5 Key Points to Consider in Establishing Your BYOD Policy
Bring Your Own Device, or BYOD, is the policy of allowing employees to use personal devices for work purposes; it’s rapidly replacing the old paradigm of company-owned and company-issued devices. It used to be that if you wanted to connect to company networks or access company data, you needed to use a company-issued device to do it. But with the ubiquitous adoption of smartphones, tablets, and laptops, and the increasing role they play in the management of everyday life, for most workers being issued work-specific hardware means the inconvenience of carrying and using redundant devices.
Leveraging the devices and related competencies employees already have means less overhead for the company and the opportunity for some employees to work remotely who might not otherwise receive a company-issued device. But the chief concern from a business perspective is security. How do you maintain the integrity of your network, protect your data, and keep employees accountable in a BYOD workplace?
Despite these concerns, an increasing number of organizations are allowing BYOD, with 81% of businesses either currently allowing it or planning to in the coming year, according to Syntonic. What’s needed are rigorous and well-defined BYOD policies designed to address the legitimate security concerns while taking advantage of the benefits of BYOD—because holding back the tide in the face of such strong employee preference may be a losing battle.
Whether or not your company has a defined BYOD policy, in the absence of an explicit ban employees are using personal devices for work purposes anyway. More than half of employees (53% according to CITO Research) feel more productive using personal devices for work, a sentiment confirmed by a Frost & Sullivan study that found personal devices increased productivity by 34%, saving the average worker almost an hour a day.
The upside is too great to ignore. Employees prefer to use the devices with which they’re most familiar, saving them the time and energy required to tackle the learning curve of new hardware or a new operating system. Here are five elements of an effective BYOD policy that balances the need for security with the advantages of BYOD:
Password policy. Any device accessing or storing company data needs to adhere to your existing password policy. We strongly recommend using a business-class password manager with enterprise functionality (such as LastPass). A password manager creates and stores strong passwords for all your accounts, which are then accessed with a master password. Enterprise password managers allow you to give employees access to shared company passwords as well as the ability to create and maintain their own work-related passwords across all their devices—all while maintaining company oversight and access in the event of an employment dispute.
Endpoint security. Employees need to agree to install and maintain antivirus/antimalware software, like Sophos, on any devices used for work purposes. This software should be provided by the company in accordance with your cybersecurity policy, and your IT department needs to notify and assist staff with updates when necessary.
Remote data purge. Devices used under your BYOD policy and containing company data need to have the ability to be remotely wiped should they become lost or stolen. Employees should be required to notify management immediately in such an event and perform a remote data purge if directed to do so.
Compensation. Your BYOD policy should be clear when it comes to the expectation of compensation when using a personal device for work. How much, if any, of the cost of the device or ongoing data plan will be shared by the company? We recommend a standard monthly stipend to offset the cost of the employee’s data plan for those explicitly required to use their device for work, and software or services required by the policy should be provided by the company.
Termination of employment. There should be an agreed-upon process for the decoupling of employee devices from company networks and services and the purging of company data in the event the employee leaves the company for whatever reason. This will necessarily involve the scheduled and temporary surrender of any devices used under the policy while your IT department verifies the data has been purged and previous access to company resources has been rescinded.