Many companies are embracing a bring your own device (BYOD) policy. The BYOD trend can help attract and retain talented team members, but it needs to be implemented with network and information security in mind.
What Is a BYOD Policy?
A bring your own device (BYOD) policy is becoming common for many companies because it’s not nearly as easy for businesses to keep pace with the rapid advances in technology as it is for individuals. That means employees often have more recently updated devices, and they would like to use them for work, as well as for personal reasons.
The arrival of white-collar millennial workers into the workforce is driving this change. Millennials are accustomed to using their own devices whether it is for work or play. To help recruit and retain millennials, companies are welcoming their employees to use their own tablets, laptops and smartphones, rather than devices purchased by the company.
But with this change come a multitude of legal, compliance and security issues to be considered. If you are asking yourself "Do I need a BYOD policy?", the answer is yes, you do. A well-designed BYOD policy can address the concerns of both the employer and employees.
Advantages of a BYOD Policy
Creating an effective BYOD policy takes effort and planning. But that should not be a deterrent, because there are many advantages to having one, not the least of which is saving a significant amount of money.
Computers and other devices are not cheap. A business-grade computer typically costs $1,000 to $3,000. At those prices, a company that outfits 30 employees with individual computers could spend $30,000 to $90,000 every few years upgrading to new equipment.
Allowing employees to use their own devices would help offset those costs, or even eliminate them completely. And most employees are happy to use their own equipment because it’s more convenient. A BYOD policy means they don’t have to worry about not having a work computer handy when it’s needed.
There are even more reasons for employers to embrace having a BYOD policy. These include:
- Increased productivity. When employees don’t have to keep switching between personal and professional equipment, they can be more productive with their time.
- Employee retention. So many employees these days are used to working for companies with BYOD policies, that it may be a deal breaker for businesses that don’t have one, not only with current employees but with prospective job candidates, as well.
- Proactive management. A study by the Pew Research Center showed that over 75 percent of Americans own smartphones. They are likely to use them for professional reasons, whether or not their employers have a BYOD policy, which could cause a world of trouble. By getting in front of potential problems with an airtight BYOD policy, a company can proactively set the rules and avoid major network and information security problems.
Critical Components in Creating a BYOD Policy
Bring-your-own-device guidelines can vary from company to company, but they generally have three critical components:
- There must be a clearly written policy that details all of the responsibilities of the company and the employees.
- All users must sign an agreement stating they have read the policy completely and thoroughly understand it.
- There has to be some type of device management software (for example, a mobile device management, or MDM, platform) that can see and control every device capable of connecting to the company's network.
While each organization can add further stipulations according to their needs, these three components should always be part of any BYOD policy.
Key Features in Creating a BYOD Policy
For network and information security, company management must plan ahead before allowing their employees free rein of the organization’s network with their own tablets and smartphones. Some of the questions to consider while a BYOD policy is still in the planning stages are:
- Should employees be restricted to certain apps or web browsers? If so, which ones?
- How much support should the IT department be expected to offer?
- What type of security tools are available to protect the wide variety of devices that will be connecting to the company’s network?
- Will the company contribute to the cost of devices or the device/data plan? If so, how much?
- Will the employer use location-based tracking, or any other type of monitoring? If so, the BYOD policy should clearly state when such monitoring will be employed and for what purpose.
To ensure that nothing falls through the cracks, input should be solicited company-wide, from all employees who will be affected by the policy. In addition to the C-suite, accounting, HR, legal and IT should all contribute to creating the policy.
When developing a BYOD policy, employers should try to anticipate any issues that might arise during implementation, and make sure that the policy is comprehensive enough to address them, while also ensuring network and information security.
BYOD Policy Samples
Your company must clearly define what it considers acceptable business use. These will be activities that support the business either directly or indirectly. Guidelines might include:
- Blocking access to particular websites during business hours and while employees are connected to the company’s network. The list of websites, or types of websites, should be provided to employees.
- Information on whether camera capabilities on employee devices, including video, must be disabled while on company premises.
- Restrictions on storing or transmitting proprietary information or illicit material on personal devices, and on using them for business activities other than the employee's own work tasks.
- A detailed list of which apps employees will be allowed to use while at work, such as productivity or weather apps, and if any are prohibited, such as Facebook or TikTok.
- Information on allowable access to company-owned resources such as calendars, email, documents, internal networks, etc.
- A policy of zero tolerance for emailing or texting while driving and that only hands-free talking is permitted while driving.
BYOD Security Policy Examples
It is crucial that devices be protected with strong passcodes to prevent unauthorized access. For network and information security, it is equally important that access to the company's network requires strong passwords and, wherever the platform supports it, multi-factor authentication.
The password requirements often suggested for BYOD policies are a minimum of six characters containing uppercase and lowercase letters, symbols and numbers, rotation at least every three months, and no reuse of any of the previous 15 passwords. Treat these as a floor rather than a target. Current guidance (NIST SP 800-63B) puts length ahead of composition rules: require at least eight characters, encourage longer passphrases, screen new passwords against lists of known-breached passwords, and prefer rotation on evidence of compromise over a fixed calendar schedule, since forced periodic changes tend to produce predictable variations of the old password.
Other options for maximum protection of the company’s interest would be:
- If the device is idle for five minutes, it must automatically lock itself and require a PIN or password to be unlocked.
- The device will lock automatically after five failed login attempts and IT must be contacted to regain access.
- iOS devices that are jailbroken and Android devices that have been rooted are denied access to the network. (Jailbreaking and rooting remove the operating system's built-in restrictions to give the user, and any malware on the device, privileged access. That defeats app sandboxing and other platform protections the company is relying on, and such devices usually stop receiving the vendor's security updates.)
- Any app that is not on the company’s list of approved apps will automatically be prevented from being downloaded or installed by employees.
- Any tablet or smartphone that is not listed by the company as a supported device will not be allowed to access the company’s network.
- An employee's access to the company's network and data will be limited according to role-based user profiles defined and automatically enforced by the IT department, so that each user can reach only the resources their role requires.
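The controls listed above are normally enforced by an MDM platform or an access gateway rather than by hand. As an added illustration written for this article (not code from the article's author or from any MDM vendor), the following Python evaluates a device posture report against those rules and produces an allow/deny decision with the reasons. The posture field names, the supported-model list, the approved app identifiers and the sample devices are all constructed for the example, and the password minimum is set to 12 characters rather than the six mentioned above, an assumption in line with NIST SP 800-63B's emphasis on length.

```python
"""BYOD compliance checks as code (illustrative example, not a vendor's implementation)."""
import hashlib
import hmac
import os
import re

# Policy parameters. Values follow the article's examples except the password
# minimum, which is raised from 6 to 12 (assumption; NIST SP 800-63B favours length).
POLICY = {
    "min_password_length": 12,
    "password_history": 15,            # none of the previous 15 passwords may be reused
    "max_idle_seconds": 5 * 60,        # auto-lock after five minutes idle
    "max_failed_unlocks": 5,           # lock after five failed unlock attempts
    # Assumed supported-device list; a real policy would name the company's own models.
    "supported_models": {"iPhone14,2", "iPhone15,3", "Pixel 7", "Pixel 8"},
    # Assumed approved-app identifiers (bundle / package IDs) for the example.
    "approved_apps": {"com.example.mail", "com.example.chat", "com.example.weather"},
}

PBKDF2_ITERATIONS = 600_000  # OWASP's current recommendation for PBKDF2-HMAC-SHA256


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest) for a password, for storing password-history entries."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def check_password(password: str, history: list) -> list:
    """Return the password rules a candidate violates (empty list means it passes).

    `history` holds (salt, digest) pairs of the user's previous passwords, newest
    first; only the most recent POLICY["password_history"] entries are compared.
    """
    problems = []
    if len(password) < POLICY["min_password_length"]:
        problems.append("shorter than %d characters" % POLICY["min_password_length"])
    classes = {"uppercase": r"[A-Z]", "lowercase": r"[a-z]",
               "digit": r"[0-9]", "symbol": r"[^A-Za-z0-9]"}
    missing = [name for name, pattern in classes.items() if not re.search(pattern, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    for salt, digest in history[: POLICY["password_history"]]:
        # Re-derive with the stored salt and compare in constant time.
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            problems.append("reuses one of the previous %d passwords" % POLICY["password_history"])
            break
    return problems


def evaluate_device(device: dict) -> tuple:
    """Decide whether a personal device may reach company resources.

    `device` is a posture report of the kind an MDM agent submits; the field
    names here are assumptions for this example. Returns (allowed, violations).
    """
    violations = []
    if device.get("jailbroken_or_rooted"):
        violations.append("device is jailbroken/rooted")
    if device.get("model") not in POLICY["supported_models"]:
        violations.append("unsupported model %r" % device.get("model"))
    idle = device.get("idle_lock_seconds")
    if idle is None or idle > POLICY["max_idle_seconds"]:
        violations.append("auto-lock not set to %d seconds or less" % POLICY["max_idle_seconds"])
    failed = device.get("failed_unlock_limit")
    if failed is None or failed > POLICY["max_failed_unlocks"]:
        violations.append("failed-unlock limit not set to %d or fewer" % POLICY["max_failed_unlocks"])
    unapproved = sorted(set(device.get("installed_apps", [])) - POLICY["approved_apps"])
    if unapproved:
        violations.append("unapproved apps installed: " + ", ".join(unapproved))
    return (not violations), violations


# Constructed posture reports for two hypothetical devices.
SAMPLE_DEVICES = {
    "compliant-iphone": {
        "model": "iPhone15,3", "jailbroken_or_rooted": False,
        "idle_lock_seconds": 120, "failed_unlock_limit": 5,
        "installed_apps": ["com.example.mail", "com.example.chat"],
    },
    "rooted-pixel": {
        "model": "Pixel 7", "jailbroken_or_rooted": True,
        "idle_lock_seconds": 600, "failed_unlock_limit": None,
        "installed_apps": ["com.example.chat", "com.example.social"],
    },
}

if __name__ == "__main__":
    for name, posture in SAMPLE_DEVICES.items():
        allowed, why = evaluate_device(posture)
        print(name, "ALLOW" if allowed else "DENY", why)
    print(check_password("Short1!", []))
```

Running the script denies the rooted Pixel for four separate reasons and allows the iPhone. Keeping the rules in one place like this makes it straightforward to show an employee exactly which setting on their own device blocked access, which is the practical difference between a policy that is signed and a policy that is followed.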
The company may wipe an employee’s device remotely if:
- It is lost or stolen.
- IT detects a policy violation, a data breach, malware or some other threat to the company's network and information security or technology infrastructure.
- The user’s employment is terminated.
Samples of BYOD Policy Risks/Liabilities/Disclaimers
The company will take every reasonable precaution, through its IT department, to avoid having to wipe an employee's device and cause the resulting loss of personal data. Employees nevertheless remain responsible for measures of their own, such as backing up all of their data, email and contacts.
Employee responsibilities will include:
- Reporting lost or stolen devices immediately to the mobile carrier, and to the company within 24 hours.
- Strictly following the company’s policy regarding accepted use.
- Always using a device in an ethical manner.
- Assuming full liability for all risks, including (but not limited to) any loss of personal or corporate data due to malware, viruses, bugs, errors, operating system crashes or other hardware or software failures, including any programming errors that might render a device unstable or unusable.
Additionally, the company reserves the option to:
- Disable services or disconnect devices without advance notification.
- Take any disciplinary action it considers appropriate for noncompliance with its BYOD policy, up to and including employment termination.
Employee Concerns About BYOD Policies
The main concern for most employees is that a BYOD policy might lead to a loss of their privacy. Employees are often afraid that their employers will obtain inappropriate access to their health and financial data, as well as to their personal contacts, photos, videos and other types of information.
Another fear is losing all of their personal data in the event that the company deems it necessary to wipe their devices. Even if none of the previously mentioned circumstances occurs, their devices will almost certainly be wiped if their employment is terminated, even if voluntarily.
One possible solution is for the company to use mobile device management (MDM) technology to separate work data from personal data in a managed container, such as a work profile on Android or managed apps and accounts on iOS. The employer can then see, control and, if necessary, selectively wipe only the company's data, which limits its access to personal content and also makes it easier to apply security measures consistently.
Employer Concerns About BYOD Policies
Employers, on the other hand, have many thorny issues to contend with.
- Security issues. Unfortunately, employees can be the greatest security threat to a company's long-term survival, which is why the biggest concern around BYOD policies is security. Many people do not protect their smartphones, tablets or even their laptops with passcodes, and the devices employees bring in may lack a screen timeout or automatic lock. Other major concerns are employees losing their devices, sharing them with their children, or reaching company systems over unsecured public Wi-Fi networks. Any of these increases the risk that the firm's business data will be exposed to unauthorized disclosure or deletion.
- Legal challenges. There are also a number of legal issues which could arise when employees are able to use their own devices. It can make it easier to defame the company, its vendors, customers, competitors or their own coworkers. It might also allow them to harass subordinates or their coworkers by phone, text or on social media. Another concern regarding a BYOD policy is whether business records that are stored on the personal devices of employees have been saved for a long enough time to meet the requirements of electronic discovery requests during litigation. Adverse consequences for the employer may also result during litigation if the company fails to produce required information because it was not retrieved from an employee’s personal device.
- Labor issues. A BYOD policy could open a business to labor issues, as well. The federal Fair Labor Standards Act, and state wage and overtime laws all contain provisions that might be triggered when non-exempt employees are requested to use their own devices for work purposes.
Another area of concern is that employees who are using their own devices will be able to engage in work activities such as responding to text and email messages outside of their normal working hours.
Need Help With BYOD and Network and Information Security?
If you need help navigating your company’s BYOD policy, contact the team at BrightFlow Technologies. We have helped dozens of companies manage the risks while aligning with zero trust architecture.
We typically provide step-by-step configuration guidance that your IT team can use to quickly set up and manage access to your data from personal devices. A strong BYOD policy aligned with zero trust lowers the barriers to work for your remote workforce. It enables them to work and meet online no matter where they are, while keeping network and information security top of mind.
Enable your company to better operate and compete in today’s business environment. To learn more, get in touch with us today.