If you’re reading this, odds are that either your employees are requesting to use their personal devices for business purposes, or you’re looking for alternatives to purchasing company devices for your employees. Either way, things can become complicated if you do not have a solid BYOD Policy in place at your organization.
The best way to envision your BYOD policy is as an extension of your existing IT and Security Framework, as opposed to a stand-alone HR policy. While it’s important to outline who is paying for what, and what kind of usage behavior is acceptable when a personal device is being used for work, the security and data management of personal devices also need to be addressed.
1. Specify what devices are permitted.
Remember the days when your work phone had to be a BlackBerry device? Well, these days BlackBerry devices aren’t the only secure work-appropriate devices on the market. Considering the variety of makes and models currently available, organizations will need to decide what specifically will be permitted.
Different devices will have different capabilities, operating systems, and compatibility considerations. Make it clear to employees who are interested in BYOD which devices you support and which are not permitted.
2. Establish a stringent security policy for all devices.
Passwords and lock screens are imperative and non-negotiable. As there is a considerable amount of sensitive information available on devices, employees who are using their own hardware must comply with data protection guidelines.
A simple but often overlooked security requirement is password selection. Weak four-digit PINs will do very little to protect lost or stolen devices. Complex, randomized alphanumeric passwords or fingerprint identification tools are your best options.
Never allow a jailbroken or rooted device to access your network. Use an MDM tool to monitor devices and confirm that each one is compliant before it accesses the network.
3. Define a clear service policy for employees using their own devices.
Are your users technically savvy enough for self-support? What degree of support should your IT team provide? It’s important to set the boundaries for what support services the organization is responsible for. Address these considerations in your BYOD policy:
- What level of support will be available for initial connections to your network from personally owned devices?
- What kind of support will IT representatives provide for broken devices?
- What about support for applications installed on personal devices?
- Will you limit Help Desk to ticketing problems with email, calendaring, and other personal information management-type applications?
- What if a problem with a specific personal application is preventing access to the apps you have previously stated that you will support?
- Is your support basically a ‘wipe and reconfigure’ operation?
- Will you provide loaner devices for employees while their phone or tablet is being serviced?
4. Define segregation of personal and organizational data.
If you want to store data locally on the endpoint, use a mobile application or data management tool to securely segregate personal from business data. Where is the data going to sit – locally on the device, or in the cloud? These decisions will help you determine your data ownership strategy as well.
5. Who owns which apps and data?
While it may seem logical at first that your company owns the personal information stored on the servers that your employees access with their devices, things get hazy when you consider the problem of wiping the device in the event it is lost or stolen. Consider this: when the phone is wiped, all content is usually erased, including personal pictures, music, and apps that the device owner has often paid for.
Does your BYOD policy make it clear that you assert the right to wipe devices brought onto the network under your plan? If so, do you provide guidance on how employees can secure their own content and back it up so they can restore personal information once the phone or device is replaced?
6. What’s your employee exit strategy?
When an employee departs your organization, what happens to their device and the data and applications on it? Will you retain the right to wipe the data, or will it be mandatory to have employee supervision for the removal of data? Can you afford to rely on good faith in these circumstances?
Once your BYOD Policy is complete, you can begin implementation with an eager group of technologically savvy employees who can self-service to some extent.