you could have your employees bring their own laptops to the office, access Weboffice and do their work securely. After all, the Weboffice platform allows access anywhere there is an Internet connection and it’s designed to access government files and the government network.
Cloud services like Google Docs and Dropbox present another challenge. There are legitimate business reasons for accessing cloud services. Unfortunately, the government largely does work within local servers at a high acquisition, maintenance and upkeep cost. Using cloud services presents the same security issues as a BYOD policy but also privacy issues. Who owns the information? What information is collected from users? Would public servants information be sold to any third parties?
Similar to what the US government has done with major social networking sites, the government of Canada could enter negotiations with the largest cloud providers such as Google and Dropbox to negotiate special government terms and conditions for Google Docs and Dropbox. Through this process, the government could be assured of privacy, security and protection of its information and of its users information. But, you might say, wouldn’t that be costly? Well, would it be any more costly than developing, testing, deploying and maintaining your own solution?
BYOD is picking up steam in the private sector. Employees love the convenience and flexibility of using their own devices. The public sector has unique challenges to face in implementing a BYOD policy including privacy and security issues. Employees will also face challenges such as the lose of personal information should the organization erase the device in the event it is lost or the employer accessing personal information on a personal device since the device is now being used for business reasons as well.
BYOD can work in the public sector. It’s just a matter of the right people in the right place taking a leadership role and making it happen. As an individual employee, you can ask your manager or your IT support desk if they are willing to allow you to bring your own device to work. If not, ask why you can’t and offer the solutions to the most common shortcomings they are bound to point out.
Scott McNaughton, thenewbureaucracy.ca