
What to include in your BYOD policy: 3 key elements

Business mobility is improving, and companies everywhere are taking “on-the-go” work to new levels. However, this also means that companies are now having to confront the Bring Your Own Device (BYOD) monster.

As of 2016, almost 60% of companies in the US allowed employees to use their own devices for work purposes. Unfortunately, BYOD can be a double-edged sword.

On one hand, BYOD allows enterprises to build a more agile workforce that can work from anywhere, anytime. It can also lead to flexible working hours and more satisfied employees.

On the other hand, BYOD poses a serious threat to corporate security. Your sensitive data can be compromised, and if you’re working in industries such as healthcare or legal, it can lead to legal troubles.

A well-thought-out BYOD policy, however, can help employers reduce the risk associated with mobile devices.

Before you create your BYOD policy

First and foremost, it’s important to receive explicit employee consent when it comes to BYOD practices.

Employers should explain (in simple language) BYOD practices and the employee responsibilities that come with them.

3 key elements to include in your BYOD policy

A list of permissible devices and apps

Allowing only select models and brands can ensure smooth integration with a BYOD policy. However, it’s important to consider the brands and models most employees already use.

If a large majority of employees don’t have devices that are permitted and they are unwilling to buy a new device, it could become a challenge for HR. For instance, if the majority of your employees use Android phones, having an iOS-only BYOD policy can backfire. 

Restricting certain apps can also minimize the threat of security breaches and make it easier to manage your BYOD policy. However, to implement these restrictions, you might need to install information management software on employees’ personal devices.

Keep in mind, however, that this should be explicitly stated in the BYOD policy (including the kind of information the company has access to).

It can also help if employees work with the IT department to minimize security risks. This includes regularly updating their software and providing remote access to devices.


Exit protocols

A good BYOD policy should include steps to follow when an employee leaves your organization.

Will the employee hand over their personal device, so your IT department can run checks and revoke access? Who is responsible for deleting sensitive data from a personal device that was used for work? What apps need to be deleted?

These are all pertinent questions that should be answered in your BYOD policy. You should also outline the steps to follow if a device is stolen, including consent for remote access to wipe the device clean.


Reporting hours worked and other essentials

Your BYOD policy should clearly state which employees are allowed to use their own device for work. It should also state how hours worked are calculated, given that there will be an overlap between personal and professional use. Installing enterprise software and counting logged-in hours is one way to do it.


Final thoughts

In addition to all of the above, it’s important to take into consideration any information privacy laws that your organization is required to comply with. For instance, the healthcare industry is required to comply with HIPAA. Privacy restrictions will dictate levels of authorization and how cost-effective it will be to implement a BYOD policy.