Do You BYOD? Make Sure You Have A Clear Policy

The rise of tablets and smartphones within the world of business has led to improved productivity and efficiency. Allowing employees to use their own devices offers a cost-effective way of providing flexibility and mobility.

BYOD (Bring Your Own Device) is the practice of allowing employees to use their own devices (smartphones, tablets, laptops) for work purposes. This may mean they literally bring their own devices into the workplace, or use their own equipment while working from home.

While there are obvious benefits to this – cost and convenience – there are also various potential issues that need to be addressed in advance in order to ensure everyone is protected, in terms of privacy, security and legality.

Create a BYOD policy

First things first, make sure you have a BYOD policy. A dedicated policy governing this area of your company is prudent and important, as it creates a set of rules that you and your employees need to stick to. Identify the risks that arise between the organisation, its employees and third parties, and create your policy document accordingly.

Set out the terms of use and best practice for personal devices within the workplace. Even if a device is only used for personal purposes, if it connects to the company network it potentially makes the entire network vulnerable.

The types of devices that may or may not be used for work purposes should be included in the policy, as well as the rights to access these gadgets, arrangements for support and maintenance, tracking, monitoring and the potential for remote wiping.

Responsibility and data ownership

BYOD is often seen as a big cost saver, as employees will generally be using their own smartphones and tablets for work purposes. However, it can cause problems if a device is compromised or stolen, or if a dispute arises over who owns the contents of the device and who is responsible for it.

Make sure your policy is crystal clear regarding who is responsible for lost or stolen devices and the data contained on those devices. What would be the procedure if an employee's device were hacked, resulting in the theft of company data – or worse, if a hacked employee-owned device were used as an entry point to all the computers on your company network?

Are employees responsible for their own support and maintenance, or will your IT department handle this for personal devices if they are used for work purposes?

The answers won’t be the same for every business, but clarifying them in your policy means there is no ambiguity should the unthinkable happen. Although it’s an additional cost to you, it may be prudent to be involved in the protection of employee-owned devices, particularly if your company deals with sensitive information or customer details, as you will be able to add encryption and other security measures.

Data security and confidentiality

These are two major concerns when it comes to bringing personal devices into an organisation. SMEs understandably fear the issues that can be created by data being leaked or stolen, and by the fact that personal devices may be used by others outside of the organisation, breaching confidentiality.

Losing a device that holds sensitive information presents a major risk for businesses and it is the responsibility of the firm to protect this information. There have been numerous news stories in the last few years about laptops and USB thumb drives containing sensitive data being lost or stolen. How can you avoid this happening in your company?

A lost storage device, smartphone or tablet may expose your sensitive information and breach confidentiality obligations you have with third parties, which can have a dramatic impact on contracts and future business relationships, let alone the possibility of legal issues.

Mobile device management (MDM) software allows companies to manage an entire fleet of mobile devices from one place, with many of the solutions providing ways and means of removing corporate data from devices remotely.

This has proved to be a sticking point in many organisations, as members of staff are often unwilling to allow their company to remove data from their smartphones or tablets. If you make it clear from day one that this is crucial to allowing the use of mobile devices, it should smooth the process and add an extra layer of security to your operation.

Implementing BYOD within your organisation can be a minefield, but it’s worth seeking technical and legal advice in advance so that you avoid much bigger problems down the road.