The bring your own device (BYOD) trend has been gaining traction across the global workforce for around a decade now. More recently, the onslaught of the Covid-19 pandemic further cemented this trend into workers’ day-to-day lives.
With the prevalence of remote work, it’s more convenient than ever for employees to use their personal devices for various work purposes. This makes their lives easier, and it can save your organization money when implemented and managed correctly.
If you choose to allow BYOD and you want to empower your employees to use their personal devices for work as securely and efficiently as possible, you need to create a BYOD policy for your organization. The BYOD policy can be a sub-policy that fits into your overarching remote work policy, or it can exist as its own entity.
Once you have identified your business goals, analyzed existing policies, and taken some time to understand potential BYOD use cases, you’re ready to create the BYOD policy itself.
Get started by following these guidelines:
- Establish the scope of the policy.
- Dive into privacy protection.
- Outline security and compliance initiatives.
- Simplify the sign-up process.
- Establish reimbursement guidelines.
- Plan for ongoing maintenance.
- Write your policy down before implementing it.
1. Establish the Scope
Begin creating your BYOD policy by laying out the exact scope of what it covers. The scope needs to include the types of devices and operating systems allowed, as well as who owns the phone number associated with a mobile device used for work calls, how and when any necessary training will take place, and a list of permitted apps and software (or a list of any blacklisted tools).
These are just some of the items that need to be checked off in a BYOD policy — tailor your policy to your organization’s specific needs in whatever way makes sense to you.
When listing out the devices and operating systems that are allowed to be used in your BYOD program, consider your current technology and tools — can you only manage Windows devices with your current setup? If this is going to be a big issue, you might need to consider moving to a device management platform that supports a wider range of devices.
On top of that, find out what kind of devices employees already use, as well as their device preferences. You might not be able to support every single device, especially the more obscure ones, but asking these questions will help you determine your support capabilities and prioritize the most popular choices. All of this information will help you set the scope of your policy and troubleshoot any potential problems before they arise.
To make personal devices manageable, specify that jailbroken and rooted devices are prohibited. Add to the policy that a mobile device management (MDM) tool will be used to verify that a device is compliant before the user is able to access your networks and resources from it, and outline what steps will be taken to bring a non-compliant device back into compliance.
2. Protect Privacy: Separate Personal and Company Data
If your employees have any concerns about the BYOD policy, they’re likely going to revolve around privacy. To mitigate these concerns while protecting your organization, use the BYOD policy to explain what data will be monitored on different devices, and how you will segregate personal and organizational data.
Personal data should go into its own bucket and be left untouched and unmonitored by the company. Don’t forget to specify who owns the information on the device and exactly what counts as personal data and what counts as organization-owned data. Further, in the event that a device is lost or stolen and needs to be wiped, it’s important for employees to understand that their personal data could be erased along with the company data.
Data storage is another item to add to your BYOD policy. Specify where data will be stored — either locally or in the cloud. If you choose locally, explain how data separation is ensured to protect privacy. This will likely include the use of an app or data management tool to properly and securely segregate personal and business data.
By showing employees exactly what you will and will not monitor as well as how you will monitor data, you will build an important layer of trust while keeping your organization safe and protecting user privacy.
3. Compliance and Security Initiatives
In terms of what employees need to know about other BYOD security and compliance initiatives, your policy should include a list of device policies you plan to use.
Some example policies include:
- Password complexity requirements.
- Password change interval.
- Session timeout and lock screen.
- Multi-factor authentication (MFA).
- Single sign-on (SSO).
- Remote wipe.
- Least privilege access.
This section of your BYOD policy can include any device or access policies that users need to be aware of. Whatever you include, be sure to explain that any unauthorized device will be flagged and will not be allowed to connect to your networks or access organizational data, which is what makes your BYOD sign-up process so important.
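The MDM compliance gate mentioned in the scope section and the device policies listed above amount to one mechanism: a device's reported posture is compared against the written policy, and only a device with no findings is allowed onto company resources. The following is an added illustration, not the article's own material or any vendor's product: a small compliance evaluator in Python. Every threshold in POLICY (minimum OS versions, passcode length and age, lock timeout) and every device record in SAMPLE_DEVICES is a constructed assumption, and the posture attribute names are hypothetical; a real MDM exposes its own schema.

```python
"""Added illustration, not the article's own material: a toy compliance gate that
models the check an MDM tool performs before a BYOD device may reach company
resources. Policy thresholds and device records are constructed examples."""

from dataclasses import dataclass
from typing import Dict, List, Tuple


def parse_version(text: str) -> Tuple[int, int, int]:
    """Turn '16.4' or '13' into a comparable (major, minor, patch) tuple."""
    parts = [int(p) for p in text.split(".")]
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])


# Constructed policy values: the article names these controls but sets no numbers,
# so every threshold here is an assumption made for the example.
POLICY = {
    "min_os_version": {"ios": "16.0", "android": "13.0", "windows": "10.0"},
    "min_passcode_length": 8,
    "max_passcode_age_days": 90,
    "max_lock_timeout_seconds": 300,
    "require_mfa": True,
    "require_remote_wipe": True,
}


@dataclass
class DevicePosture:
    """Posture attributes an MDM agent would report for one enrolled device (hypothetical names)."""
    device_id: str
    platform: str
    os_version: str
    rooted_or_jailbroken: bool
    passcode_length: int
    passcode_age_days: int
    lock_timeout_seconds: int
    mfa_enrolled: bool
    remote_wipe_enabled: bool


def evaluate(device: DevicePosture, policy: dict = POLICY) -> Tuple[bool, List[str]]:
    """Return (compliant, findings). Each finding names the policy item the device
    fails, which is the list IT would hand the user as remediation steps."""
    findings: List[str] = []
    minimum = policy["min_os_version"].get(device.platform.lower())
    if minimum is None:
        findings.append(f"platform {device.platform!r} is outside the BYOD scope")
    elif parse_version(device.os_version) < parse_version(minimum):
        findings.append(f"OS {device.os_version} is below the minimum {minimum}")
    if device.rooted_or_jailbroken:
        findings.append("rooted or jailbroken devices are prohibited")
    if device.passcode_length < policy["min_passcode_length"]:
        findings.append(f"passcode shorter than {policy['min_passcode_length']} characters")
    if device.passcode_age_days > policy["max_passcode_age_days"]:
        findings.append(f"passcode older than {policy['max_passcode_age_days']} days")
    if device.lock_timeout_seconds > policy["max_lock_timeout_seconds"]:
        findings.append(f"screen lock timeout exceeds {policy['max_lock_timeout_seconds']} seconds")
    if policy["require_mfa"] and not device.mfa_enrolled:
        findings.append("MFA is not enrolled")
    if policy["require_remote_wipe"] and not device.remote_wipe_enabled:
        findings.append("remote wipe is not enabled")
    return (not findings, findings)


def gate_access(devices: List[DevicePosture], policy: dict = POLICY) -> Dict[str, str]:
    """Map each device id to 'allow' or 'deny'; only a device with no findings passes."""
    return {d.device_id: ("allow" if evaluate(d, policy)[0] else "deny") for d in devices}


# Constructed sample inventory: a compliant phone, a rooted out-of-date phone,
# and a laptop whose platform the policy does not cover at all.
SAMPLE_DEVICES = [
    DevicePosture("phone-01", "ios", "17.2", False, 8, 30, 120, True, True),
    DevicePosture("phone-02", "android", "12.0", True, 4, 200, 900, False, True),
    DevicePosture("laptop-03", "linux", "6.5", False, 12, 10, 300, True, False),
]

if __name__ == "__main__":
    for device in SAMPLE_DEVICES:
        ok, findings = evaluate(device)
        print(device.device_id, "compliant" if ok else "non-compliant", findings)
    print(gate_access(SAMPLE_DEVICES))
```

The point of returning the full findings list rather than a bare yes/no is the remediation step the article asks the policy to spell out: a denied user should see exactly which written requirement the device fails, and the allowed-platform check makes the scope section enforceable rather than advisory.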
4. Simplify the Sign-Up Process
Making employees feel like they need to jump through hoops to get your approval for BYOD can cause your organization some unforeseen problems. The resulting frustration can lead employees to work from unauthorized personal devices without asking you or even telling you.
If your organization doesn’t have the proper access policies in place, employees using unsanctioned devices can substantially increase risk and create new attack vectors. Simplifying the BYOD sign-up process gives employees much-needed flexibility while allowing IT to remain proactive and avoid unmanaged devices connecting to work resources.
To do this, eliminate any paper forms, and automate anything you can. Simply ask employees to submit a short BYOD request with the critical information, and make setup as efficient and painless as possible using a modern device management tool. Design the sign-up flow so that it helps IT without hindering the employee experience.
5. Establish Reimbursement Guidelines
Whether or not you choose to reimburse or pay for anything related to BYOD, it doesn’t hurt to outline your decision in the written policy. If your organization chooses not to reimburse for anything BYOD related, cover your bases by specifying this in the BYOD policy.
However, if your organization does decide to reimburse or purchase BYOD-related items for employees, specify exactly what will be reimbursed, the timeline for reimbursement, and how it will take place. Some organizations choose to pay employee internet bills for personal devices and/or for the device itself if a user wants to purchase something new to use for work.
One thing to watch out for is unexpected expenses, whether caused by an oversight in the policy itself or by something like data overage charges that the organization may be liable for. To avoid these scenarios, be very specific in your BYOD policy about what you’ll pay for and what costs the employee is responsible for.
6. Plan for Ongoing Maintenance
A BYOD policy isn’t something you can set and forget. As time goes on, you will need to keep performing routine checks on how the policy is working, including security and compliance checks, tool checks, and more. As technology changes and new devices become commonplace, you might need to adjust which devices, operating systems, and tools your BYOD policy supports.
To gauge how employees feel about the policy, you can include BYOD-related questions in your organization’s employee experience survey. The feedback here is invaluable for making improvements to your policy.
7. Write Your Policy Down Before Implementing
Lastly, prior to communicating anything BYOD-related to employees, write your proposed BYOD policy down first. This will help you catch any errors or omissions when you read it over, before it’s in the hands of users. You’ll need a written version that can be iterated on over time anyway, so take the extra time to write all of the details down before buying any new tools, telling employees to follow certain guidelines, or changing processes.
This strategy eliminates a lot of the potential for miscommunication, extra work, or wasted resources, especially if you make any substantial changes to the first draft before actually implementing the policy. Try to keep it as short and sweet as possible, around 1-2 pages; otherwise employees are unlikely to read the entire document.
Sharing Your BYOD Policy
After you’ve addressed these seven topics and anything else that comes to mind, you can have different stakeholders look over the policy for any final input or adjustments. Once you have gotten all of the feedback that you need and the policy is ready to go, you can hold a company meeting where you go over the policy and open the floor up for any relevant questions.
At this time, you can share the written policy with all employees and direct them to the first step of your sign-up process. During the meeting, it’s important to address any employee concerns, give them the “why” behind the policy, and explain that you want to give them the freedom of BYOD while protecting your organization’s data.
Gaining employee buy-in and maintaining employee trust during the BYOD implementation period is essential for a smooth transition.