One of the challenges of a BYOD policy is balancing two competing interests.
On one hand, companies need to be able to control and protect information related to business operations. On the other hand, when an employee is using his or her own device, that device may contain private, personal information about that employee.
A BYOD policy won’t work unless employees know what they’re getting into. If your company has to seize or search an employee’s device for any reason, the employee needs to know what steps you will take to protect their privacy.
However, the policy also needs to clearly state the employee’s responsibilities in using their own device to access company information.
Acceptable use rules
Your company’s BYOD policy should outline exactly what employees are and aren’t allowed to do with their device while on company time or connected to the company network.
List any restricted websites, applications, or uses. Specify what company resources or networks employees may and may not access from their devices.
This section of your BYOD policy may dovetail with other computer usage or security policies.
The guidelines should line up with the rules about using company-owned technology. The BYOD policy may also include guidelines for acceptable personal use while on company time.
Passwords or biometric identification
People don’t always like having complex password protections on their personal devices. Pew Research Center found that 28% of smartphone owners don’t use a screen lock.
But if employees are going to be accessing and storing company information on a device, they need to make sure it’s protected.
Most BYOD policies have a requirement for locking devices with a PIN or biometric ID (e.g., fingerprint). Some also require devices to auto-lock after a set period.
Make sure your company’s BYOD policy outlines the requirements for device passwords and security.
Device maintenance
With BYOD programs, employees are responsible for maintaining their own devices. This is part of the cost savings for you.
A BYOD policy should clearly state that employees are responsible for backing up their personal information and data. The policy may establish a time limit for employees to download software updates.
Keeping operating systems and other apps up to date can help protect against security vulnerabilities.
Reporting lost, stolen, or potentially compromised devices
BYOD practices increase the risk of a device getting lost, stolen, or hacked. Take this into account when crafting your BYOD policy.
Create a clear procedure for employees to follow in the event of loss or theft. Who should the employee report to if their device goes missing or they suspect it may have a virus that could compromise security? In what event will the company remotely wipe the device?
The policy should protect employees from undue punishment for losing a device.
If employees fear getting reprimanded or punished, they may hesitate to report a lost device, which could cause bigger security issues.