Recent studies have indicated that the vast majority of workers today expect to be able to use their own mobile devices for work. The bring-your-own-device trend has several key benefits for organizations, including reduced costs and increased worker productivity. Still, it also creates security risks that many organizations have never faced.
When multiple employees are accessing sensitive company networks and data using multiple devices, it’s important to have a clear and comprehensive BYOD policy that explains any limitations on acceptable use, which applications are banned, and what happens in the event the device is lost or stolen. Unfortunately, several surveys indicate that almost 50 percent of organizations that allow BYOD do not have formal policies.
If your organization does not have a policy regarding employees’ mobile devices, it’s important to implement one to protect your data. While there are many points that such a policy should cover, the following are the most important things to consider when developing your rules.
Specify the Types of Devices That Are Acceptable To Use For Work
The first step in any BYOD policy is determining which devices are okay. While BlackBerry used to be the standard for workers on the go, today, there is a wide range of choices, from Android-powered devices to iPads and everything in between. Certain devices may need to be banned from your network depending on the security protocols you have in place. Some solutions allow you to secure access from devices across multiple platforms, but others do not. Next, inform employees which device types and operating systems are acceptable for use on the company networks.
Establish Minimum Security Requirements
When employees use their mobile devices to access corporate networks, sensitive data lands on those devices. Your BYOD policy should outline the strict security protocols you expect from employees, including complex password-only access, firewalls, antivirus apps, and any other measures you deem necessary.
Employ Applications Management
While employees own the devices they use for work under a BYOD plan, they must understand that their ownership does not guarantee total freedom to download any application they wish. The BYOD policy should outline which applications are permitted and which are banned. Some applications can freely access data on the phone, which could present security risks; other applications are either poorly written and create security loopholes or are dangerous malware that will jeopardize the network. Inform employees exactly which applications are okay to download – and when they need to seek approval.
Develop an Exit Strategy For Separation, Loss, or Theft
It can happen to anyone – they drop their phone in a parking lot, or their tablet is stolen from their bag or vehicle. While it’s inconvenient and problematic for anyone to lose their device, the stakes are even higher when it contains sensitive corporate data. Your BYOD policy needs to clearly outline what happens in the case of loss or theft – whether the phone will be locked or wiped – and what employees can do to protect their data. The policy should also cover what happens when an employee leaves the company and how you will handle the data on the personal device.
Establish Acceptable Use
Chances are the devices and equipment your company owns are governed by acceptable use policies. For example, employees may be unable to use Facebook from a company computer, and certain websites are banned. But how will those policies extend to personal devices? Your policy needs to outline what is allowed when using the device on company networks, how the activity will be monitored, and the consequences for violating the policy.
These are just a few important points that your organization’s BYOD policy needs to address. Other topics of concern include reimbursement, how much service the IT department will provide on devices, and who owns the apps and data on the phone. Starting with these five points, though, will get your policy on the right track and prevent BYOD from turning into a “Bring Your Own Disaster” at your company.