BYOD Policy Best Practices
How to craft a bring-your-own-device policy for your organization.
- What is a BYOD policy?
- BYOD policy best practices.
In today’s always-connected world, the line between business and personal technology can be blurry.
Organizations used to issue employees a company computer or phone to use solely for business purposes. But more and more, employees use their own smartphones to manage personal and business activities.
In the last few years, many companies have begun to officially let employees use their personal devices for work. This arrangement is often called a “bring your own device” or BYOD policy.
What Is a BYOD Policy?
A bring your own device or BYOD policy lays some ground rules for how and when employees can use their own technology to conduct company business and access company information.
BYOD practices have become increasingly popular. In a survey by Tech Pro Research, 74% of respondents said their organization is currently using or planning to use BYOD.
However, companies often allow employees to use their own devices for work with little supervision. One survey found that 53% of businesses didn’t have a formal BYOD policy.
Officially adopting a BYOD policy can have many benefits.
For one, having employees provide their own devices can help cut costs. Cisco found that a BYOD policy can save an organization an average of $350 per year per employee.
Another study found that BYOD policies make employees more productive. Plus, employees are often happier using the devices they’re comfortable and familiar with instead of switching between company and personal devices.
On the other hand, BYOD practices come with significant risks. This is especially true for organizations that handle sensitive information.
Allowing employees to store and transmit company information on a personal device gives the organization less control over information security. It could result in leaked or compromised information.
A thorough BYOD policy is essential to help your organization manage these risks as much as possible.
A formal policy not only helps protect your organization, but it also alerts employees to their rights and responsibilities regarding company information on their devices.
Here are some BYOD policy best practices:
Determine the Scope of Your BYOD Policy
Your company’s BYOD policy doesn’t have to be overly complicated. Focus on the areas that pose the biggest potential risks to your organization.
As one expert told Tech Radar:
“The first step for IT managers is to truly understand the problem they are trying to solve and find the solution that matches. In addition to addressing immediate needs, the right solution will be scalable and manageable, and can grow with an organization as its mobility strategy evolves and changes.”
Use the same policy for all employees
The modern workplace is full of devices, so your organization needs to establish how employees should be using their personal devices at work and for work.
The BYOD policy should be broad enough to cover every employee – from temp staff to the C-suite.
Make the policy as clear as possible. If the policy is overly technical or specific to one department, it may cause confusion or make some employees think it doesn’t apply to them.
For example, it shouldn’t get into the complexities of user permissions, roles, or security controls.
The nature of your BYOD policy will depend on your organization’s needs. Some companies employ a blanket policy for anyone who uses personal devices to access company information. These are typically broader and included in a larger policy manual. Other companies require users to opt into a BYOD program and sign off on specific rules to connect their devices to the company network.
Again, this depends on the needs of your business. Do employees often need to access company information on the go? What protections and restrictions are already in place for sensitive information?
In any case, make sure the same policy applies to every employee, no matter their role or leadership level.
OS versions and device platforms
One of the challenges of BYOD can be all the different operating systems and types of devices. The BYOD policy must be very clear about what kinds of devices and systems are compatible with your company network.
The policy should lay out what devices employees can use for the program. It should outline any provisions for software or device setup.
This varies between companies. Some require the company IT department to configure any device used for BYOD.
Do your research.
Some devices and software are more secure than others. Are there security concerns about specific operating systems or compatibility issues with your network or systems?
This is especially important to consider if you’re using a Mobile Device Management (MDM) tool.
IT support for personal devices
Technology glitches and problems are a reality of the modern workplace. With BYOD, employees may have a variety of devices and setups. So these issues can get complicated for IT staff.
Your BYOD policy should outline what level of IT support your organization will provide for personal devices.
Typically, employees are responsible for keeping their device updated. But who should employees contact if they have a connectivity issue or questions about a device? Will your company offer app support or help fix broken devices?
Including this in the policy will help avoid confusion.
Communicate the Employee’s Rights and Responsibilities
One of the challenges of a BYOD policy is balancing two competing interests.
On one hand, companies need to be able to control and protect information related to business operations. On the other hand, when an employee is using his or her own device, that device may contain private, personal information about that employee.
A BYOD policy won’t work unless employees know what they’re getting into. If your company has to seize or search an employee’s device for any reason, the employee needs to know what steps you will take to protect their privacy.
However, the policy also needs to clearly state the employee’s responsibilities in using their own device to access company information.
Acceptable use rules
Your company’s BYOD policy should outline exactly what employees are and aren’t allowed to do with their device while on company time or connected to the company network.
List any restricted websites, applications, or uses. Specify what company resources or networks employees may and may not access from their devices.
This section of your BYOD policy may dovetail with other computer usage or security policies.
The guidelines should line up with the rules about using company-owned technology. The BYOD policy may also include guidelines for acceptable personal use while on company time.
Passwords or biometric identification
People don’t always like having complex password protections on their personal devices. Pew Research Center found that 28% of smartphone owners don’t use a screen lock.
But if employees are going to be accessing and storing company information on a device, they need to make sure it’s protected.
Most BYOD policies have a requirement for locking devices with a PIN or biometric ID (e.g., fingerprint). Some also specify an auto-lock period.
Make sure your company’s BYOD policy outlines the requirements for device passwords and security.
With BYOD programs, employees are responsible for maintaining their own devices. This is part of the cost savings for you.
A BYOD policy should clearly state that employees are responsible for backing up their personal information and data. The policy may establish a time limit for employees to download software updates.
Keeping operating systems and other apps up to date can help protect against security vulnerabilities.
Reporting lost, stolen, or potentially compromised devices
BYOD practices leave more room for the risk of a device getting lost, stolen, or hacked. Take this into account when crafting your BYOD policy.
Create a clear procedure for employees to follow in the event of loss or theft. Who should the employee report to if their device goes missing or they suspect it may have a virus that could compromise security? In what event will the company remotely wipe the device?
The policy should protect employees from undue punishment for losing a device.
If employees fear getting reprimanded or punished, they may hesitate to report a lost device, which could cause bigger security issues.
Include Specific Security Procedures
Most companies restrict personal devices to guest networks with less access.
Your BYOD policy will need to include the requirements for connecting personal devices to your secure network. It should include step-by-step procedures to make sure employees can access the information they need.
The BYOD policy should tie in with your company’s confidentiality agreement. This should include how you expect employees to handle company information on their devices. How should they copy, store, and back up sensitive information?
Of course, not all confidential information should be available on mobile devices.
Be sure that the BYOD policy clearly specifies any restricted files or applications.
Monitoring, tracking, and remote access
The policy should clearly communicate what access your organization will have to the device. How will you enforce compliance with the BYOD policy and other rules about internet and technology use?
Employees need to know what rights your organization has to the information on their device.
This may include passive monitoring, such as reviewing access logs or browsing history on the company network. Or it may include access to individual devices in cases of investigation or litigation.
The BYOD policy may even allow for remote wiping of data if the device is used inappropriately, lost, or compromised.
If a device is searched or wiped, employees may lose personal data. They need to be aware of that possibility.
Employee departure procedure
A BYOD policy needs to include a security process to remove company information and apps from a device when an employee leaves the company.
Heimdal Security reports that 59% of employees steal proprietary corporate data when they quit or get fired. So it’s important to make sure you protect company information when an employee leaves.
Some organizations make disabling corporate email and access part of the exit interview. Some even require that IT wipe the device when the employee leaves.
No matter how you set up your company’s BYOD policy, make sure you communicate expectations and responsibilities to all employees.
A BYOD policy can be a tremendous benefit, but it will only be successful if it clearly establishes the rights and responsibilities of both the company and the employees.
As you work to integrate technology into the workplace and protect your corporate data, make sure to regularly review and update the BYOD policy and train employees on it.