In the last few years companies have been increasingly allowing employees to use their own devices to access the company’s email, calendar, employee directory, and other corporate data. This phenomenon is known as “Bring Your Own Device” (BYOD) programs or IT consumerization. BYOD gives employees more flexibility and mobility, which in turn makes them happier and more productive. Employees are no longer required to use specific types and brands of devices. They can use their favorite gadgets and service plans, which are usually paid for out of their own pockets, saving the company a lot of money. Also, studies show that the help desk receives fewer calls when employees use their own devices than when they use company-provided equipment. These employees seem to be more technology-savvy and eager to solve most of their technical problems themselves.
Employers used to be the driving force behind consumer technology innovations. However, since it is very costly to refresh equipment, companies tend to replace computers every three to four years, and smartphones every two to three years. On the other hand, employees often purchase more sophisticated devices than the ones offered by the employer. As a result, Gartner predicts that by 2018 there will be twice as many employee-owned devices in the workplace as enterprise-owned devices. This increase of personal devices in the workplace poses significant challenges to organizations in areas such as security, legal liability, and technical support. Thus, firms in highly regulated industries like banking and healthcare are pushing back on BYOD, but they are slowly realizing that, in this case, resistance is futile. The best way to embrace this program and diminish concerns is to implement a robust BYOD policy with clear and precise clauses. The following are some of the components that should be included in the policy.
Every employee who wants to participate in the BYOD program must read, agree with, and sign the BYOD policy. The employee should clearly understand that this privilege can be revoked from individual employees if they breach the agreement, and it can also be withdrawn from all staff at any time if the company deems it necessary.
Make sure the policy indicates which classes of employees qualify for this program. For instance, you may exclude non-exempt employees to avoid legal issues if these employees access company data off the clock.
Employees must attend and participate in training on security guidelines, including the risks of BYOD, at least once a year. The company should also post a resource page with frequently asked questions (FAQ) on the company’s intranet. Additionally, you should designate a point of contact for questions about the policy.
- Devices, Brands, and Models
In addition to indicating which types of devices are accepted, such as laptops, smartphones, and tablets, you need to specify the brands and models that the company can support. It is important to be very selective and only welcome devices that provide a good level of security, reliability, and flexibility. Otherwise, the security and technical support groups would be inundated with issues. It might also be a good idea to limit the number of devices each employee can bring to the workplace at a time. Indicate that each device must be approved by the company before connecting to the company’s network.
All the equipment in this program must be password-protected to prevent unauthorized access to the enterprise’s network and data. The passwords should adhere to a firm-wide policy. For smartphones, the passwords should be at least eight characters long. For larger devices, such as tablets and laptops, the password should be complex, including letters, numbers, special characters, and both upper and lower case. The device should lock after a few failed login attempts. It should also lock automatically after 10 or 15 minutes of inactivity. State that the employee should refrain from accessing certain websites and from sending inappropriate material over the company’s network.
Employees must agree to keep their devices in good standing by applying security and operating system updates on a timely basis. Also, the devices should have an approved virtual private network (VPN) app that ensures a secure connection on public Wi-Fi hotspots. Furthermore, employees should exercise caution and not lend their devices to other people. The company must install antivirus software on laptops, and it should also consider doing so on smartphones and tablets.
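The two paragraphs above read as a checklist, which is exactly what an MDM compliance rule set turns into. The following added example (not code from the post or from any MDM vendor) evaluates constructed device posture records against those requirements; the field names, the failed-attempt count, and the patch-age limit are assumptions, since the post gives no numbers for the last two.

```python
from datetime import date

# Policy thresholds. Values the post states (8-character passwords on phones,
# complexity on tablets/laptops, auto-lock at 10-15 minutes, antivirus on
# laptops) are used as-is; the failed-attempt count and patch age are
# assumptions, since the post gives no number for either.
MIN_PHONE_PASSWORD_LEN = 8
MAX_INACTIVITY_MINUTES = 15
MAX_FAILED_ATTEMPTS = 5          # assumption for "a few failed login attempts"
MAX_PATCH_AGE_DAYS = 30          # assumption for "on a timely basis"
COMPLEXITY_CLASSES = {"lower", "upper", "digit", "special"}
APPROVED_VPN_APPS = {"CorpVPN"}  # hypothetical approved VPN app name

def evaluate_device(dev, today):
    """Return the policy findings for one posture record (empty list = compliant).

    `dev` holds settings as an MDM agent might report them; the field names
    are assumptions for this example, not any vendor's schema.
    """
    findings = []
    if dev["password_min_length"] < MIN_PHONE_PASSWORD_LEN:
        findings.append("password shorter than 8 characters")
    if dev["kind"] in ("tablet", "laptop"):  # larger devices need full complexity
        missing = COMPLEXITY_CLASSES - set(dev.get("password_requires", ()))
        if missing:
            findings.append("password complexity missing: " + ", ".join(sorted(missing)))
    lock = dev["failed_attempts_lock"]
    if lock is None or lock > MAX_FAILED_ATTEMPTS:
        findings.append("no lock after a few failed login attempts")
    idle = dev["inactivity_lock_minutes"]
    if idle is None or idle > MAX_INACTIVITY_MINUTES:
        findings.append("inactivity auto-lock exceeds 15 minutes")
    if (today - dev["os_patch_date"]).days > MAX_PATCH_AGE_DAYS:
        findings.append("operating system updates not applied on time")
    if dev.get("vpn_app") not in APPROVED_VPN_APPS:
        findings.append("no approved VPN app installed")
    if dev["kind"] == "laptop" and not dev.get("antivirus_installed"):
        findings.append("antivirus missing on laptop")
    return findings

# Constructed sample posture records, not from a real MDM inventory.
SAMPLE_DEVICES = {
    "phone-001": dict(kind="smartphone", password_min_length=8, failed_attempts_lock=5,
                      inactivity_lock_minutes=10, os_patch_date=date(2016, 5, 20),
                      vpn_app="CorpVPN"),
    "laptop-007": dict(kind="laptop", password_min_length=12, password_requires=("lower", "digit"),
                       failed_attempts_lock=None, inactivity_lock_minutes=30,
                       os_patch_date=date(2016, 1, 3), vpn_app="CorpVPN", antivirus_installed=False),
}

def compliance_report(devices=SAMPLE_DEVICES, today=date(2016, 6, 1)):
    """Map device id -> findings; a device with any finding should be denied network access."""
    return {name: evaluate_device(dev, today) for name, dev in devices.items()}
```

In practice the posture data would come from the MDM agent's inventory feed and the report would drive a conditional-access decision rather than just a printout.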
- Mobile Device Management Technology (MDM)
The company should use mobile device management technology (often referred to as MDM) to create a virtual partition on each device that separates business data from personal data. This software will facilitate security measures the employer wishes to impose and will limit employer access to only company data. One of the MDM options is AirWatch.
- Technical Support
Specify how much technical assistance the company will provide for personal devices and the software installed on them. For instance, the company might state that it will support connectivity issues with the company network.
- Approved Software
Specify the list of approved apps for work purposes, such as those for email, social networks, and productivity.
- Ownership of the Data
Stipulate that company data must be stored on the company servers and approved cloud services rather than saved on the devices. However, it is acceptable to cache a certain amount of data on the devices. Clarify that any data, even personal data, stored on the company servers and cloud services belongs to the firm. As a result, the employee should have no expectation of privacy regarding the above data.
In the case of a data or policy breach, or the loss of a device, the company has the right to delete the company’s data remotely. Although there are applications that partition the data into professional and personal, it is important to tell employees to back up their personal information on a regular basis, in case it is deleted by accident.
- Reporting Lost or Stolen Devices
Employees must report any lost or stolen devices as quickly as possible. This measure will allow the company to delete company data promptly via remote access.
Specify which costs the company will cover and which the employee will pay. Keep in mind that individual states may require the business to reimburse employees for business expenses, including costs related to personal devices and services used for work purposes.
- Working After Hours
If the company includes non-exempt employees in the BYOD program, it might be wise to limit the hours during which these employees may work, in order to limit the company’s liability.
- Policy Updates
The policy should be reviewed and revised by the firm at least once a year. With constant changes in technology and the increase in security breaches, updating this policy on a regular basis is imperative. The plan should be aligned with security guidelines, the desired balance between security and flexibility, and the culture of the company. The BYOD policy should be developed in partnership with IT, HR, risk management, internal and external audit, and inside and outside legal counsel.
The concepts mentioned above will help you put together or enhance your BYOD policy. An effective strategy helps balance security, compliance, and privacy concerns. BYOD is growing and is hard to stop. Thus, companies have no alternative but to embrace it and take the opportunity to regulate it. Do you know other great concepts to include in this type of policy? Please write a comment below.