In today’s workplaces, it’s becoming increasingly common for employees to use their personal digital devices for work-related purposes. According to data from Tech Pro Research, as of 2016, 59 percent of US companies permitted the use of personal devices for and at work. A further 13 percent were planning to allow this practice in the near future.
In this context, a detailed, carefully-crafted Bring Your Own Device (BYOD) policy is essential for companies of all sizes to put in place. Implementing one of these policies is a vital step in ensuring the security of company networks and data, as well as the privacy of individual employees. A BYOD policy helps protect companies against risk by clearly outlining the rules, rights, and responsibilities associated with the use of personal devices for work.
The contents of a BYOD policy will vary with the needs of the individual company. In general, however, every BYOD policy should include these eight important things:
1. A Clear Introduction
The success of a company’s BYOD program greatly depends on employee buy-in. As a result, it’s critical that employees understand the importance of the BYOD policy and the reasons why it is being implemented.
Beginning the BYOD policy with a clear introduction set out in straightforward, easy-to-understand language will help achieve this. The introduction should cover key points like intended use and important framework guidelines. It should also describe the context in which the BYOD policy is being developed (such as current threats to data security and risks to sensitive corporate information).
2. List of Permitted Devices and Firmware
Employees use a wide variety of mobile digital devices in their personal lives, but not all of them will be suitable for use at work. For example, older devices, or devices running older firmware, may lack critical security updates. As a result, their use could compromise the security of a company’s network.
To limit these risks, the BYOD policy should include a list of supported devices and firmware. Further, it should specifically prohibit the use of devices not on the list.
3. List of Permitted Apps
Malware-infected mobile apps are on the rise. This means that companies need to be vigilant not only about what devices are allowed in the workplace, but also about what apps those devices can run. Including a list of permitted, as well as prohibited, apps in the BYOD policy is therefore an important risk mitigation step.
In addition, companies may need employees to install some apps for use in the workplace that they don’t currently have on their devices. Examples include Slack or other team communication apps. These required apps should be included on this list as well.
4. BYOD Security Policy
Security is the main priority of a BYOD policy. This means that the policy should outline security measures in place and describe the security steps that employees must follow in order to use their devices in the workplace.
These steps may include registering devices on the company’s mobile device management platform; using a screen lock password; regularly updating device firmware; encrypting corporate data; and blocking offline access to sensitive corporate documents.
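The device, firmware, and app requirements from sections 2 to 4 can be expressed as a single enrollment check. The following is an added example, not code from the original article or from any particular mobile device management product; the policy values, app identifiers, and device records are constructed for illustration.

```python
from dataclasses import dataclass, field

# Constructed BYOD policy for this example: permitted models with the minimum
# firmware/OS version each must run, plus prohibited and required apps.
POLICY = {
    "permitted_devices": {"Pixel 7": (13, 0), "iPhone 13": (16, 4)},
    "prohibited_apps": {"com.example.sideloaded-vpn"},
    "required_apps": {"com.slack"},
}


@dataclass
class Device:
    """Inventory record as an MDM platform might report it (hypothetical shape)."""
    model: str
    firmware: tuple          # (major, minor), compared as a tuple
    screen_lock: bool
    encrypted: bool          # corporate data storage is encrypted
    mdm_enrolled: bool
    apps: set = field(default_factory=set)


def evaluate(device: Device, policy=POLICY) -> list:
    """Return every policy violation found; an empty list means the device may enroll."""
    findings = []
    min_fw = policy["permitted_devices"].get(device.model)
    if min_fw is None:
        findings.append(f"device model not on permitted list: {device.model}")
    elif device.firmware < min_fw:
        findings.append(f"firmware {device.firmware} below required {min_fw}")
    if not device.mdm_enrolled:
        findings.append("not registered on MDM platform")
    if not device.screen_lock:
        findings.append("screen lock not enabled")
    if not device.encrypted:
        findings.append("device storage not encrypted")
    for app in sorted(device.apps & policy["prohibited_apps"]):
        findings.append(f"prohibited app installed: {app}")
    for app in sorted(policy["required_apps"] - device.apps):
        findings.append(f"required app missing: {app}")
    return findings


if __name__ == "__main__":
    # Constructed sample records: one compliant device and one with several gaps.
    ok = Device("Pixel 7", (14, 0), True, True, True, {"com.slack"})
    stale = Device("iPhone 13", (15, 7), False, True, True, {"com.example.sideloaded-vpn"})
    for d in (ok, stale):
        print(d.model, evaluate(d) or "compliant")
```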
5. Data Ownership Policies
To avoid future disputes or legal issues, a BYOD policy should clearly state that any corporate data on a personal device is and remains the property of the company. This section will also typically include the proviso that the company has the right to wipe personal devices brought onto the corporate network.
However, it’s usually a good idea to provide guidance and support to employees on how to separate personal data from corporate data. Companies can also provide information regarding how employees can back up their personal data. An effective mobile device management platform is very helpful for this task.
6. Acceptable Use
This section of the BYOD policy governs how employees should and should not use their personal devices at work. For example, an acceptable use section would typically prohibit activities like accessing illegal online content or disseminating inappropriate material while using the corporate network. In order to enforce acceptable use, it’s also important for companies to consider what tools are in place to monitor device activity.
7. Device Decommissioning
An effective BYOD policy must include an exit strategy. This details what will happen to the device and the data on it when an employee leaves the company, or if a device is lost or stolen.
Points to consider include removing access to company e-mail, and wiping corporate data, proprietary applications, and other company information from the device. It’s very important to outline these procedures clearly. That way, there is no guesswork involved when, for example, the difficult decision to remotely wipe a lost device must be taken.
8. Disclaimer with Signature Section
Don’t forget that a BYOD policy is only effective if employees acknowledge that they have read it and accept its terms! Before a device can be enrolled in a company’s BYOD program, employees must be required to read through the BYOD policy in full, and to sign indicating their acknowledgment.