BYOD Policy: Have You Adopted One Yet?
A bring your own device (BYOD) policy permits employees to use their personal devices (laptops, tablets, and smartphones) at work to access privileged company information and applications. This has many benefits (improved efficiency and morale, lower costs) but it also brings significant security and legal compliance risks to the workplace. Before your employees begin using their own smartphones and tablets on your organization’s network, you need to outline a strong, detailed BYOD policy to protect the security and integrity of your company’s data and technology infrastructure. This written policy should outline the responsibilities of both the employer and the users. Employees must then sign the agreement, acknowledging they have read and understood the policy.

IT Requirements vs. User Requirements
Employees are generally most concerned about their lack of privacy, such as inappropriate access to, or loss through “wiping” of, personal information (financial and health data, personal photographs, videos, contacts, etc.) on their device. Employers are primarily concerned with security. To minimize these risks, state in the policy that any device an employee wishes to use must be presented to IT before it can access the network. IT can then configure standard apps, browsers, office productivity software, security tools, and mobile device management technology to create a virtual partition that separates work data from personal data. Consider requiring employees to enroll in a BYOD program through the IT department so that support is continuous.

What apps/activities are allowed and what resources can be accessed
Your BYOD policy should outline the specific apps, activities, and resources that may be accessed when connected to the corporate network. You will want to allow activities that support your business as well as access to company-owned resources (email, calendars, contacts, documents) while blocking sites like Facebook, YouTube, or Twitter. Include a detailed list of apps, activities, and resources that are and are not permitted. Also, set out rules for camera and video use, and state that devices cannot at any time be used to harass others, engage in outside business activities, or store or transmit illicit materials or proprietary information belonging to another company.

What happens when an employee quits? (who does the data belong to?)
Beyond disconnecting a terminated employee from the network, you will want to remove your company’s data from their personal device. It is vital that every mobile device can be remotely wiped to prevent former employees from accessing company content. However, corporate data may also be stored on personally owned devices by non-approved applications, which IT often has no ability to remotely wipe. It is vital for employees to understand that, upon resignation or termination, they are legally required to delete company information from their device or bring it to the IT department to have this done for them.

Basics: Remote Wipe, Locks, Password Requirements, Wi-Fi Access
To prevent unauthorized access, basic security measures should be outlined: each device must be password protected, must lock itself with a password or PIN after five minutes of idle time, and must lock after five failed login attempts. Your BYOD policy should also state that an employee’s device may be remotely wiped if the device is lost, if the employee terminates his or her employment, or if IT detects a data or policy breach.

To make sure nothing is overlooked, get input from people across the company (HR, IT, accounting, legal) when outlining your company’s BYOD policy and be aware that, just like technology, your policy will need to be updated often.