Have you ever encountered any of the following situations:
- During a board meeting, the president makes reference to a sensitive document, which she has e-mailed to her personal smartphone from her organizational account.
- An employee loses a phone that they use for work and personal affairs.
- An employee’s personal device (that they also use for work) is infected with malware.
These situations are common today. The increasing popularity and development of mobile devices such as smartphones and laptops allow users to share data anytime and anywhere. Many employees bring their mobile devices to their workplaces and connect to their company networks in order to perform their jobs. Using personal mobile devices for work has is part of a trend called “Bring Your Own Device,” or BYOD. Under BYOD policies, employees are empowered to use their own devices to access sensitive organizational data at work through the enterprise IT infrastructure. The prevalence of smartphones, tablets, and other personal devices signals that ignoring this trend is no longer feasible; rather it is already common in many industries. But what does your arts organization need to know about BYOD?
Many arts managers advocate BYOD policies by for several reasons. First, BYOD is a cost-saving policy. For many arts organizations, the cost to purchase a large number of computers or tablets is a tremendous financial commitment. Plus, most of the technology used by organizations is only updated for a certain, limited period and then becomes obsolete and needs to be replaced. By allowing employees to bring and use their own devices in the workplace, they can always have technology updated without the company regularly incurring costs. For some arts organizations, this practice has been beneficial as budgets are cut and organizations are forced to trim spending.
Additionally, BYOD policies have the potential to boost employee morale and enhance productivity. Take smartphones as an example. The device travels with the employee everywhere, whether on the job or not. Employees can have access to the Internet, their work email, and their contacts no matter where they go. Employees and organizations are connected at all times with smartphone in hand.
It makes sense, then, that employees would want to use their personal devices for work-related purposes. Employees buy their own phones based on their personal preferences, so they may be more inclined to use their phones for work purposes if they are more comfortable with them. This impacts the employee’s ability to do his or her job and may result in an employee being more satisfied with his or her work.
"An effective non-profit manager must try to get more out of the people he or she has," writes Peter F. Drucker in Managing the Non-Profit Organization. "The yield from the human resource really determines the organization's performance.” With BYOD, a company can boost employee performance by allowing them to perform work-related tasks on the platforms of their choice. This applies to personal computers as well as smartphones and tablets. Especially, with the rise of cloud virtualization and computing, workers are looking to use their at-home computers to access the company network and applications when out of the office.
In addition to keeping employees satisfied, BYOD can also help arts organizations to attract new talent from inside and outside of their community. In Bell Techlogix’ s white paper, it’s stated that the flexibility provided by BYOD - especially when combined with work-at-home opportunities - can be a major selling point for an organization looking to hire new workers. Such policies allow the organization to attract applicants who are best suited for and excited about the job, rather than those who are willing to settle.
However, if both employees and organizations are to reap the benefits of BYOD, then they must also worry about the threats that accompany the policy. For organizations, one of the most challenging issues is that sensitive data, such as donor information, is being delivered to devices that are not managed by an IT department. Thielens notes that the real BYOD challenge is not about the security of devices, it is about controlling access from the devices to sensitive data.
One of the potential negative results of these security concerns is data leakage. Let’s say employees have access to a donor information database via their personal smartphones. However, the organization’s control over the data is limited because the data is obtained and stored in personal devices. The toughest situation is that if the device gets lost, the donor information on the device will be available to anyone who finds the device, which hurts the organization’s credibility.
Another challenge for organizations is the threat posed by malicious applications. When a malicious application compromises a personal device, sensitive data in the organization, for example, audience profiles, can be stolen or exploited by attackers. In addition to compromising personal devices, malicious applications can spread to an organization’s applications and devices, such as office desktops, and thereby incurring additional costs when these applications lose their functions.
Aside from data breaches or the risk of a terminated employee sharing trade secrets with new employers, there are other concerns circling BYOD policies. Wage risks should be taken into serious consideration. Personal work devices used off-the-clock for business purposes may put a nonprofit employer at risk of liability for overtime pay. How managers standardize employee reimbursement is also a tricky problem. Organizations that expect employees to update technology devices regularly may struggle with questions such as “do we need to provide technology stipends” or “how much should be reimbursed?” Also, some employers might struggle to track the usage of dual-use devices in general.
The other primary risk is that of workplace safety. While driving, employees may talk on personal devices that are used for personal and work reasons. The reason for distracted driving is difficult to define. A BYOD program could potentially expose an art organization to liability under federal and/or state law for an employee’s injuries resulting from responding to work-related emails or text messages under unsafe conditions.
Also, there are labor law risks. IT safeguards protecting an organization’s reputation and assets may be considered unlawful surveillance of employees. The surveillance may raise some privacy issues and be considered as illegal actions.
Some arts organization may also encounter global risks. Arts organizations with international partnerships may face different wage-hour regulations, which require separate controls. Besides, device monitoring and security measures must be assessed under multiple privacy regimes, resulting additional time and labor inputs.
BYOD policies provide plenty of benefits to arts organizations, but arts managers should also be aware that risks always remain. If your nonprofit strives to have first-class risk management as a framework for BYOD use, make sure to craft a careful BYOD policy first.