What to consider in developing BYOD policy

Why Have a BYOD Policy?

In today’s work environment, employees are increasingly expected to be constantly available and communicating. Regardless of whether the company permits it, employees will use their personal devices for work. Instead of ignoring the inevitable, companies should develop and implement a BYOD policy that protects the company and balances productivity with security. Brandon N. Robinson, partner in the Privacy and Data Security Practice at Balch & Bingham LLP, provides some tips.



Before developing a BYOD policy

A BYOD program has three parts: securing the mobile devices themselves, managing the mobile environment, and addressing application risk. Before writing the policy, identify your primary goals. They could include securing company information, increasing usability and productivity, and reducing time-wasting (e.g., Facebook, Twitter, YouTube, etc.) and inappropriate web use.


Assess regulatory risk

Talk to the legal and human resources departments in each part of your geographic footprint to understand the state, local and foreign data privacy and security laws that apply. Where those laws differ, consider sub-policies or procedures that expand on the general BYOD policy as needed. Include the various stakeholders (human resources, IT, management, and legal) when developing the policy, so that what you write can actually be implemented.


Privacy governance

Reserve the right to audit devices and to access company information stored on them. Make sure employees are aware of this in advance, so that there are no hiccups when the company needs access in a time-critical situation.


Payment structure

Does your organization pay the phone bill or give stipends for monthly use? How are data overages addressed?



Stringent security policy for all devices

Require strong, alphanumeric passcodes, not four-digit PINs. Include rules about which devices are permitted to access the internal network. Define how long a device may sit inactive before it locks, and enforce these settings technically rather than relying on the employee to set them.


Data ownership and recovery

Who owns what data and apps? What happens when a device is lost or stolen: can the company wipe it (which also wipes personal photos, apps the employee paid for, etc.)? BYOD policies should make clear that you assert the right to wipe devices brought onto the network under the company plan. If your mobile device management product supports a selective (enterprise) wipe that removes only managed apps and company data, state which kind of wipe applies in which situation. Who owns the phone number, which can be valuable in sales roles?

Permitted devices

What devices are allowed: iPhone? Android? Tablets?


What sites can you visit?

Applications. Which apps will be allowed or banned? Which websites will be blocked? This should cover social media, VPNs, remote-access software, etc.

Integration with the Acceptable Use Policy. Your workplace may not allow social media, objectionable websites, or conducting a side business. What if an employee connected through the VPN posts to Facebook, or transmits inappropriate material from a personal device over the company network? How will you monitor and enforce these policies on personal devices, and what rules are you legally able to set?


Specify level of tech support for BYOD devices

Will IT help with connection issues, broken devices, or apps installed on personal devices? Will there be a help desk? Will support be limited to “wipe and reconfigure”? How will you handle loaner devices?


Address employee exits

When an employee leaves the company, how will you remove their access and recover or remove company email and proprietary data from the device?

  • Disable email remotely?
  • Disable synchronization access?
  • Wipe the device completely?
  • Wipe the device, but back up personal photos and personally-purchased applications?
  • Work with the employee, but reserve the right to wipe the device completely if necessary?


Review, monitor, revise

Periodically check what is working, what needs to be scrapped, and whether better monitoring or enforcement is needed. Train, train, train. The more aware employees are of their company’s policies, the safer the company and the stronger the environment of trust.


Be proactive in securing devices

  • Install mobile updates (or include a requirement for timely updates in the BYOD policy). Mobile OS updates regularly fix security vulnerabilities, and an unpatched device remains exposed to publicly known flaws.
  • Don’t permit jailbroken or rooted devices. Jailbreaking disables the platform’s built-in protections, and apps installed from unregulated sources often contain malware.
  • Use mobile device management. These services can secure smart phones and tablets over-the-air, define security settings, manage work content, and enable wireless pushing of updates or apps.
  • Enforce passwords and password requirements. This is crucial for lost or stolen devices.
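The device requirements above (alphanumeric passcode, auto-lock timeout, current OS, no jailbreak, MDM enrollment) are only useful if someone checks them. The following is an added example, not code from the article or from any MDM vendor: a Python script that audits a device inventory export against such a baseline and reports the devices that fail. The JSON field names, the sample devices and the numeric thresholds (8-character minimum passcode, 300-second auto-lock, minimum OS versions) are all assumptions made for the example; a real MDM product has its own export schema and the thresholds belong in your policy.

```python
"""Audit an MDM device inventory export against a BYOD security baseline.

Added example, not from the article or any MDM product. The inventory
schema below is a constructed, hypothetical JSON export.
"""
import json

# Baseline thresholds (assumed values for the example; set them in policy).
BASELINE = {
    "min_passcode_length": 8,            # characters
    "max_autolock_seconds": 300,         # 5 minutes of inactivity
    "min_os_version": {"ios": (16, 0), "android": (13, 0)},
}

# Constructed sample export: one compliant device and three with findings.
SAMPLE_INVENTORY = json.dumps([
    {"id": "dev-001", "user": "alice", "os": "ios", "os_version": "17.1.2",
     "passcode_type": "alphanumeric", "passcode_length": 10,
     "autolock_seconds": 120, "jailbroken": False, "mdm_enrolled": True},
    {"id": "dev-002", "user": "bob", "os": "android", "os_version": "12.0",
     "passcode_type": "numeric", "passcode_length": 4,
     "autolock_seconds": 900, "jailbroken": False, "mdm_enrolled": True},
    {"id": "dev-003", "user": "carol", "os": "ios", "os_version": "17.0",
     "passcode_type": "alphanumeric", "passcode_length": 8,
     "autolock_seconds": 300, "jailbroken": True, "mdm_enrolled": True},
    {"id": "dev-004", "user": "dave", "os": "android", "os_version": "14",
     "passcode_type": "alphanumeric", "passcode_length": 12,
     "autolock_seconds": 60, "jailbroken": False, "mdm_enrolled": False},
])


def parse_version(text):
    """'17.1.2' -> (17, 1, 2); non-numeric suffixes such as '14b' are ignored."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_at_least(found, minimum):
    """Compare version tuples, padding the shorter one with zeros ('14' == '14.0')."""
    width = max(len(found), len(minimum))
    return (found + (0,) * (width - len(found))) >= (minimum + (0,) * (width - len(minimum)))


def check_device(dev, baseline=BASELINE):
    """Return a list of human-readable findings; an empty list means compliant."""
    findings = []
    if not dev.get("mdm_enrolled"):
        findings.append("not enrolled in MDM (policy cannot be enforced or device wiped)")
    if dev.get("jailbroken"):
        findings.append("jailbroken or rooted device")
    if dev.get("passcode_type") != "alphanumeric":
        findings.append(f"passcode type is {dev.get('passcode_type')!r}, alphanumeric required")
    if dev.get("passcode_length", 0) < baseline["min_passcode_length"]:
        findings.append(f"passcode length {dev.get('passcode_length')} below "
                        f"minimum {baseline['min_passcode_length']}")
    autolock = dev.get("autolock_seconds")
    if autolock is None or autolock > baseline["max_autolock_seconds"]:
        findings.append(f"auto-lock {autolock}s exceeds maximum "
                        f"{baseline['max_autolock_seconds']}s (or is disabled)")
    minimum = baseline["min_os_version"].get(dev.get("os"))
    if minimum is None:
        findings.append(f"unsupported platform {dev.get('os')!r}")
    elif not version_at_least(parse_version(dev.get("os_version", "0")), minimum):
        findings.append(f"OS {dev.get('os_version')} older than required "
                        + ".".join(str(n) for n in minimum))
    return findings


def audit_inventory(json_text, baseline=BASELINE):
    """Return {device_id: [findings]} containing only non-compliant devices."""
    report = {}
    for dev in json.loads(json_text):
        findings = check_device(dev, baseline)
        if findings:
            report[dev["id"]] = findings
    return report


if __name__ == "__main__":
    for dev_id, findings in audit_inventory(SAMPLE_INVENTORY).items():
        print(f"{dev_id}: " + "; ".join(findings))
```

Run against the constructed sample, the script flags dev-002 (numeric 4-digit PIN, 15-minute auto-lock, outdated Android), dev-003 (jailbroken) and dev-004 (never enrolled), and stays silent about dev-001. The point of the enrollment check is that every other control depends on it: an unenrolled device is one the company can neither configure nor wipe when the employee leaves.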




Ryan Francis — Managing Editor

Ryan Francis is managing editor for Network World and CSO. He can be reached at rfrancis@idgenterprise.com.