A key challenge for any organization is balancing the protection of institutional data, respecting privacy and enabling trust, when employees access institutional systems with personally owned devices. Any BYOD strategy should address this balance. Personally owned devices usually are not under the control of the institution, and verifying that the devices are securely configured can feel intrusive. Allowing personal devices that are not checked for secure configuration and vulnerabilities to log into protected systems creates potentially serious and unknown risks. Institutional attempts to influence or cause configuration changes on personally owned assets and scanning them for vulnerabilities raises questions about trust and liability.
Institutions that provide employees properly configured mobile devices help reduce the need of employees to access institutional systems with personally owned devices, but this approach does not work in all situations. While the potential cost of a security breach can easily exceed the cost of providing mobile devices to employees, the cost of providing the mobile devices also can exceed available funding. Institutionally issued mobile devices may not address all legitimate needs.