Guide to best practices for your BYOD policy

Our mission

Indeed’s Employer Resource Library helps businesses grow and manage their workforce. With over 15,000 articles in 6 languages, we offer tactical advice, how-tos and best practices to help businesses hire and retain great employees.


In today’s work environment, the separation between business and personal life can sometimes be blurred. This is particularly true if your business has adopted a BYOD policy. Bring your own device, also referred to as BYOD, is the practice of allowing employees to use their personal devices, often phones, for work-related activities. This article explains what a BYOD policy entails and provides some essential best practices for implementing one within your organisation. It also covers the risks and benefits of implementing a BYOD policy.

What does a bring your own device – BYOD – policy entail?

A BYOD policy helps businesses generate savings as they do not need to purchase a device for their staff. It also saves their IT teams time as they do not have to manage devices that would be owned by the company. The section below clearly defines what a BYOD policy is. It explains how it works as well as the benefits of having such a policy. Read on for a well-rounded view on BYOD policy.

What is a BYOD policy?

Bring your own device, commonly referred to as BYOD, is a policy that permits employees to use their personal devices for work activities. It often concerns smartphones and access to work email and the corporate network.

BYOD policies have boomed in the last decades due to the increase in connectivity. They bring benefits to both employers and employees: employers generate savings, and employees can use a single smartphone. The practice needs strong security systems to ensure data protection.

How does a BYOD policy work?

To be effective and to ensure there are no data breaches, it is essential that the organisation sets some rules and defines what is acceptable when it comes to BYOD. Cyber threats are common and need to be addressed when implementing such policies. Below are some tips to consider when implementing a BYOD policy in your business, which also shed some light on how it works:

  • Establish a security and data protection policy
  • Implement security controls including data encryption and strength of passwords
  • Define the type of accessibility permitted on personal devices
  • Implement timeout controls or auto-lock features
  • Identify which security apps should be installed on the personal device
  • Evaluate if the organisation is allowed to remotely wipe the business information from the device in case of loss, theft or contract breach.

The benefits of BYOD policies

As briefly mentioned above, bring your own device policies have benefits for both employees and employers. For employers, the need to purchase devices for staff no longer exists. In addition, their IT teams do not need to spend time on the purchase and management of the devices, which results in significant savings. For employees, on the other hand, the main benefit is convenience. Employees benefiting from BYOD policies do not need to carry two phones around; they have all the information they need on a single device.

The risks associated with BYOD policies

BYOD policies bring many benefits but are not without risks. It is important to be aware of these risks in order to anticipate them. With BYOD practice comes a lack of control for businesses. IT teams cannot fully access employees’ devices as this would be a data privacy breach. This is a pain point and leads to more opportunities for hackers, who may be able to access company data through employees’ personal phones. With this in mind, it is essential that businesses implement the appropriate data protection policies and apps, and provide guidance and training to their staff as well.

Another risk of BYOD policies concerns employees’ wellbeing. In the hyper-connected world we live in, it is easy to get trapped by our phones and never stop answering emails. Employees who work with colleagues or clients in different time zones might find themselves answering emails early in the morning or late in the evening. In the long run, this can have a negative impact on their wellbeing and work-life balance. On this too, businesses can provide guidance to their staff.

What are the best practices to implement when launching a BYOD policy?

If you are planning on implementing a BYOD policy within your organisation, here are some best practices to keep in mind. These best practices will ensure that both your business and your staff are protected, as they address security and compliance challenges as well as wellbeing guidance. Check out the recommendations below:

Have a formal written policy for BYOD practice

Having a formal BYOD policy in place is a no-brainer. It provides employees with a formal document and protects the business in the event of a behavioural breach. The policy should be written and should be widely communicated to employees. Below are some examples of the content to add to your BYOD policy:

  • A thorough list of devices permitted to use the policy
  • The operating systems allowed
  • The software that must be implemented under an approved BYOD programme
  • An explanation of what employees are allowed to do when using their personal phones for business purposes
  • The minimum security requirements
  • Mandatory processes in the event of loss, theft or other event when the device might be compromised
  • A statement highlighting that the organisation reserves the right to wipe the data and the circumstances in which this may apply
  • Any consequences in the event of policy breach
  • The signature of the employee testifying that they agree with the BYOD policy and its associated conditions

The above is not an exhaustive list of what your policy should include but forms the best practices to consider. Other content might relate to your organisation’s specific cyber security policies.

Educate and promote security behaviours

Organisations that have a BYOD policy should ensure that employees are regularly updated on the security elements of the policy and the behaviours expected from them. The security programme may include the following:

Standard device security

Remind employees of the standard cyber security procedures to follow. This might include anti-malware software.

Physical security rules

Physical security concerns the risk of the device being lost or stolen. Businesses should provide sufficient guidance to their employees on how to protect their phones to reduce the risks. These protection mechanisms might relate to passcode security, fingerprint scans and much more.

Education and awareness around scams

Providing training to staff using their personal phones for business use is highly recommended. These training sessions should cover cybercrime awareness, such as how to identify scam emails, fraudulent links, and much more.

Best practices on password use

Passwords and their strength are highly important. Provide employees with best practices for password selection. Passwords should be a minimum of 12 characters long and include letters and numbers as well as special characters. The chosen passwords should be unique as well.

The use of public networks

Educate your staff on the dangers of using public networks, where they might be subject to more risks. The general rule is that employees should not connect to public networks. However, if it is absolutely necessary for them to do so, they can encrypt their web activity using virtual private networks.

Ensure you incorporate this training and these communications into the onboarding process for new employees and that you deliver regular reminders to all employees using the BYOD policy.

Implement access restrictions

Access restriction means limiting what employees can do on their personal devices. The aim is to prevent access to data that is irrelevant to their jobs in order to minimise data leaks. In the event of a cyberattack, the cybercriminals will only be able to access a part of the data, thus minimising the risks for the organisation.

Ensure you have a clear process to add and to remove devices

It is essential that there are procedures in place when an employee leaves the business. Having a BYOD exit plan ensures that the employee’s accounts are removed and that the company’s apps are deleted. Any data that relates to the company should be wiped from the ex-employee’s phone. This process should leave the personal information of the employee untouched.

BYOD policies have proven to bring many benefits to both employees and employers. However, these policies should be used in a controlled environment with security procedures. They should also ensure that employees’ wellbeing and work-life balance are preserved.
