12 Jan The Essentials Of A ‘BYOD’ Policy
In this article, we look at what BYOD is, why a BYOD policy is important, and what elements form the essential blueprint of a BYOD policy.
What Is BYOD?
The term Bring Your Own Device (BYOD) has been around since 2004 when it was first coined as an expression. With BYOD, employees can bring and use their personally owned laptops, tablets, sometimes USB drives and smartphones to work and use them for work-related activities. The activities could be accessing company emails and information, connecting to the company network, and accessing company apps and data, and using their own device to solve work problems. Smartphones are the most popular BYOD device.
It should be noted that there are different types of BYOD. These include corporately owned/managed, personally enabled (COPE), choose your own (company) device (CYOD), personally owned, partially enterprise managed, or personally owned, with managed container application.
The benefits of BYOD underpin why it has become so popular. For example:
– Convenience. We now have more personal devices and that these devices have the capacity to do many of the things that work PCs would have done. Most people, for example, now bring at least their own smartphone to work. LaptopsDirect research found that 84 per cent of British employees now use their smartphones at work. The same research showed that those in the marketing, information and communications, creative and photographic industries (and within professional services) are the top smartphone users. Also, many businesses, particularly smaller ones, have simply come to rely on the fact that employees’ own devices are available for work use.
– Increased Productivity. Employees often work faster (with less training needed) using their own devices and, therefore, becoming more productive.
– Costs savings. For example, a much-quoted Cisco report from 2016 estimated that with a BYOD policy in place, companies save an average of $350 per year.
– Speed. It has been estimated that using portable devices for work can save employees 58 minutes per day (Samsung + Frost and Sullivan).
– Harnessing the skills of tech-savvy employees.
– Innovation by finding new, better, and faster ways of getting work done.
– Improved morale and employee satisfaction, and productivity gains.
– Reduced IT Dependence. BYOD typically means fewer IT-related issues for the business to deal with, therefore saving on IT resources.
Why Do You Need A BYOD Policy?
Having a BYOD policy is a way of ensuring that employees use the right, approved security practices when connecting to the company network. A BYOD is a document that outlines how employees (and who) are permitted to access corporate digital assets using their personal devices.
Setting out the company’s/organisation’s rules of acceptable use of the technology, how to operate it and how to protect the company from cyber threats in an enforceable BYOD policy, which employees must agree to comply with. For example:
– Protect the company/organisation’s infrastructure and data from cyber threats e.g., ransomware, hacking, data breaches.
– Ensure legal compliance and meeting contractual obligations.
– Enable the smooth running of flexible, remote and hybrid working.
– Give users the ability to use IT confidently and comfortably.
The essentials of a BYOD policy, and developing that policy, should broadly include the following:
– An audit of the existing system to establish threats, risks, and opportunities for using BYOD.
– Establishing goals for BYOD based on the audit.
Based on these two stages, a BYOD policy that works for both the business and the employee can be developed which could incorporate:
– A statement of the aims of the policy to help employees understand its purpose and importance.
– An outline of the scope of the policy i.e., who it applies to (which staff and/or third parties), and the systems it applies to.
– A definition of what constitutes the acceptable use of personal devices for business activities. This could include, for example, the types of supported mobiles/devices that have been approved by IT, and the approved security software that must be installed on the user’s device (mobile device/application management tools).
– Permitted and non-permitted tasks.
– Other security measures that must be taken e.g., password requirements, verification and encryption requirements, biometric security, and any time-out period to locking.
– User responsibilities relating to how their device is used when accessing the company’s/organisation’s network. This could include informing IT if they leave employment and compliance with relevant legislation (including not using BYOD while driving).
– A statement of who is responsible for cost, e.g. for the purchasing, running, repairing, and replacing of personal devices used in BYOD plus the nature of any incentives or cost reimbursements offered to employees who use their personal data plans in the course of using their device for work activities.
– The company’s/organisation’s position on liability for any loss or damage of personal devices and data used with BYOD.
– How monitoring will take place e.g., checking the make and model of devices and whether operating systems are up to date, and any spot checks. This statement could also include details of what IT personnel can access e.g., details on usage of corporate applications via the BYOD, not personal details.
– Control limits over devices e.g., whether they can be accessed and wiped remotely by managers.
– Details of enforcement measures, what happens if employees fail to comply with the policy e.g., access to BYOD services being withdrawn.
– A definition of the termination policy and an exit plan for employees who no longer wish to participate in BYOD.
There are many online resources providing guidance and help with BOYD and developing an effective policy. For example, both Microsoft and Google have provided online guidance for BYOD:
Also, there is the UK National Cyber Security Centre guide.
Solutions and Software
There are also many different solutions and software options to enable the management of BYOD. These include CrowdStrike Falcon for mobile, SolarWinds RMM, ManageEngine Mobile Device Manager Plus, AirWatch Workspace One, and more.
What Does This Mean For Your Business?
With remote working and hybrid working, having an effective, well-communicated and regularly updated BYOD policy in place has never been more important for businesses. It should be remembered that having a good BYOD in place doesn’t just help with security but can also facilitate improved productivity and can make for a smarter, more agile business. The starting point of developing a BYOD policy is a full assessment of the risks, challenges, costs, and resource implications, plus an understanding of its goals and benefits. An effective BYOD policy should be designed to work for both the employee and the business and be supported by appropriate and effective monitoring, feedback, and enforcement.