7 questions to consider about your BYOD policy


With smartphones in nearly every home, businesses must decide how mobile devices fit into their company's security practices and work procedures. In addition, the 2020 pandemic introduced a new remote workforce, many of whom used personal home computers for work.

The rise of personal devices for professional use raises the question: can employees use their own devices and still keep company data secure?

A Bring Your Own Device (BYOD) policy creates a baseline of acceptable use and acts as a safety net for the company, its information, and its employees.

For over 25 years, WEBIT Services has built effective cybersecurity procedures for hundreds of clients. It is passionate about using strategy and education to protect its clients.

By reading this article, you will learn what a BYOD policy addresses, why it matters, and seven questions that may help you understand, improve, or craft your own BYOD policy.

What is a BYOD policy?

A BYOD policy outlines company rules regarding employee-owned devices used to connect to company assets. Most often, the policy addresses mobile phones and laptops, but BYOD policies concern any device with memory and a hard drive.

Why do BYOD policies matter?

A BYOD policy seeks to protect company data, reduce risk, and address possible legal action regarding device misuse. It is included under the Data Protection section of the CIS security framework.

Personal devices are usually not configured to corporate security standards, yet under a BYOD policy they connect to the business network. This can introduce new security risks.

A BYOD policy also answers questions about how the device should be used and what the company should do with the company information on the device if the employee leaves the company or loses the device.

For example, suppose an employee adds their corporate email to a mobile phone they own. If the employee leaves the company, what happens to the business email and information on the phone? Can it be wiped? What happens if the company erases personal data, apps, or photos alongside the business files?

Situations like this could result in legal action if not outlined in the BYOD policy and procedures.

7 Questions to consider about your BYOD policy

As you reflect on your BYOD policy, here are seven questions to consider to help you better understand, update, or create your policy.

1. Do I have a BYOD policy?

Firstly, does your company have a BYOD policy? If it does, do your employees know about it? Is it enforced?

If you have a BYOD policy, it should be revisited annually and should be part of the onboarding process for all new employees.

Everyone should know how to use the device, what happens if it is lost or compromised, and what security practices they are expected to follow.

If you do not have a BYOD policy, how is your company currently handling personal device use? What are your current practices, and what would you like to formally change by implementing an official policy?

2. Who do I talk to about creating or changing a BYOD policy?

First, you must talk to your lawyer to see what policy guidelines they recommend to prevent legal action.

Afterward, talk to your human resources department for their expertise and input.

Finally, bring these recommendations to your IT provider or team and ask them what IT can do to bring this policy to life. Of course, if there are technical limitations, your IT team can let you know, and then the BYOD policy can be adjusted accordingly.

Your IT provider or team should be the final party to address the policy creation. It must work within the guidelines presented by legal and HR advisors.

Your lawyer will tell you the policy's legal ramifications. Your HR department will tell you how it fits into HR guidelines and other policies. And your IT provider or team will tell you what is technically possible.

3. What information is my company trying to protect?

Consider the information that will be accessed or saved on employee devices. The more confidential the data, the less it should be on personal devices.

Personal devices can be more challenging to protect and control because they may not be equipped with the same security tools and settings as business-owned and managed devices.

For example, suppose an authorized employee can access the company's secret product designs or recipes. If the employee stores these secrets on his personal phone and the phone is stolen, the company may have no way to remotely wipe the data to keep it out of cybercriminal hands.

However, if this employee has a company-managed mobile phone, the information can be wiped remotely in an emergency, protecting the data. Additionally, this phone would have no personal files as the company owns everything on a company-issued device.

4. What happens if the employee leaves the company?

Your BYOD policy should also address what happens to company data on personal devices if the employee is fired or leaves.

Your lawyer can tell you what information must be removed from the device. Your IT provider or team can tell you what tools can be used and any limitations.

If the employee uses company-issued devices, then all the information on the device is owned by the company and can easily be wiped.

5. What devices are covered in the policy?

Your BYOD policy should cover any personal devices employees can use to access your company's network.

Some companies are comfortable with employees using personal phones and computers.

Others permit employees to use personal phones, but the employees must use a company-provided computer.

Lastly, some companies require employees only to use company-provided and managed devices.

6. How do I want employees to use their equipment?

Your BYOD policy should outline the appropriate use of personal devices when accessing company data.

What programs or applications should they use? Will they have access to the company VPN or files from that device?

For example, if employees use personal mobile phones, they may be required to download company-approved apps like messenger and email services.

7. How much cost and risk am I comfortable with?

Understandably, your IT budget can play a significant role in determining your BYOD policy.

For instance, allowing employees to use their own computers may be appealing if a company does not have an IT budget to supply the devices.

However, you must also consider factors beyond the price of investing in company devices. Security and legal risks must be examined.

How do you know that the personal device is secure? To what risks could it expose your company?

For example, is this computer only used for work tasks, or is it also the family computer? Do other users have access to the company data, or are they visiting potentially dangerous sites?

If an employee accidentally downloads malware on their personal computer and then connects to your business network, they potentially expose your entire company to the malware.

What legal risks are associated with using personal devices for work?

The legal ramifications of personal device use must be discussed with your lawyer.

For example, suppose an employee uses a personal mobile phone for work and then leaves the company. Can you wipe only the company data and apps, or must you wipe the entire device? If you wipe the employee's phone, he could sue because you deleted his personal photos, emails, and more.

In the end, some companies may decide to budget for company-owned devices because they find the risk, and the cost associated with that risk, more expensive than the devices themselves.

Next steps for understanding, improving, or creating your BYOD policy

A BYOD policy aims to protect your company and its data on employees' personal devices.

If your company does not have a BYOD policy, speak with your lawyer and human resources department before contacting your IT provider or team. Your IT provider or team will help determine practical technological tools and processes to fulfill policy goals outlined by your lawyer and HR department.

Together, you can create an effective policy that protects both your business and your employees.

The policy should be reviewed and adjusted annually to ensure that it covers relevant procedures, uses, and concerns.

In reviewing your BYOD policy, you may ask yourself:

  1. What information is my company trying to protect?
  2. What happens if the employee leaves the company?
  3. What devices are covered in the policy?
  4. How do I want employees to use their equipment?
  5. How much cost and risk am I comfortable with?

For over 25 years, WEBIT Services has helped hundreds of clients build successful IT strategies and processes while utilizing effective technology.

If you are looking for a new IT provider, schedule a free 30-minute consultation to see how WEBIT can help.

If you're not ready to talk to our team of experts but would like to learn more about IT strategies and services, we recommend the following articles: