If you are here reading this blog post, perhaps you have been charged with implementing your company’s BYOD program and need to brush up on BYOD core principles, or maybe you are brand new to the subject and simply curious about what BYOD is all about. Whatever the reason for stopping by, our hope is that after reading this post you walk away with a clear understanding of BYOD core principles and can use it as a resource to refresh your knowledge and educate others.
Bring-Your-Own-Device policies, commonly referred to as BYOD policies, can be summed up as a set of rules, notices, and agreements that a company and its end-users must follow when end-users are permitted to access company systems and data using personal mobile devices. It is important to remember that personal mobile devices are non-company-issued devices and are the exclusive property of the end-user. When personal devices are introduced to the company’s network, the company’s network security responsibilities must expand to encompass the non-company-issued endpoints controlled by staff.
At its core, the purpose of a BYOD Policy is to establish a framework of clearly defined roles, rules, and responsibilities that ensure the protection of company data, reputation, and systems.
Development of BYOD Program
A well-written BYOD policy establishes clarity and transparency, allowing the security needs of the company to be met while respecting the privacy rights of the end-user.
BYOD policies can range in complexity based upon industry, company maturity, and available resources, but at the core there are four main ideas that should be addressed within the program to achieve a well-rounded BYOD risk management approach. The company should have clear guidance concerning (1) Devices and Support, (2) Acceptable Use, (3) Security, and (4) Disclaimers.
Devices and Support
In a commingled environment where personal devices are permitted to access sensitive data and systems, network security and data protection can be stretched beyond their limits. A sound BYOD policy should outline which devices are permitted to access the network. Security controls such as anti-virus protections, VPN functionalities, and general device management can become impossible to manage if devices that are incompatible with those controls are allowed on the network.
Acceptable Use Policy
After a concise list of devices has been established, end-users must be given guidance on the proper use of these devices to maintain security. Acceptable use guidelines should include topics such as password minimum requirements, permitted browsing activity, social media posting, and data storage.
Security Escalation & Notification
Be sure to address worst-case scenarios. Who is responsible for monitoring threats, and who is responsible for reporting? End-users need to know who to contact, when to contact them, and what key information to communicate should a security threat affect their personal device.
Disclaimers and Agreements
Include in the policy any rights the company wishes to exercise concerning the end-user’s device. If the company wishes to exercise the right to remotely wipe the device, the company must advise the end-user of this fact prior to the end-user’s device being wiped. If the end-user is responsible for backing up their data in the event of a remote wipe, this should be communicated to the end-user via policy. Any other binding agreements the end-user accepts by using their personal device should be conspicuously outlined within the BYOD policy.
Why Bring Your Own Device?
To be short and sweet, BYOD provides the benefits of reduced costs and increased convenience. A rhetorical question from operational leadership that I have often heard in my role as a compliance executive is, “Why budget for the purchase of devices when the devices have already been purchased by the end-users?”
Smartphones, tablets, and laptops help us to remain plugged-in and productive on-the-go. Whether you are riding the train into the office or sitting at your dining room table working remotely, armed with a mobile device and a decent internet connection, you can successfully access company systems like email, file storage, and core operating programs from anywhere on the planet. Those who work remotely can now work with the same productivity level as an employee sitting in the office working from a company-issued desktop computer.
Implementation of a solid BYOD policy in combination with a robust BYOD management solution places an organization in the best position to reap the benefits of the BYOD model while mitigating security risks. BYOD management solutions can greatly reduce threats of non-compliance and provide an oversight mechanism that makes management of the company’s BYOD program easy to handle. When evaluating a technology partner, be sure its solution is compatible with the devices used by your stakeholders.