What are your expectations or your thoughts when it comes to having a discussion about user device tracking technology? This was the opening question that I presented to spark a dialog about the topic of user device tracking. In my first post, I wanted to center the conversation on what the expectations should be with corporate owned technology. I shared my thoughts that any computer, laptop, phone or any other company device, belongs solely to the company and as such the company has the right to be able to have total control of those devices as well as the final say on how those devices are used. For the sake of this discussion, let's refer to this as old school expectations and in today’s world the technology and the way we do business has completely changed the twenty first century.
No longer is the laptop the only device that is used to access company resources in our day-to-day operations. What is new in the twenty-first century is the concept of Bring Your Own Device (BYOD) or is also called Bring Your Own Technology (BYOT), Bring Your Own Phone (BYOP), and Bring Your Own PC (BYOPC). This concept refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smart phones) to their workplace, and to use those devices to access privileged company information and applications. The term is also used to describe the same practice applied to students using personally owned devices in education settings.
The foundation of my argument has been that corporate, or academic owned assets are the property of the institutions and as owner of these devices, they get to call the shots. Companies and/or institutions have no ownership claim of these personally owned devices and that I believe changes the dynamics of the conversation. The concept of BYOD did not come about because a company thought it would be a good idea to give their employees this kind of freedom, in reality it was quite the opposite; they could not stop the employees from using their own devices and needed to figure out some kind of way to handle, control, and track the company data in this wild west free-for-all device world.
In all practical purposes, the technology is already available to track these personal devices using the same tools that are being used to track corporate laptops and other devices. Some of the most common methods use certificates to establish the identity of the device when connecting to corporate or academic resources and from there the MAC address of the device or the username can be utilized to track the connectivity inside the corporate network. Same rules apply and the technology is there, but is this type of tracking what we should really be focusing on? I believe this should be one part of the process with an even greater focus on data tracking. This is what will be the most challenging, but also one of the most important tasks for companies who utilize BYOD. The companies must develop a policy that defines exactly what sensitive company information needs to be protected and which employees should have access to this information, and then to educate all employees on this policy. However, is education and policy going to be enough? How much corporate control of the personal devices needs to be incorporated into these BYOD policies?
That idea of corporate control of personal devices is where things can really get out of hand in my personal opinion. I have seen corporation’s present policies to their employees where they welcome the employees bringing their own devices as long as the company can install a company approved image on the device that gives the corporation complete and total control of the device. Which in my view, changes the device from a personally owned and operated device and morphs the device to nothing different than any other corporate owned and maintained asset that the company can use without the financial responsibility of the company to have to purchase the device. Should this be the way of the future in that when you work for a company you should be expected to supply your own computers, phones and/or tablets that must be loaded with the company approved operating systems and applications, as well as adhering to corporate based usage policy? Where is the middle ground when it comes to BYOD before it turns into supply your own corporate device? That is the question I would really like to open for discussion. What are your expectations when it comes to the personal devices that you own, but utilize in both your personal and professional worlds?