What Do You Need to Implement a BYOD Policy?
What is a bring your own device (BYOD) policy, and why should you consider it?
By: John Eatmon
A bring your own device (BYOD) policy is an increasingly popular business strategy. Not only does it save a business money, but it also improves productivity because people tend to be more comfortable working with their own devices. There’s no need to train them in using a new platform, and they can get straight to work without any convoluted onboarding processes. But to ensure your confidential business data doesn’t end up in the wrong hands, such as when a device is reported lost or stolen, you’ll need a clearly documented usage policy.
That’s broadly what a BYOD policy is: a set of rules governing the level of support that business IT departments provide for employee-owned devices, as well as the obligations and limitations employees have to abide by when using personal devices for work. It’s an essential document to have for any business that wants to cut back on the expenses of purchasing and maintaining its own technology. To establish a successful BYOD policy, businesses must also have two vital elements:
Control of employee-owned devices
Perhaps the most obvious challenge that comes with allowing the use of personal devices in the workplace is that it means losing a degree of control. No employee will willingly enroll in a BYOD policy if they think it involves surrendering their privacy and having managers dictate how they use their own devices. Control is also difficult for practical reasons, since employees will likely use a much wider range of operating systems than your in-house systems run. This makes it harder to implement uniform regulations.
For the sake of support, administrators should only allow platforms they have experience and knowledge in dealing with. If, for example, they’re only familiar with Windows, they probably won’t be very good at diagnosing problems and enforcing security standards on devices with iOS or macOS. Also, to protect privacy without compromising on data security, it’s advisable to keep all sensitive data stored remotely. If any business data must be stored on a mobile device, it should reside in its own partition that administrators have full control over.
Most importantly, a BYOD policy should set the standards for what sort of devices may be included. You should ban jailbroken smartphones and tablets since their modified firmware is less secure and unsupported by the manufacturer. You’ll also want to blacklist any apps with known vulnerabilities, particularly on devices running Android, as the Google Play Store regularly gets targeted by malicious software.
Ownership of apps and data
Many BYOD policies include a remote wiping clause that allows administrators to remotely delete all data stored on a device reported lost or stolen. While the policy should clearly state that the business will do everything it can to avoid harming employee-owned apps and data, there might be situations where it’s unavoidable. After all, normally when you wipe a device, it gets reset to factory settings and anything added by the owner since purchase is removed permanently.
It’s important that businesses retain full legal ownership and control of any data stored on an employee-owned device. For this, you’ll also need a clear exit strategy for when an employee leaves the company or no longer wishes to be enrolled in your BYOD policy. That’s why you need a way to revoke access rights to any accounts the employee has been using. It’s not as simple as returning a company-issued phone or laptop, and administrators need to offer clear ways of protecting and/or restoring a user’s personal data or purchased apps when necessary.