Bring Your Own Device (BYOD) as a corporate policy may save money by eliminating corporate purchasing of mobile devices, but there are risks associated with it.
Allowing employee-owned mobile devices in the workplace affords employees a great deal more freedom with their devices, and by extension, with critical company data and applications. When using a personal device, employees push back on the employer’s Mobile Device Management (MDM) systems that control access to their devices because they don’t want personal information shared with their employer or deleted. Even the Supreme Court recognizes that we all have a lot of personal information on our devices. In a recent case it was unanimously ruled that personal electronic devices require a warrant to be searched because they contain a digital record of nearly every aspect of their owner’s life. Even with an MDM system, your company may not be able to remotely wipe highly sensitive company data before it’s too late. For example, when the employee decides to upgrade, it is difficult, if not impossible, for you to control what happens to the used device. This can result in a significant risk if the device is not properly erased when it’s given to a child or friend, donated to a charity, or sold online by the employee.
With security and ease being called into question, both employers and employees have been re-thinking BYOD policies. In fact, even back in a 2012 study by Intel, the majority of employees polled said they would prefer to pick from approved devices rather than bring their own personal one to work. This has resulted in an alternative to BYOD called CYOD, which has quickly been growing in popularity. CYOD, or Choose Your Own Device, is a policy that allows employees to pick from a list of approved, company-owned devices – a marriage between the freedom and comfort of BYOD and the security of devices controlled by the company itself.
While BYOD and CYOD are similar in some ways, the latter affords employers a number of important advantages. By reducing the number of supported devices to a short, approved list, a company’s IT department can specialize in those devices and their accompanying operating systems, allowing for more functional tech support and lower costs to maintain different platforms. This also allows the company to manage the OS version on each device. This is much more difficult to enforce with employee-owned devices, since users may not update their phone’s OS when prompted, or may update to unsupported versions.
Using only devices that are issued by the company also leads to better control of applications and corporate network access, which lessens the risk that data or network security can be compromised. Finally, since the device is not owned by the employee, CYOD allows companies to maintain control of their end-of-life practices and policies.
There are also additional savings to consider. Even company-owned devices are usually upgraded every 12 – 24 months, so recovering the residual value is a good strategy. With a CYOD policy, the company controls the entire process and can ensure that all devices are completely erased or, if not salvageable, recycled properly. From a security risk perspective, CYOD may be the best alternative for many companies. Whether you manage BYOD or CYOD, or have a mix of both, IT managers need to ensure that when a device is being retired from corporate use, all corporate-related data and applications are erased.