In a BYOD culture who pays for this protection?
The need for end-to-end organizational security is greater than ever. People throughout organizations are often working outside of the office, using personal mobile devices and home computers to access corporate apps, networks, and assets. Just head to a Starbucks or Coffee Shop during the week day and see the number of users working remotely. The challenge is that personal devices and home computers introduce security challenges that aren’t always easily resolved.
In fact, security is an ongoing issue for organizations that have a Bring Your Own Device (BYOD) policy.
Organizational Assets and Access
Not long ago, most companies provided mobile devices and laptops to their employees.
These devices were setup and configured by IT and outfitted with antivirus and security measures to ensure only secure, authorized access was granted to corporate networks and assets.
A lot has changed.
Companies with Bring Your Own Device (BYOD) policies are common, and most have some form of security management in place that allows them to easily manage the security of personal devices from a central location. BYOD has become so widespread that companies are now grappling with the question of who should bear the burden of cost for antivirus and security on personal devices used for work.
Should the company foot the bill, since personal devices are being used for work, or should the device owner pay for antivirus and security?
Yes! – Organizations Should Cover the Expense of Antivirus/Security on Home Computers/BYOD
If an IT manager were asked who should cover antivirus expense, they might be inclined to say the organization should.
As a practical matter, that IT manager is right. By purchasing the antivirus that has spam filter hosting, the IT department maintains control over a key part of BYOD security — preventing viruses and other malware from infecting personal devices used for work.
Other advantages include:
Centralized management of antivirus for all devices
When a company purchases antivirus for BYOD, IT is able to monitor each device from a central location. IT security professionals save time that would otherwise be spent physically managing different antivirus software on each device.
Configuration of the antivirus for optimal device security
Centralized management also allows IT to configure the antivirus for optimal security on each device type, brand, and operating system.
Reduces vulnerability of personal devices and home computers to cyber attacks
A surprising number of people have no antivirus on their smartphones and tablets. Home computers may have outdated or inadequate antivirus installed, leaving them vulnerable to attack.
When IT owns the antivirus, it can be easily deployed on an employee device or home computer.
Peace of mind
It may be cliche, but when the company pays for antivirus, IT has peace of mind — they know it’s installed and operating on all employee devices.
Disadvantages
Even though company-paid antivirus sounds like a great idea, it comes with some significant drawbacks. Some antivirus vendors have licensing terms that are fraught with pitfalls and hidden traps.
In some cases, installing antivirus on a personal device may violate the licensing terms, which could result in revocation of the vendor’s license and possible legal action.
The best way to prevent such a scenario is to have a clear understanding of the licensing terms and conditions before signing the contract.
Still, even after you sign a contract, how will you know if the antivirus was installed on the employee’s devices? Extra work may be required to create a means by which to verify that the employee downloaded and installed the antivirus on her devices.
Even so, at the end of the day, IT still has control of the antivirus on employee devices.
No! – Organizations Shouldn’t Have to Pay
Most companies are constantly on the lookout for ways to reduce expenses. Some executives may believe that, since the company allows its employees to use their own devices, they should pay for their antivirus, too.
The advantages of employees paying for their own antivirus:
Reduced IT security expenses
Antivirus licenses can be quite expensive and must be renewed periodically. Elimination of this expense can save IT a lot of money depending on the size of the company.
IT doesn’t have to manage antivirus
IT also saves the time that would otherwise be spent installing, configuring, and maintaining antivirus on hundreds, even thousands of employee-owned devices.
Employee is responsible for antivirus
The employee has to pay for antivirus and keep it up to date.
There are is a fundamental problem with the reasons above, namely that there is an assumption employee will buy, install, and maintain the antivirus. And how to you handle situations where the antivirus interferers with the device – who handles the support.
The truth: this is wishful thinking.
In this 2014 Consumer Reports report, only 14% of users installed an antivirus app on their phone. The same report also stated that only 36% of users secured their phones with a PIN.
“Most people don’t see the need for security on their mobile devices. This is very short-sighted considering the kinds of information people have on them and access with them.”
Timo Hirvonen, Senior Researcher at F-Secure, CNBC, “Most American don’t secure their smartphones“, April 2014
Disadvantages
The greatest disadvantage of leaving it up to employees to purchase and install antivirus is that most won’t do it. To be fair, the hardware and software architecture in mobile devices is substantially different from what’s used in PC and Mac computers.
Some IT departments have found that leaving antivirus up to employees has actually cost them more money. Devices that aren’t adequately secured become a liability that raises the chances of compromised proprietary information.
Antivirus is only one piece of the security puzzle, but it plays an important role.
Increased security breach risk quickly leads to violations of legal compliance, which can result in hefty legal expenses and fines.
Compromised business governance can be just as costly, with a negative impact on clients and business reputation.
The Verdict
To ensure the highest level of security for the BYOD workplace, the company should pay for antivirus. That way, IT can maintain optimal control over the security of each device, regardless of ownership and secure email providers for businesses.
Employees cannot be counted on to install and use antivirus, and may even resent being required to do so. Antivirus quality varies widely and, in some cases, may cause more problems than it solves.
Companies should pay the anti-virus expenses and the support required to maintain these products but also be aware that employees may not want corporate installed software on their BYOD. If as a company you can’t afford to provide devices, and an employee is not comfortable delegating access to a personal device there may need to be a Human Resources solution to this technical problem. Perhaps this will lead to a reduction in afterhours working from home and a better work life balance – who knows.