Key Considerations for Establishing a BYOD Policy

Mobile - Other
  • Smaller Small Medium Big Bigger
  • Default Helvetica Segoe Georgia Times

Bring Your Own Device is considered a lower-cost way to equip employees with mobile devices for business. Before you go that route, there are numerous issues of which to be aware.

The proliferation of mobile devices is transforming the way we live our lives and, similarly, the way we do business. Mobile devices can make employees more productive and more motivated, as well as help streamline many routine business operations.

It's generally accepted that there are three ways any enterprise can approach mobile devices: ignore them and endure the risks of employees using them clandestinely, bite the budgetary bullet and equip anyone who needs one as a means of controlling device use as much as possible, or the "compromise" position of adopting a Bring Your Own Device (BYOD) policy. Particularly for smaller companies, BYOD can reduce costs by letting each employee use their device of choice (although it's wise to limit the choice to a select list), and there are numerous other benefits.

However, rather than debating the pros and cons of each approach, let's assume your enterprise has decided on BYOD. To make the advantages outweigh the risks, the experience of early adopters of BYOD has shown it's best to establish a strong and comprehensive policy from the outset, train all staff in the policy's use and implications, and enforce the rules once you've formulated them.

Getting Ready for BYOD

Before you start that, you should first assess the size of the task. Is your corporate culture ready for using mobile devices and adapting to the blurring between work and home life that will inevitably follow? How open are your employees to a BYOD policy?

You should lay the groundwork for such a policy by being completely clear about its implications. Begin by deciding which employees really need mobile devices to better perform their jobs. Document the present workflow between those employees. Understand whether there are any regulatory rules for your kind of business (e.g., GLBA, HIPAA, PCI-DSS) or the corporate roles of those using the mobile devices (e.g., SEC). Think about what apps these employees will need to access, how well they follow rules right now, and how difficult it might be to support those who might frequently be on the road.

Be aware that the federal Fair Labor Standards Act, employment laws in your state, and other legal considerations might come into play. For example, non-exempt employees checking email after hours can qualify as overtime. Consider not letting exempt employees access company services after hours. Suppose your company is involved in litigation. If there are electronic discovery requests, that could affect files stored on employee devices.

Next, decide what your IT department policies about BYOD are going to be. How responsible for maintaining and supporting employee-owned devices is your IT department is going to be? When employees have a hardware or software problem at the office, it'll be the course of least resistance to turn to IT. If the answer is "not much," what's your official attitude going to be if an employee is gone for several business hours consulting with his or her personal provider? Will IT troubleshooting extend to personal apps if their malfunction is preventing use of the device for business purposes? Will you offer loaner devices if a BYOD is out of commission?

What BYOD devices will be allowed? What configurations will be permitted? Should certain corporate apps be placed out-of-bounds for remote device access because of potential (e.g., iOS) porting security or wireless downloading limitations?

It would be ideal to handle device or application connectivity through a VPN, which gives IT control over access. (The last thing anyone wants is a BYOD user accessing company files from an unsecured WiFi hot spot at an airport coffee shop.) Is that an option?

Decide how you will handle device OS upgrades, which can be frequent. (Ignoring them really isn't a good idea because updates include security patches and other improvements.) If you want to export specific enterprise apps to mobile devices, or update them, IT needs a way to do it that involves as little employee participation as possible to ensure that function actually takes place today (instead of falling victim to busy employee intentions to do it "tomorrow").

What About Security?

What security policies will you require? Antivirus software for each device, surely. Two-factor authentication? Strong passwords? Periodic password changes? Early BYOD adopters learned that complex passwords are trouble, so think about a four-digit PIN for accessing the device itself (requiring re-entry if the device is inactive for a set period, say five or ten minutes) and a more complex password for accessing data. Employees should also be required to encrypt company data stored on a device in case of unauthorized access. Prohibit offline access to highly sensitive or secure docs because downloading them to a device risks hacking or other intrusions. You'll also need a way to back up employee-generated files and data from remote devices.

Part of adopting a BYOD policy will include the need to reassure employees that the company won't somehow access their personal data, which could include personal emails and messages, photos, usernames and passwords for non-business activity, personal contacts, financial data, and medical information. But then, what happens if a device gets stolen or destroyed? The company will need a remote wipe or disable capability, but the downside of that is using it will wipe out employee personal data as well. Employees must understand this potential, and they should be trained in how to back up personal data and apps so they're not lost if the device has a catastrophic problem.

The most common answer to this particular difficulty is partitioning, sometimes also called containerization. The idea is to set up two partitions on the mobile device, one for business, another for personal. Then, if the need for deletion arises (the above situations, or the employee leaves the organization), just the business partition contents can be wiped out.

Speaking of departing employees, there should be a policy and operational checklist established for that eventuality. This should include removing network access, disabling email, and removing company files from a device.

There are software packages that can help with many of the challenges just outlined. Various flavors include enterprise mobility management (EMM), mobility device management (MDM), mobile application management (MAM), and mobile content management (MCM) software packages. EMM and MDM products generally offer the administrative tools like partitioning, remote wiping, encryption, and connectivity controls that deal with the challenges stated above, plus features like logging suspicious events. MAMs can encrypt apps and data before they're broadcast to devices and also let IT whitelist (i.e., make a list of the only approved URLs a device may access) or blacklist (i.e., make a list of forbidden URLs, but good luck thinking of them all). MCMs let the enterprise push apps and data to devices without employee participation and can let employees store data on their devices with authentication access. It's beyond the scope of this article to go into more detail, but there are numerous products in all these categories that can cure these and other administrative headaches. Individual products may include features from any of these categories. Other tools, like Google Apps, can control which devices can access email and limit what a particular device can do.

What you shouldn't do is install on employee devices an agent that monitors all communications because this is probably a violation of federal wiretapping laws. Found so last year by the U.S. Sixth Circuit Appeals Court, the present ruling says injured employees can sue both their employer and the maker of the software. While this may one day be overturned, do you really want to be the test case for your circuit? Don’t do this; instead, use agentless options for BYODs.

What about consultants? Intellectual property created by them doesn't belong to the employer the way work created by a direct employee traditionally does, so consultant contracts will need to address this issue if the consultants are going to be BYODing.

Will there be an employee reimbursement for BYOD devices to cover part of the device cost or monthly data charges? Industry practice varies widely—some companies offering this, some not, and some allowing those costs to be expensed rather than directly reimbursed.

Don't forget to include mobile devices in your periodic testing of business continuity plans.

And finally, it's a good idea to require periodic reauthorization of all mobile-device users.

Writing the Employee Rulebook

So now you're finally ready to write the formal rules for employees to follow. This will bring you up against a sticky paradox. On the one hand, the policies should address every point mentioned in this article that you feel is pertinent to your enterprise. On the other, experience with early BYOD adopters shows that policies need to be as simple as possible; otherwise, employees won't follow them. Worse yet, you have to try to anticipate as many scenarios as you can so you don't later have to take away what employees will have come to view as privileges.

Another important concept to understand is that it's going to be the employees themselves who will be the prime enforcers of BYOD policy, not the IT department or line managers. Therefore, the staff must understand the rules, specifically be trained in them, and sign a document that states that they acknowledge them. Maintaining a Q&A about policy on the company intranet is recommended as new situations arise that need clarification.

Enterprises should consider having the rules include acceptable-use policies, forbidden actions, and even some common-sense admonishments. Customized rogue devices can load malware and should be banned. Forbid texting while driving. Device losses must be reported as soon as possible. If you are using administrative software that includes a device locator, employees should be told that their whereabouts can be scoped.

How explicit do you want to be about accessing games, Facebook, and recreational websites? What if employees illegally download pirated music or movies? What if they transmit sensitive or inappropriate material, even inadvertently?

What are the consequences for violating these policies? Do there need to be different consequences for different types and levels of violations? These should be spelled out rather than left for judgement after the fact.

Early on, IT should audit mobile-device activity carefully to watch for non-compliance, and you should commit to re-evaluating procedures every 6-12 months. It's just a plain fact that with mobile technology morphing as fast as it is, and user savvy with it, a "set-it-and-forget-it" BYOD policy could become as obsolete as Barack Obama's Blackberry before you know it.

Moving Forward

While there appear to be many pitfalls, BYOD is a viable policy that can save enterprises significant money in the long run. It's just a matter of being smart about setting up policies and procedures in advance and sticking to them.

The following links offer a few templates for setting up policy rulebooks and similar documents, including one from IBM, which can give you some models for getting started.