
Company Device or Personal Phone? Finding the Right BYOD Policy

A sales manager walks out of a client meeting and wants to check company email on her own phone. The IT department pushes back: how secure is corporate data on a personal device? This tension is playing out with increasing frequency in mid-sized Turkish companies. As smartphone adoption accelerates, the demand from employees to use their own devices for work tasks is no longer easy to dismiss. But accepting that demand without a management framework carries real risks.

BYOD — Bring Your Own Device — does not describe a policy choice so much as an existing reality. Employees are already using their personal devices; the question is whether the company will put a formal structure around this or not. Without a policy, devices still connect to the corporate network and company files still get downloaded to personal phones. The difference is that without a policy, none of this is governed. Decision-makers face two broad options: issue standardized company devices, or allow employees to use their own devices within defined rules. Each path carries a distinct cost structure, security profile, and impact on employee experience.

The company-device model offers clear control. IT configures the hardware, manages software, and enforces security policies. When an employee leaves, the device is returned and wiped. But the total cost of ownership (TCO) is high. Hardware procurement, license management, maintenance, and helpdesk support all add up. There is also a behavioral problem: employees issued a standard corporate device often treat it as a burden. They do not want to carry two phones. The personal device gets used; the company device sits in a bag.

The BYOD model inverts the cost structure. Hardware investment drops close to zero — the employee already owns the device and handles its upkeep. There is a productivity argument too: people work faster and more comfortably on a device they chose themselves. But the security picture becomes more complex. Corporate data and personal data coexist on the same device. If the employee loses the phone, or resigns, how does the company cut off access to its data? Answering that question requires a policy decision before it requires a technical one. MDM — Mobile Device Management — software enters the picture here; rather than managing the whole device, it manages a separate corporate container on it. But MDM deployment requires IT capacity and budget that many companies have not yet allocated.

In practice, three decision points are critical: which applications and data will be accessible from mobile devices, what the procedure will be for remote data wipe in case of device loss or employee departure, and how the boundary between personal and corporate data will be drawn and enforced. Launching a BYOD program without clear answers to these three questions does not convert a security risk into an opportunity — it does the reverse. Companies that choose the corporate-device route face the same questions, because employees will install personal applications on those devices regardless, and the data leakage risk does not disappear.

Most small and mid-sized businesses in Turkey have not yet elevated this discussion to a formal policy level. The common picture is an IT manager handling things informally, senior management keeping the topic off the agenda, and employees acting on their own judgment. This ambiguity creates an unmanageable space both from a security standpoint and from the perspective of employee expectations. The absence of a written device policy does not mean the problem is solved — it means accountability has been made invisible.

For decision-makers, the practical criterion is straightforward: the more sensitive the data and applications that will be accessible from mobile devices, the stronger the case for centralized control. If employees need mobile access to customer databases, pricing data, or contract documents, either corporate devices or a tightly governed BYOD program backed by MDM is non-negotiable. If access is limited to email and calendar, BYOD is a lower-risk and lower-cost option. In either case, the policy needs to be written down, communicated to employees, and backed by technical controls. Without a policy, what looks like freedom is actually just unmanaged exposure.

This article was originally written in Turkish by Gökhan MERCANOĞLU on March 29, 2010 and has been automatically translated into English and other languages using machine translation.

Gökhan MERCANOĞLU


Technology Consultant & Author

Independent technology consultant writing on ERP, CRM, automation, artificial intelligence, and enterprise technology strategy.
