Why not to secure personal devices like the company's
Applying the same security policies to employees' personal devices and company-issued devices alike may make sense on an intuitive level, but using device management software on gadgets you do not own involves risks. The trick, according to InformationWeek's Art Wittmann, is to not confuse device management with data security.
When a device is issued by an employer, the employee assumes the risk for putting personal data on it. But when employees put personal data on their own gadgets, they are unlikely to take it lightly if IT inadvertently wipes them clean via a software update or other management function, Wittmann cautions.
"Do you really want responsibility for un-archived irreplaceable family pictures, or bank records, or the office fantasy football pool, or whatever?" he asks. "Telling the user he should have had a backup won't get you far. It certainly won't win you the admiration and respect of your coworkers, and inevitably, somewhere, sometime, lost personal data will lose someone a lawsuit."
Employees really do not want to carry around two phones, Wittmann writes. While they often are content to use their own devices for work and personal purposes, they won't take kindly to IT acting as though the company owns those devices. In other words, they don't want you using remote wipe on their devices or imposing complicated password policies.
The way to deal with this problem is to recognize that data security is a different function from device management, and the two should be approached separately, Wittmann recommends. Data security is always a primary responsibility of IT, but device management--delivering apps efficiently to users--need not be if the company doesn't own the device. IT should focus first and foremost on safeguarding the data, not worrying about the device.
"First, data should be protected at its native-use level," Wittmann urges. "Got a spreadsheet of employees and proposed raises? Put a password on it. Keeping lots of personally identifiable information for business purposes? Encrypt it, make it very hard for that data to walk out the door, and consider making anonymized versions easily available."
To truly protect data on employees' personal devices, however, IT must educate the users. "The biggest and most important thing that IT must do is to stop viewing its customers as the problem and start viewing them as the biggest part of the solution," he writes. "Well-meaning but uneducated users are your biggest risk. So teach them, and make them your biggest asset."
For more, see:
- Art Wittmann's post at InformationWeek