The Apple Watch is Coming: Do You Have a Wear Your Own Device policy?
Wearable devices, which include fitness trackers and a limited assortment of not-so-user-friendly smartwatches, have become more prevalent on the wrists of the American workforce. In turn, wearables are becoming a workplace issue as they are slowly but surely finding their way into the workforce. This trend is not likely to subside anytime soon, especially since Apple will launch the Apple Watch in April.
In other words, like the Blackberries, smartphones, and tablets that preceded them, wearables are the next big thing in workplace technology, and businesses would be wise to start planning accordingly.
Given that the wearable trend will reach its next level in April, the questions for businesses are: Should they be concerned? If so, what should they be concerned about, and what should they do about it?
The Past: Blackberries, Smartphones, and Tablets
The intersection between business and technology is nothing new. Businesses have been dealing with workplace-technology issues for sometime. It started with laptops and remote connectivity, and moved on to Blackberries, then smartphones, then tablets.
Here is what that looked like. First, many businesses required their employees to have a Blackberry, which combined a cell phone with a secure, enterprise-level mail system. Blackberries were fairly easy to control. IT departments could control the use of technology because they could lock down a company-issued device with a corporate firewall.
This type of firewall, however, proved an insufficient control to contain information on personal devices that became a significant issue when smartphones came out. When smartphones came out, they changed the game by completely changing how people use mobile phones and, soon, everyone had a mini handheld computer. These devices, combined with inexpensive mobile apps, transformed smartphones into multimedia tools. For some time, the norm was that employees had two devices, a company-issued one and a personal one. Many companies, however, have broken away from the two-phone company-issued structure for a one-phone option where the company reimburses the employee for part of the employee’s data plan expense.
The tablet market took this technology trend to yet another level.
Many businesses handled these issues by employing a few strategies, including implementing Bring Your Own Device (“BYOD”) policies, which set specific parameters on what employees could do on their smartphones and tablets in the workplace or for conducting work business on those devices.
Because of the rapid rise of the BYOD trend with the onslaught of smartphones, tablets, and, worse, security breaches, the vast majority of companies found themselves reacting and putting out fires, instead of staying ahead of the technology-related issues.
The Future: Wearable devices
Enter the next big thing – wearable devices. Fitness trackers were the first wearables to make their way into workforces, but smartwatches are about to take over. They will sync with smartphones and tablets, and allow for increased functionality and crossover between and among an individual’s devices, which will include devices being used for business that contain sensitive company information.
This relationship was described recently in Wired by Neptune founder, Simon Tian, as a master/slave relationship where the phone is the master, and all wearables the slaves, borrowing off the power and capabilities of the phone. But if Tian is correct, smartphones are actually on their way out and wearables will take their place and the master/slave relationship will flip to the wearable essentially being the brain. This could help alleviate some security concerns, but certainly not all.
This is not the current state, however, and it is still too early to tell what we can expect as wearables become even more prevalent in our workforces. If smartphones and tablets are any indication, we can expect to see increased productivity and bigger bottom lines. Some companies have embraced wearables and see them as a way to increase employee wellness. The EEOC has yet to weigh in, but given its recent challenges of some employer-sponsored wellness programs, it is likely that the agency will, eventually.
We can also expect to see some increased risks, particularly IT security concerns, such as data privacy that will be significantly heightened if auto-syncing of corporate data is enabled. Anytime these devices are connected to a corporate network or set to store corporate data, a business increases its vulnerability to cyber attacks.
Implementing a WYOD policy
Many businesses simply do not have the proper security measures and protocols in place to keep up with all these new devices. For example, while some businesses have begun to implement BYOD policies, most only address smartphones, tablets, and laptops. Technology is simply moving faster than policies can and, for businesses that have been slow to implement BYOD policies, they are just starting to policy devices that will soon be obsolete.
With wearables, though, a BYOD policy must be combined with a Wear Your Own Device (“WYOD”) policy. In other words, any policy addressing devices should include wearables.
Whether it be guarding against wearables or smartphones and similar devices businesses are more familiar with, the key to any BYOD/WYOD policy is to have a preemptive and timely policy instead of a reactive one. Technology will always grow faster than business policies can keep up with; however, it is important for businesses to quickly adapt to new technologies and not shy away from them. It can certainly be done and, if done correctly, it can certainly be a positive for the company.
Part of this preemptive and timely strategy means not banning devices from the workplace. Rather, it means businesses need to work closely with their IT departments to understand the benefits, risks, and functionality of new technologies, and implement policies and guidelines that foster productivity and growth while protecting against cyber attacks and misuse. One way to do this is for businesses to incorporate wearables into their data protection and device management policies – a BYOD/WYOD policy. This will help mitigate data security challenges as more and more employees bring these devices into the workplace.
This should be done immediately. Certainly before the Apple Watch finds its into way into the workforce. When the functionality of the Apple Watch is known, businesses should work closely with their IT departments to understand the full scope of the functionality, how it will crossover to other devices, particularly any that are company-issued or that contain company data.
What should be included in a BYOD/WYOD policy
As for a BYOD/WYOD itself, here are some items that businesses may want to include:
- Define and specify what will be supported: The business must determine what devices it is going to support – all mobile devices, cell phones, fitness trackers, tablets, smart watches, etc. Next, specify what versions and levels of devices the business will support. For example, cell phones that run "iOS 7.0 or higher" or "Android 4.2 Jelly Bean or higher." This is important so IT and the employees stay on the same page with what will be supported, the security issues, and keep employees from bringing in and attempting to use devices that are outdated. One thing to keep in mind: the greater the variety of devices a business allows in, the higher the risks for data loss.
- Set strict password rules: Employees may not like picking a 16 digit, multi-character password, but password protection is key for businesses to protect against outside security threats. A policy must outline password specifications for users. Not only should long, complicated passwords be required, but the passwords should change every 90 days, at a minimum, and the device should be required to lock after so many minutes of inactivity and after a certain number of unauthorized attempts to access data.
- Define which apps will be supported: There are new apps everyday, but a policy can at least try to keep up with some of them by clearly defining which ones will be supported. Some businesses support only email functionality. Some, more, like calendaring, PDF, or Microsoft Office.
- Data protection/security: A policy should expressly define the types of protection and security the business requires on devices, which should include anti-malware programs, restrictions on downloading company information, and restrictions on accessing certain types of websites.
- Reimbursement: A policy should clearly define who is paying for the device, apps, usage changes, etc. Employees need to understand which charges they are responsible for.
- What happens at separation: A policy must also address what happens when the employee no longer works for the business and what happens if a device is lost. It is key that all businesses retain the right to remotely wipe all data from the device if either one of these scenarios occur. Some companies use compartmentalization software that allows for corporate information to be accessed via a particular application. This compartmentalization application allows the business to wipe just the corporate data and leave the employee’s personal data, like pictures, in tact.
- Access/collaboration: The policy should address how corporate information will be shared on these devices, i.e., will the business use a corporate Dropbox or Yammer account, or will employees be allowed to access their desktop from their mobile devices.
- No expectation of privacy: The policy should note that employees do not have a right to privacy for any work or communications done via a mobile device, and that any and all communications passing through the device (even personal ones) could be accessed and referred to at any time.
- Liability: The policy should also contain a section defining liability. Specifically, it should provide that the business is not responsible for the loss of any of the employee’s data and from any service disruptions. In addition, the policy should also note that the business has the right to remove any supplied applications from the device as a result of a violation of the policy.
- Follow the laws: Lastly, the policy should include a statement informing employees that they are expected to follow all laws, including safety laws, when accessing devices and wearables, including no texting or connecting to the Internet while driving.
Some IT security measures that may also prove helpful:
- Implement minimum system requirements and configurations
- Install security-related software to the device
- Encrypt company data on the device
- Apply security patches
- Device monitoring to detect hacking, malware, or misuse
- Anti-virus software
Technology and business is a balancing act, and allowing devices and wearables into the workforce is not a choice. It is going to be something every company is going to have to figure out how to deal with on its own terms. BYOD/WYOD policies are more than just policies; they demonstrate a shift in the times and in corporate culture. These devices can increase productivity and efficiency, and allow employees to work more freely and not be chained to a desktop. These are all great things. The counter to this is that they do increase security risks and may create other problems. This is why it is imperative for every business to take steps to proactively decide what its corporate culture on devices and wearables will be. If a company does not, a security breach or an employee lawsuit will likely do it for the company later.
And do not forget training. A policy is not worth the paper it is written on if an employee does not actually understand how it works, what it means, and what is actually expected of them. Businesses would be wise to train their employees in this regard.