5 steps to a solid BYOD policy
It’s increasingly common for employees to have their own devices – laptops, tablets, phones – at work; devices that they’re comfortable and familiar with. Often, they’d prefer to use these devices rather than company issued ones. From a training perspective, this makes sense. Employees achieve the ability to work remotely while using devices they already know well. It’s also beneficial from a cost perspective. A company might maintain a handful of “loaner” laptops, for example, but not need to supply one to every executive.
But BYOD or bring your own device policies can create some potentially dangerous situations for employers, mostly through company and IT security. Take these steps when creating your BYOD policy.
1. Determine who can use their devices for work
Two important questions are who can use their devices for work, and how much access can they have? Accessing Outlook on a phone is reasonably secure and may make sense for many employees. Communication tools like Slack or productivity apps like OneNote can also make sense for most of your staff. But higher level security access must be carefully managed and assessed.
What jobs does each employer need to do? What tools and data do they need to access to do these jobs? You may decide that some levels of access require on-site clearance, and so own-device usage may not be suitable.
2. Decide what security is necessary on those devices
Some businesses opt to enable virtual machines on laptops, with security features built in. For other businesses, the migration to cloud computing is complete, and a user can access cloud functions safely from their laptop. These organizations should ensure that company-issued antivirus program installed, and is then run and updated on a particular schedule.
3. Give options to remote workers if BYOD isn’t allowed
If BYOD is impossible but remote work is necessary for business operation, how can that be handled? Will companies maintain a bank of laptops or tablets that can be signed over for personal use? Or will the company adjust its function so that remote work isn’t necessary? Decide on the best option for your means.
4. Determine policy for data retention
Retaining sensitive data is one of the most concerning issues regarding employee-owned devices. For some functions, such as Office 365, not all tasks can be completed in the cloud apps; files must be downloaded, modified, and then re-uploaded. What then happens to this file?
Some businesses require that all files be stored in a company owned shared directory, but this doesn’t prevent employees from saving files. And not all employees realize that putting something in the “trash” folder doesn’t delete it immediately.
Setting up robust protections in this area is crucial, including providing tools for secure file deletion, and educating team members on the importance of good data retention/disposal practice.
5. Respond to use of unverified apps
On cell phones especially, employees love to download apps that they think will enhance productivity or improve their work ethic. While this is great for their personal data, company data cannot be allowed into these unsecured apps. Without IT verification, the risk of loss or breach is just too great. Employees have to understand this, and companies should monitor for signs of access from unauthorized applications.
The flip side of this is that IT must be responsive to employee needs. If everyone in the company is using an unsecured IM program, for example, IT should locate and implement a company-wide communication program that can be safely monitored. Recognize that employees aren’t looking to harm the company; they just want to be able to do their work efficiently.
BYOD is almost inevitable at this point, and it can save companies significant amounts of money. But businesses needed to create strong policies that protect the company without inconveniencing the user to the point of frustration.