Practical Advice on Developing a BYOD Policy: The Time to Act is Now!

By Bob Nally
Trivalent Group, Inc.

BYOD is by now a familiar topic with what seems like daily discussion. BYOD can be defined as “[t]he practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes.” Many businesses have adopted a BYOD work environment. There are several reasons for this, but the one most frequently cited is that surveys have shown that using a device of personal choice often results in greater employee satisfaction and increased productivity. Acceptance has continued to grow as companies realize the opportunity to mobilize the workforce and cut costs while seeing increased productivity. In many companies, the driving force behind BYOD originated with demands from the C-Suite, who wanted to use their own devices while remaining fully connected.

Companies that do not establish a BYOD policy will find that employees will continue to use their personal devices for work-related activities. An effective BYOD policy must specifically identify the expectations for users of personally owned mobile devices to ensure the protection of corporate data and secure network access. The BYOD policy must tie directly into your Acceptable Use Policy.

Writing an Effective BYOD Policy

Before writing the BYOD policy, there are two basic elements you need to identify: what is happening now, and what you plan to do based on your organization’s future mobility needs.

Specify Who

The most basic question to start with is who in your organization has the need and is authorized to use their own devices for work-related activities. Often, the decision comes down to whether the privilege is made available to all employees or only to a select group that has a demonstrable need. While security concerns might lead to a policy restricted to the latter group, many companies find that the other associated benefits are directing them to company-wide adoption.

Regardless of which direction you choose, you must first document all the devices touching the company network. The BYOD policy must mandate a registration process for all personal devices that will be used in the work environment. This step should be accompanied by a BYOD agreement. Have employees review the BYOD policy and sign the BYOD agreement so they consent to the terms of the policy.

Acceptable Devices

The list of acceptable devices can be either general or specific. It may be specific based on job function, or as simple as a list of all the devices that a company can track and support. While specific models may be listed, it may make more sense to be general, like the list below, since the models change constantly.

  • Smartphones: Blackberry, Android, iPhone, and Windows phones
  • Tablets: iPad, Android, and Windows OS (Windows 7 or newer)
  • 2-in-1 Laptop/Tablet: Windows (Windows 7 or newer) and Apple Mac

Acceptable Applications and Uses

  • Require appropriate and up-to-date antivirus and malware protection
  • Specify which apps are allowed on a device that is touching your network. This may consist of a specific list or be more generalized, such as productivity, social media, and weather apps.
  • Provide a list of apps banned from download. This may include games, gambling apps, and iTunes and other music sharing apps.
  • Provide a specific list of which company resources can be accessed from a personal device (e.g., email, calendars, contacts, and specific types of documents), and address connections over VPN, LAN, or public networks.
  • Specify if users are allowed to enable and use the camera and video capabilities of their devices. This may be restricted by location or user.
  • Specify any specific websites or category of websites that are banned during work hours, such as any sites that make use of streaming media for purposes other than company-authorized training.

Unacceptable Uses

  • Downloading, storing, or transmitting any proprietary information belonging to the company or any of its vendors or partners
  • Harassing other individuals or groups
  • Using, storing, or transmitting any illicit materials

Also, be sure that the policy expresses zero tolerance for dangerous activities while driving, such as texting, emailing, or talking on the phone without a hands-free device.

Security Requirements

  • All BYOD devices must be password-protected using the protection features built into the device. Users should consult IT if assistance is needed in establishing password protection. Ideally, the device password should be more complex than the common four-digit PIN.
  • A strong password policy with appropriate levels of complexity should already be in place. The same policy should be applied when network access is provided through a mobile device.
  • Passwords for access to company network applications should not be stored on a device.
  • The maximum length of idle time before the device locks itself should be specified. No longer than five minutes is recommended.
  • Immediate reporting of lost, misplaced, or stolen devices should be required.
  • Modifications of devices that are already accepted in the BYOD program should be prohibited as well. Examples of actions that are not acceptable and may compromise security are “jailbroken” iOS or “rooted” Android devices.
  • Devices may be wiped remotely by IT if the device is lost or suspected to be stolen, or if the device appears to be the source of a threat, such as a virus, malware, or data breach.
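The requirements above translate directly into a compliance check IT can run over the device registry. The following is an added example, not code from the article or from Trivalent Group; the `Device` fields, the five-minute idle threshold and the "allow / block / wipe" actions are assumptions chosen to mirror the list above.

```python
"""Evaluate BYOD registrations against the security requirements listed above.
Added illustration; field names, thresholds and actions are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_IDLE_SECONDS = 5 * 60  # policy recommends auto-lock after no more than five minutes


@dataclass
class Device:
    owner: str
    platform: str               # e.g. "ios", "android", "windows"
    registered: bool            # completed the mandated registration process
    agreement_signed: bool      # owner signed the BYOD agreement
    passcode_type: str          # "none", "pin4", "pin6" or "alphanumeric"
    idle_lock_seconds: Optional[int]  # None means auto-lock is disabled
    antivirus_current: bool     # up-to-date antivirus/malware protection present
    jailbroken_or_rooted: bool  # modified device, prohibited by the policy
    reported_lost: bool = False


def evaluate(d: Device) -> Tuple[str, List[str]]:
    """Return (action, findings): 'wipe' for a lost/stolen device, 'block'
    while any requirement is unmet, otherwise 'allow'."""
    if d.reported_lost:                      # loss must be reported immediately; IT may wipe
        return "wipe", ["device reported lost or stolen"]
    findings = []
    if d.jailbroken_or_rooted:
        findings.append("modified device (jailbroken/rooted) is not accepted")
    if not (d.registered and d.agreement_signed):
        findings.append("device not registered or BYOD agreement not signed")
    if d.passcode_type in ("none", "pin4"):  # must be stronger than the common 4-digit PIN
        findings.append("device passcode missing or no stronger than a 4-digit PIN")
    if d.idle_lock_seconds is None or d.idle_lock_seconds > MAX_IDLE_SECONDS:
        findings.append("idle lock disabled or longer than five minutes")
    if not d.antivirus_current:
        findings.append("antivirus/malware protection missing or out of date")
    return ("block" if findings else "allow"), findings


def review_inventory(devices: List[Device]) -> Dict[str, str]:
    """Map each owner to the action IT should take; constructed sample input below."""
    return {d.owner: evaluate(d)[0] for d in devices}


SAMPLE_INVENTORY = [  # constructed records, not real users or devices
    Device("ann", "ios", True, True, "alphanumeric", 120, True, False),
    Device("bob", "android", True, True, "pin4", 600, True, True),
    Device("cy", "ios", True, True, "pin6", 60, True, False, reported_lost=True),
]
```

Running `review_inventory(SAMPLE_INVENTORY)` yields allow for ann, block for bob (three findings) and wipe for cy.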

Define Who Owns the Applications and Data

This is one of the points most often missed when developing a BYOD policy. When company data and applications are stored on a device, this becomes a problem because the device owner usually views the device as his or her property. The BYOD policy must clearly state that the company reserves the right to wipe a device if that device accesses the network or company data, including email, contacts, etc. This can often become a point of contention in the event of a lost or stolen device. Most of the time, when a device is wiped, all content, including any pictures, music, and personal files, is erased.

To help eliminate such contention in the event that a device wipe is mandated, it is advisable to provide a guide for employees on good practices related to both backing up and securing their own personal data on their device.

Service Policy for BYOD Devices

It is important for the policy to clearly state which types of support the company will provide for BYOD devices and what remains the owner’s responsibility. For example, the following should be addressed:

  • Which steps are needed and the support provided for the initial connections to the network using a personal device
  • Support level for applications installed on the device (support for work-related applications only)
  • Support expectations for broken or non-functioning devices
  • If the support is generally a wipe and reconfigure, the policy needs to define who is responsible for restoring personal data and applications purchased by the device owner.

How to Handle when an Employee Leaves or is Terminated

The BYOD policy must specify the steps needed when an employee exits the company. This should be a mandatory item tied into the HR checklist for exiting employees.

The policy should be specific about how it will handle the removal of applications, email access, company data, and any access to VPNs, LANs, and WANs. Employees are expected to deliver their device(s) to the company’s IT department for an exit review of the devices upon termination of employment.

If the policy calls for a full wipe of the device, it is best to have provisions for working with employees in backing up personal data, pictures, and any applications purchased by the user. The policy should specify that the company reserves the right to issue a full wipe command if an exiting employee does not voluntarily work with IT to go through the designated cleaning or wipe process prior to exit time.

Educate, Maintain, and Enforce

While it is a great step forward to create the BYOD policy, it will provide the greatest value if you provide user education and regularly maintain and enforce the policy.

Periodic employee training on the latest safe practices and security pitfalls, along with a review of key points of the policy, is advisable. A policy is only good to the extent that it is being followed and enforced. Using available tools, IT should develop a means to monitor BYOD activities on the network and in related applications.

The key points outlined above are just the basics. By setting up a BYOD policy that covers these points, you will be well on your way to crafting a BYOD policy that meets the company’s needs, which are to protect the security and integrity of its network and data. Note that a more detailed policy may be required depending on the line of business. For example, healthcare and financial entities have a whole set of additional considerations on top of these basics, which are beyond the scope of this article.