What is a BYOD policy and what can it do for your business?
A BYOD (bring your own device) policy is meant to provide workers with easier access to emails, information and work-based services. With technology defining the way we now do business, it’s important to implement it to its maximum effect. However, at what point does the use of personal devices become a serious concern for your business?
In order to define what level of BYOD policy you should use, there are many considerations to take into account.
What Devices will you permit?
The first device most people think of when asked which of their own devices they use at work is the mobile phone. Both a positive and a detriment to many businesses, a personal mobile phone can give instant access to network and software services as well as providing a possible distraction. In addition to this there are tablets, smart watches and many more.
When considering what devices your BYOD policy will permit for your business, you have to consider what function these personal devices can have in the workplace, as well as how much of a security concern they are outside the workplace. For instance, thanks to cloud services, a laptop, mobile device or any smart device can access work emails, files and more as long as it has an internet connection. For businesses requiring people to work on the fly or from multiple locations, it is an easy way of communicating and working. However, what of the security risk? A common example is that many people do not password protect their phones, as they consider it an inconvenience. Therefore, should a device be lost, stolen or otherwise misappropriated, sensitive business data could be exploited or simply fall into the wrong hands. If you are a business with official sensitive data, this presents an unacceptable risk and could lead to dire consequences. With a successful BYOD policy that integrates with your security policies, you can ensure that these devices are a positive addition to your company.
What Security Policies should be implemented?
One of the basic security policies for all IT-related devices in the workplace is to set a secure password on every device. The same applies to any personal device permitted in the workplace. Any unprotected device that is connected to your network or web services can prove a real risk to your security. Therefore there should be a policy in place to ensure all personal devices accessing business apps or services are password protected. Under principle 7 of the Data Protection Act, employees must be trained to understand what responsibilities they hold with regard to customer data. This means a clear policy must be in place for personal devices, and all employees should sign to say they understand what their responsibilities are if they use personal devices in the workplace.
However, not all devices have to be smart devices. Simple devices such as USB devices can prove a major threat. As a USB device cannot be monitored and can take valuable data offsite, it can present a security threat. It can also contain malware or unauthorised software capable of disrupting your IT services. Therefore your security policies must proactively tackle these issues by first identifying what can be used, and what exactly it can be used for. Ways of doing this include adding administrative policies on work machines that refuse all data from, and all use of, these devices in USB ports.
What services are these devices allowed to use?
As all smart devices are capable of running advanced apps, you need to clarify what is acceptable in the workplace. The most obvious culprits to ban would be entertainment apps such as games, but have you considered streaming services? If you haven’t strictly banned streaming or downloads, then a major event like the Olympics could bring your internet speeds to a crawl. Because of issues such as these, you must set clear limitations on what the devices can do and what they can be used for. Once the boundaries have been set, and are monitored by your IT department, you can ensure that the risk and distraction the devices can cause to your business are minimised.
Acceptable use policy
Once in the workplace, regardless of whether or not employees are using a personal device, all actions over the network have an impact on the business. The reason for this is that most devices are going to be connected to your network via wireless or through a VPN connection. What does this mean for your company?
Every post made to a social media site, and every visit to a website deemed “non-acceptable for the workplace” by a device on your network, leaves a virtual footprint. Whilst it may be the employee's device that visited it, it is your company's IP address that is logged as the visitor. This can lead to dangerous consequences based on the content posted by your employee, for which your business could potentially be punished if you have no policy in place to protect against such infringements.
The things to consider in your BYOD policy that integrate into your acceptable use policy are as follows. The first and most obvious solution is to provide a work phone, which allows your employee to separate work from their everyday life. By only having their work phone connected to your network, you can better segregate the functions of their devices. The second is to set access privileges on your network to block certain websites, thus removing any risk of unacceptable content being posted. The third is to monitor all activity on your network, and set a clear policy of what use of your network is acceptable and the steps you will take to enforce it. By setting out what is a violation and giving a clear acceptable use policy to your employees, you can avoid almost all complications of the use of personal devices.
Who owns what data?
Once you have your policies set out, your device privileges managed and your network secured with regard to personal devices, there are only a couple more hurdles to consider. One of these is setting up a clear policy to determine who owns what data, and what rights the employee has to the data held on a personal device. This is important because many employees may have access to sensitive business data on the same device as their own personal data. If a personal device with company information is lost or deemed to be compromised, or you simply wish to have all external devices wiped of commercial information, you need a policy in place to cover this. Because of this, it’s important to have your employees sign a contract that allows you to wipe any and all data on a personal device that has had access to your sensitive data or network, thus removing any potential risk of the data being passed on. Once this is in place you should have security and management of all personal devices that connect to your workplace.
Employee termination
One of the final processes to consider is the employee exit strategy for your BYOD policy. Your exit strategy will reflect the policies mentioned above, and as such you must take steps to make the transition smooth both for the company and the employee.
As mentioned in the “What Security Policies should be implemented?” segment, if you have any sensitive data, business data or applications that need to be removed when an employee exits the company, you must have a contractual obligation in place for the employee to give you access. However, to make the transition smooth for the employee as well as for the business, it is encouraged that you have them back up all personal files, or agree a solution with your IT team to ensure an alternative arrangement is found or the information is backed up. If you have cloud email or network services that your employee accesses, it is important to disable all functions that are no longer necessary and change all passwords that they would have had access to. The final issue to consider in your BYOD exit policy is the handing back of all devices supplied for work-related use, which is by far the easiest and cleanest way of tying up any loose ends.
Conclusion
In conclusion, a BYOD policy is an essential part of the 21st century for all businesses, as it provides remote working capabilities, communication benefits and many more advantages to a company without any costs associated. Whilst there are of course many risks and factors to consider to make sure you limit any potential side effects, the positives of a successful BYOD policy are too great to ignore and help form the backbone of most modern businesses.