Today’s world of mobile devices, tablets, and smartphones has introduced an interesting layer of complexity for IT departments in businesses everywhere. Employees often own and are familiar with their own technological devices, presenting both an opportunity and a challenge for employers—how can you control the use of these devices without eliminating them entirely?
The go-to solution is to create a custom bring-your-own-device (BYOD) policy, which outlines exactly how and why employees’ home devices may be used for work or for network applications.
While there’s no single “correct” way to design and implement a BYOD policy, there are some staple features you’ll need to include if you want to preserve your security and maximize your team’s efficiency.
Must-Haves for BYOD
These are some of the most important features of your BYOD policy:
1. Mobile device management (MDM) software. As System ID explains, MDM software “is an IT security application solution where the company can manage, monitor and secure devices that access the company’s network applications.” If you’re going to have multiple mobile devices on your network at any point in time, it’s good to know who’s using what—and how they’re using it. It’s a good way to enforce the policies you set and keep a closer eye on any unauthorized activity to prevent security breaches before they happen.
2. Device security. More than a third of all smartphone owners don’t use a password to secure their personal devices, a basic security step that should be necessary for any device that contains sensitive company information. At a minimum, your employees should be required to secure their devices when not in use. You may also require employees to change their passwords regularly, or protect those devices in other ways.
3. IT department role specifications. Are you going to be responsible for employees’ devices in any way? Some employers may partially or fully compensate employees for any home devices they use to accomplish their professional responsibilities. But what happens if an app can’t be installed on a device, or if something goes wrong with the device? Will your IT department be responsible for fixing it? Your BYOD policy needs to explain this.
4. Ownership of apps and data. Your employees’ devices are going to have both personal and professional apps and data on them. On a traditional work device, anything on the device is fully and exclusively owned by the company (in most cases), but this rule can’t apply to a device that’s also permissibly used for personal applications. How are you going to specify which apps and data are owned by the company? This is a tricky regulation to navigate, but it’s important to proactively specify these rules.
5. Apps to allow or disallow. Employees will be using your network on their personal devices, and for the most part, they’ll be using work apps while at work, but are there any apps that won’t be allowed? For example, if you’re using a VPN tunnel, would you allow an employee to post something to their personal Facebook account? Be specific here to avoid any trouble.
6. Acceptable use ambiguities. Acceptable use policies will have a lot in common with BYOD policies, but there will still be some differences to iron out. According to the Infosec Institute, “Frequently, there will be a list with prohibited activities. It is important to remember that at the heart of the AUP as a regulatory document is the concept of respect and ethical use.” For example, your AUP may prohibit the exchange of personal messages or inappropriate material on company devices, but what if an employee uses an acceptable personal device and a corporate network to exchange private information? Does this constitute a violation of either policy, and if so, which one? Again, this is a tricky area to navigate, but the further ahead you think here, the better.
7. Basic security standards. You’ll also want to make sure all your employees are up-to-date with basic security standards—and that’s useful even if you don’t have a BYOD policy. For example, make sure your employees know how and when to connect to a network securely, how to set and maintain strong passwords, and how to avoid scams like phishing, which could instantly compromise your network.
Enforcing and Revising Your Policy
Because BYOD is still new, you’ll likely encounter some situations you weren’t fully prepared for. When they come up, take the opportunity to clarify new rules and regulations, and update your staff accordingly. Chances are, your BYOD policy will evolve significantly in its first few years, so remain flexible and be patient as you find the best combination of rules to enforce. Eventually, you’ll be able to balance the advantages and disadvantages of BYOD so your employees remain productive and your network remains secure.