It increasingly appears that bring-your-own-device policies are the way of the future. As the pandemic continues, they’re moving from optional to a must-have, and employers think it may be time to make remote work and hybrid work situations permanent.
With these shifts in the work environment, a BYOD policy becomes a necessity.
With a BYOD policy, employees use their own devices, including smartphones, tablets, and laptops, for work. Some companies may specify which devices an employee can use. For example, they might have a bring-your-own-computer policy but not allow mobile devices.
When an organization adopts a BYOD policy, the devices that employees own have to be part of a more comprehensive endpoint management strategy that encompasses all potential endpoints.
An IT department has to understand the types of devices connected to the infrastructure to keep cybersecurity a top priority.
While BYOD policies have benefits and may in some ways be unavoidable going forward, they also create legal and financial risks and liabilities. The more proactively you can address these potential risks in your policy, the better.
Why Do You Need an Official BYOD Policy?
A current problem is that organizations informally allow employees to use their own devices without a concrete policy governing it. It doesn’t matter whether you’re a small business, a startup, or a larger organization.
You need a formalized approach because, without one, you’re putting your data and your business at serious risk of a cybersecurity breach.
Two data points stand out:
Thirty-seven percent of employees who access work-related content on their mobile devices don’t use their security lock feature. Thirty-five percent of employees store their email passwords on their devices.
In a recent survey of the organizations with a BYOD policy already in place, only 37% of respondents said they felt it was working well.
When your employees use devices that are not known or visible to IT, those devices can’t be monitored or protected.
You should also protect the data, as there is a possibility of device theft.
If you are a startup, here are some suggestions to build a BYOD policy:
Talk to Your Employees and Other Stakeholders
If you’re a small startup, it’s pretty easy to get a feel for what your employees and other key stakeholders want out of a BYOD policy and what their current pain points are. If you’re larger, still take the time to talk to the people most affected by the policy.
Figure out what they’d like to see in a policy and how you can solve challenges for them.
Too often, business owners and IT teams will come up with policies, hoping they meet the needs of employees, but they never go directly to them to ask for input as they’re creating those policies.
Specify Permitted Devices
There are many devices your employees might have, including phones and tablets, as well as computers. Some are iOS, and others are Android. What devices will you allow when you say you have a bring-your-own-device policy?
For example, will you allow an iPhone but not an Android? Maybe you’ll allow tablets, but not phones.
A few other technicalities and logistics to integrate into your policy when considering permitted devices include:
- How will you share costs? Your employees may need more monthly data or upgraded software, so how will that be handled? For example, will you offer a stipend for the costs that your employees may have to shoulder as part of working from home?
- Are you going to offer tech support? Who’s responsible if something goes wrong with a device, and if it breaks or is stolen, will you replace it?
- Can employees share a device with family and friends? If not, do you need to specify?
- How will you manage banned apps? Certain apps come at a high risk of introducing malware to the device.
- How should employees report a lost or stolen device? What are the timelines for this reporting?
- What happens to a device when an employee leaves the company? Data may have to be wiped, so make sure you let employees know this ahead of time.
Establish Security Policies
Again, the primary pitfall of BYOD policies, which are otherwise pretty beneficial for everyone involved, is cybersecurity.
There are a lot of elements of a security policy to consider, starting with acceptable use guidelines. Acceptable use guidelines detail which websites are banned when an employee uses a device connected to your network and which types of company-owned data employees can access.
Your acceptable use and security guidelines might also include disciplinary actions if there’s a policy violation.
Increasingly, employers are using mobile device management software to monitor and manage devices and then authorize security configurations and settings.
You’re probably going to use specific security tools, like two-factor authentication, as part of your BYOD policy. Two-factor authentication requires users to go through extra steps for access, which helps prevent hackers from gaining access to accounts.
Clarify Who Owns What
Your company owns the data that your employees access with their devices, but things can be more complex than that. For example, what happens if you wipe a device because it’s stolen or because someone leaves your company?
When you wipe a device, typically, everything is erased. Does your BYOD policy dictate your right to wipe a device? If so, what can employees do to back up their personal information?
Finally, once you’ve hammered out the specifics and logistics of your policy, ensure that you train employees on it. It’s a useless policy if your employees don’t know it and understand it.
Regularly revisit your policies to see if changes or updates are needed, particularly in the face of rapidly changing cybersecurity threats.