8 tips to develop a BYOD policy that actually gets used

8 tips to develop a BYOD policy that actually gets used

As Bring-Your-Own-Device (BYOD) strategies become more prevalent among forward-thinking organisations, it is interesting to note that the strategy itself has been largely driven by users, rather than by IT. Frequently-travelling executive teams find mobile devices convenient, while users outside the executive team find it inconvenient to manage multiple devices, brands, operating systems, passwords, data profiles and so on. As a result, often, IT’s hand is being forced.

The benefits, however, are undeniable. Few business strategies enable a notable reduction of capital and operating expenditures, while simultaneously delivering an improved user experience. As some commentators are suggesting, if you’re not implementing this now, you soon will be.

The BYOD Policy

Possibly the reason for the reticence from IT comes from the knowledge that quite aside from finding the right softwares to connect devices, there is a significant amount of work to be done on a BYOD policy, not to mention legal review, education, and systems to support. Without these, companies will expose their networks to vulnerabilities and IT management nightmares.

This may leave you questioning how best to create and implement such rules for your business. Wonder no more. Here are the top 8 directives for creating a truly effective BYOD Policy.

1) Decide on your devices

Enabling a range of the most popular platforms like Android, iPhone and Blackberry is good practice. It caters to the largest population without attempting the impossible. What’s really important here is employee communication. Make it clear which devices you will support, as well as which corporate devices you’ll continue to deploy (and, of course, which you won’t).

Additionally, you’ll need to ensure that employees are clear on what to do about connectivity issues or hardware failures. For example, what level of support will be provided for initial connections to your network from personally-owned devices? What about for broken devices?

2) Define terms for acceptable use

Terms for acceptable use simply define the kinds of user behaviours that are acceptable and which are not. You should already have some policy material for this section if you’ve had corporate-issued mobile phones and laptops on your network.

However, now the question of what happens if employees access objectionable websites on the device’s VPN arises. The rules of conduct need to be clearly communicated in all such instances, making users fully aware of the boundaries.

3) Make a plan for which apps will be allowed, and which will not

In your policy, you can both approve and blacklist certain apps to help maintain the security of your network. However, your BYOD policy should contain more than a static list, it should contain information about IT’s authority to blacklist certain types of apps as they become more aware of what is out there.

Consulting business stakeholders is important during this phase of policy development to ensure no functional requirement is overlooked. From HR, to Finance, Legal, the executive team and users, it is useful to understand exactly the kinds of apps each department will need to perform their roles efficiently.

Naturally, you’ll want to implement a process whereby IT can configure all devices before they connect to your network.

4) Secure and protect your network

When employees attach personal smartphones or tablets to an organisation’s network, it is possible for malware to migrate from the personal device to company machines, and for sensitive or proprietary data to migrate from the network to the personal device.

Security policies should therefore categorise information into various classes of sensitivity, and define the circumstances under which approved users might access sensitive information as well as what to do in the event of a security breach.

In terms of everyday information-management, data needs to be purposefully governed to give users access to only the information they need to do their jobs, and the policy should be clear about the use of any antivirus apps and other security software and firewall settings.

Furthermore, your users should be kept aware of the moral imperative (and legal requirement) to safeguard data that the company entrusts to them.

5) Respect your employees’ privacy

While security is a concern of the organisation, privacy concerns are abundant for users in a BYOD arrangement. Mobile phones, for example, contain data that a user would assume is private, and that does not want accessed or used by the organisation.

The question you’ll need to answer is whether you will include a clause in your policy that declares your organisation not access, use or mine the personal data available on your employees’ personal devices.

These kinds of rules are essential so a BYOD policy provides a good excuse to review your overall security policy.

6) Decide on commercial terms

Some companies offer reimbursements to employees for a percentage of the cost of the device. Others agree to pay employees a small allowance. If you want to offer such reimbursements, you need to calculate the amount of the device or data plan you might pay. Such terms will ideally be included in your BYOD policy.

7) Document your users’ exit process

When employees leave your organisation, can you rely on disabling email or access as part of your HR exit process? Or would you prefer to make it a mandatory requirement that IT can wipe an employee’s personal device before exit? If such a strategy is going to be mandatory, it is good practice to offer users timely help to back up the personal data (e.g. photos or applications) prior to wiping the device. This process should be clearly outlined in your BYOD policy.

8) Gain agreement 

There is little point in having a comprehensive policy to protect you and your users if nobody reads it. It is therefore advisable to get all BYOD users to sign a document saying they have read and understood your BYOD policy, prior to getting them onto the network.

Do remember to consult stakeholders within your own organisation, as well as seek legal advice when producing such documents.

Having a BYOD strategy with no BYOD policy is just asking for a raft of IT management and security issues. These 8 directives should help you be clear about what users can and can’t do with devices on your network, to protect both you and the user. As all of your employee’s devices will be connected to the internet, it’s best to be up to date on the latest cyber security threats. You can learn from other’s mistakes in our ebook, Cautionary tales: Cyber security and the Internet of Things. Download it today.

New Call-to-action