Why Policies Are an Essential Part of Any BYOD Strategy

Most people think of cybersecurity as locking users out of particular systems or keeping them away from certain types of data. But truly good security is more about enabling users to work where and how they want, and accomplish tasks seamlessly and efficiently.

This typically involves allowing employees to bring their own devices into the workplace and use them while mobile or remote. The right security tools and processes help ensure that organizations maintain compliance and control over their data while giving users the freedom and flexibility that comes with BYOD.

However, an effective BYOD strategy requires more than security tools. Organizations need to establish policies and procedures to ensure that employees are using their devices effectively. The right policies address not only security and compliance but a number of legal and human resources issues.

Interested In Learning More?

Personal Mobile Devices Are Here to Stay

The term “bring your own device (BYOD)” entered the corporate lexicon around 2010 as organizations began to evaluate how to deal with growing employee use of personal mobile devices for work-related tasks. At the time, companies debated whether they should permit employees to use mobile devices at work. IT departments were ill-equipped to manage, secure and support the vast numbers of devices brought into their organizations.

Of course, there is no longer any debate. Mobile phones are now the preferred business communication tool, with studies finding that more than 90 percent of workers use one for work every day. In an Oxford Economics study, 80 percent of business leaders reported that employees can’t do their jobs effectively without a mobile device. Nevertheless, organizations need to exercise a certain degree of control over the BYOD environment.

Three Must-Have BYOD Policies

BYOD policies should be customized to address the organization’s business, legal and regulatory risks and the ways employees use their personal devices. That said, there are three essential policies for any BYOD program.

Appropriate use policies outline when and how employees can use their devices. The “when” is more important than it might seem at first glance, particularly with regard to hourly employees. Companies have been sued for unpaid wages because employees were checking their email after hours and there wasn’t a policy around this particular use case. Appropriate use policies should also discuss access to inappropriate content and unapproved applications.

Acceptable device policies detail the types of devices that are permitted in the workplace. While this policy should allow for as much flexibility as possible, it’s reasonable to exclude devices that are jailbroken or so hopelessly out of date that they cannot support security software and mobile device management agents. Don’t stop with mobile devices — equipment such as rogue Wi-Fi hotspots should be addressed.

Monitoring policies inform users of the types of monitoring that will be performed by IT and/or management. IT should monitor devices to ensure compliance with security and data use policies. Management may choose to implement monitoring tools to evaluate productivity and accountability. However, employee privacy should be carefully considered.

Ensuring Acceptance and Compliance

Draft policies should be circulated to key stakeholders to assess clarity and alignment with corporate governance. Once adopted, policies should be communicated across the organization, and procedures established to oversee implementation and compliance.

Mandatory training should also be implemented to ensure that users understand the importance of the policies and how to follow them. Effective training can go a long way toward preventing the kinds of misunderstandings that result in noncompliance and legal issues.

DeSeMa can help organizations define and assemble policies, coordinating the efforts of the HR, legal, compliance and IT teams. We can also help them utilize the right technology tools to enforce these policies across the extended enterprise. The right policies, combined with the right tools and processes, can enable greater flexibility and efficiency while boosting the organization’s security posture.