BYOD: A Written Policy
On the surface, BYOD (or “Bring Your Own Device”) seems simple: let employees bring their own tablets and smartphones to work. Save a bundle on hardware. Keep your staff happy and more productive at the same time. But while it may have gone on “under the radar” for quite some time, BYOD is a trend in the modern business world that can no longer be ignored.
Here’s why BYOD is a major issue: mobile computing devices have significant computing power and often operate outside of network policy rules. These devices revolve in and out of networks every day. Devices can carry malicious apps, vulnerabilities, or malware. Mobile devices are insecure endpoints connected to the world. If an unprotected, unauthorized computer can do it, a mobile device can, too, and you’ll never know it.
Yes, BYOD offers many advantages to a business, but it is certainly no simple matter. A written policy is your first line of defense, and it’s absolutely essential in protecting both corporate and individual interests. It seems BYOD may be unavoidable, but you can minimize security risks (and your staff’s frustration) by clearly outlining the procedures the personnel will follow and by detailing which activities are acceptable and which are prohibited.
Tolar recommends the following 10 topics be covered in your company’s BYOD policy:
- Is there a subsidy for users who provide their own equipment? If so, what is the process for purchasing said equipment?
- Who is financially responsible for the data and voice plans? Is the cost entirely passed on to the employee? Are the costs shared? How?
- Which mobile platforms are recommended (or required) for connecting to company resources? Some businesses rely on applications or Mobile Device Management systems that may only be compatible with certain devices.
- What security measures need to be in place on the device? Are there password requirements? Are certain applications required or prohibited? Are there legal regulations with which users must comply? Should employees create separate business and personal profiles on their device?
- To what networks should the employees connect while using the device for business purposes? How will network password changes be shared? Do mobile devices access the network separately from desktop machines and servers?
- What constitutes acceptable use of the device? Are certain websites or applications off-limits during business hours? What are the consequences of violating the policy?
- Who is responsible for maintenance and upkeep of the technology? Is this primarily the employee’s responsibility? Or will the I.T. department play a role in managing the device?
- To what degree will the employee’s activity be monitored on the device? Will this take place through Mobile Application Management (MAM)? Are there circumstances under which the company would view Internet history or delete personal data?
- What steps will the company take if the user’s device is lost or stolen? Will the company lock the apparatus or erase the data, including personal files and photos?
- What measures will be taken if the employee resigns or is terminated? How will the business reclaim its data and restrict access to company files and applications?
When corporate security is your destination of choice, careful consideration of these questions is paramount. And while a written policy can’t guarantee absolute protection, it can certainly pave the way. After all, the train goes where you lay the tracks.