BYOD is by now a familiar topic with what seems like daily discussion. BYOD can be defined as “[t]he practice of allowing the employees of an organization to use their own computers, smartphones, or other devices for work purposes.” Many businesses have adopted a BYOD work environment. There are a number of reasons for this, but the one most frequently cited is that surveys have repeatedly shown that using a device of one's own choosing results in greater employee satisfaction and increased productivity. Acceptance has continued to grow as companies recognize the opportunity to mobilize the workforce and cut hardware costs at the same time. In many companies, the driving force behind BYOD originated with demands from the C-suite, who wanted to use their own devices while remaining fully connected.
Companies that do not establish a BYOD policy will find that employees use their personal devices for work-related activities anyway, just without any rules governing how corporate data is handled on them. An effective BYOD policy must spell out the expectations for users of personally owned mobile devices so that corporate data is protected and network access is secured. The BYOD policy must tie directly into your Acceptable Use Policy.
Writing an Effective BYOD Policy
Before writing the BYOD policy, there are two basic things you need to establish: what is happening now (which personal devices are already in use, and for what), and what you plan to allow based on your organization's future mobility needs.
The most basic question to start with is who in your organization has a need, and is authorized, to use their own devices for work-related activities. Often, the decision comes down to whether the privilege is made available to all employees or only to a select group with a demonstrable need. Security concerns might argue for restricting the policy to the latter group, but many companies find that the other benefits push them toward company-wide adoption.
Regardless of which direction you choose, the first step is to document every device touching the company network. The BYOD policy must mandate a registration process for all personal devices that will be used in the work environment, so that an unregistered device can be recognized and refused. This step should be accompanied by a BYOD agreement: have employees review the BYOD policy and sign the agreement so that their consent to its terms, including any remote wipe provisions, is on record.
The list of acceptable devices can be either general or specific. It may be specific based on job function, or it may be as simple as a list of all the devices the company is able to track and support. While specific models can be listed, it often makes more sense to keep the list general, as in the list below, since models change constantly and a model-specific list goes stale quickly.
Acceptable Applications and Uses
Also, be sure that the policy expresses zero tolerance for dangerous activities while driving, such as texting, emailing, or talking on the phone without a hands-free device.
Define Who Owns the Applications and Data
This is one of the points most often missed when developing a BYOD policy. The device itself belongs to the employee, but the company data and applications stored on it do not, and the device owner will understandably view everything on the device as his or her own. The BYOD policy must therefore clearly state that the company reserves the right to wipe any device that accesses the network or company data, including email, contacts, and similar content. This can become a point of contention in the event of a lost or stolen device, because in most cases a full device wipe erases all content, including personal pictures, music, and files. Where the management tooling supports it, the policy should also say whether the company's default action is a selective wipe that removes only corporate data and applications, or a full wipe of the device, and under what circumstances each is used.
To reduce such contention when a device wipe is required, it is advisable to give employees a guide to good practices for backing up and securing their own personal data on the device, so that a wipe does not mean irrecoverable loss.
Service Policy for BYOD Devices
It is important for the policy to state clearly which types of support the company will provide for BYOD devices and what remains the owner's responsibility. For example, the following should be addressed:
How to Handle when an Employee Leaves or is Terminated
The BYOD policy must specify the steps to be taken when an employee exits the company. This should be a mandatory item on the HR checklist for exiting employees, so that it happens every time and not only when IT happens to hear about the departure.
The policy should be specific about how it handles the removal of applications, email access, company data, and any access to VPNs, LANs, and WANs. Employees are expected to deliver their device(s) to the company's IT department for an exit review of the devices upon termination of employment.
If the policy calls for a full wipe of the device, it is best to include provisions for working with employees to back up personal data, pictures, and any applications the user purchased. The policy should specify that the company reserves the right to issue a full wipe command if an exiting employee does not voluntarily work with IT to complete the designated cleaning or wipe process before their departure date.
Educate, Maintain, and Enforce
Creating the BYOD policy is a great step forward, but it provides the greatest value only if you educate users and regularly maintain and enforce the policy.
Periodic employee training on the latest safe practices and security pitfalls, along with a review of the key points of the policy, is advisable. A policy is only as good as the extent to which it is followed and enforced. Using the tools available to it, IT should develop a means to monitor BYOD activity on the network and in the related applications, so that unregistered devices and policy violations are actually detected rather than assumed away.
The outline of key points I have listed above is just the basics. By setting up a BYOD policy that covers these points, you will be well on your way to crafting a policy that meets the company's needs, which are to protect the security and integrity of its network and data. Note that a more detailed policy may be required depending on the line of business. For example, healthcare and financial entities have a whole set of additional regulatory considerations on top of these basics that are beyond the scope of this article.