Whether you’re a small startup or an established organization – if you support BYOD, it is absolutely essential to have a BYOD policy. According to an article in the Wall Street Journal, an alarming 60% of companies "have no policy governing [the] use of employee personal device", which leaves them susceptible to a range of liabilities.
BYOD is a breath of fresh air to the traditional work environment, but it can introduce risk without the right policy in place. Resist the temptation to employ cookie cutter policies – a one-size-fits-all solution is simply not capable of conforming to your organization’s specific needs and business objectives. Instead, take the time to construct a tailor-made BYOD policy that properly addresses your company’s specific legal, liability, security, and cost concerns.
To help get you on the right track, here is a framework for building a comprehensive BYOD policy:
Clearly state the financial responsibilities of your company and the BYOD owner in the event a device is lost, stolen, or damaged.
Outline the financial responsibilities of your organization and the BYOD owner with regard to monthly service fees such as data, text messages, and call time.
List the range of devices your BYOD policy supports. Consider several factors, including manufacturer (e.g. Apple, Samsung, Nokia), model (e.g. iPhone 6, HTC One M8, Galaxy V), and operating system (e.g. Android, iOS).
State your policy on rooted or jailbroken devices – many organizations choose not to support such devices, as they can introduce additional security concerns into the enterprise.
Institute an approval process for new or updated devices that enter the market.
Rights and Responsibilities
Employees should expect to retain ownership rights over their device. However, because of the storage of sensitive corporate data, it may be prudent to require them to install certain OS updates or updates for specific enterprise mobile apps in order to retain a minimum level of security. Employees should also be responsible for informing the enterprise in the event their device is lost, stolen, or otherwise compromised. It is also worth addressing the corporate rights in the case of job abandonment, resignation, or separation.
No BYOD policy should give the enterprise access to a device owner’s personal data (e.g. private contacts, text messages, photos); this information should always remain private.
Corporate data that resides on an employee’s device should be managed at the app level rather than at the device level. This ensures that the employee’s rights as a device owner are not infringed upon. At the same time, it still allows the enterprise to manage sensitive information by updating, modifying, or even deleting corporate data from mobile enterprise applications through a console or interface that lies outside the device itself.
After developing a BYOD policy, ensure that all parties involved – BYOD employees and contractors, executive-level staff, IT – fully comprehend each component. Communication is key, so hold information and training sessions to explain and clarify your BYOD policy. Keep a forum open for BYOD employees to ask questions or raise concerns, and have them sign the policy once they’ve gone over it. In addition to addressing cost and liability concerns, having a meaningful BYOD policy in place means that all parties involved are on the same page, thus enabling your organization to gain more from its BYOD efforts.