Approximately 45% of the world’s population owns a smartphone; that translates to just over 3.5 billion devices worldwide. With this staggering number of active phones and the influx of the remote workforce, it’s safe to assume most companies have end users, ranging from executives to independent contractors, accessing company data via a personal smartphone, tablet, or other smart device. Email accounts, task management systems, and third-party file storage providers are now only a 5-second app download away. More and more company and personal systems are being commingled. As ease of access to sensitive data increases, the threat of unauthorized access to secured data rises almost in tandem. As companies work to balance the optimization of operational efficiencies and the installation of risk mitigation controls, there is no escaping the need for the adoption of a solid BYOD program. Serving as a compliance professional for over 15 years, I have had the pleasure (or pain) of establishing BYOD programs within various organizations, from heavily regulated financial services institutions to posh LA boutiques. What I’ve learned, in part, is that regardless of your industry, there are three tips that I would recommend to anyone desiring to implement a BYOD program within their organization.
1. Find Your Champions
If you have been charged with the implementation of your company’s BYOD program, or if you want to pitch a BYOD program to your company, be sure to drum up buy-in. Recruit internal champions who believe in the importance of the program. Internal champions are people with influence in your organization who will actively support your project and ensure successful adoption. Champions can be influential sales managers, IT directors, or even someone within the C-Suite. Be sure to keep your champions engaged with the development of the program, seek their opinion on program components, and provide timely updates on the program’s development. These actions will ensure your champions feel invested in the BYOD program, and they will help to persuade other staff members to accept the program with little resistance when it is rolled out.
2. Proper Preparation Prevents Irritation
Be sure to understand the lay of the land; leverage your champions when possible. To design the optimal program, conduct research on best practices and find answers to the following questions:
- How is company data currently accessed on personal mobile devices?
- Which departments or roles need to access data remotely?
- What type of data is being accessed (e.g., sensitive, classified)?
- Which systems must remain accessible remotely?
- Are risk controls currently in place such as VPNs?
- Are users who are not employees (e.g., contractors, vendors) accessing systems?
- How will this impact their continued use of the systems?
Most importantly, you should clearly know the specific risks you are attempting to mitigate. Understanding the complete lay of the land will aid you in the design of a BYOD program that fits your company.
3. Solutions that Empower
This may seem obvious, but the solution should feel like a solution and not like a problem to your end users. A difficult user experience can spell trouble for the success of your BYOD program. Find solutions that are transparent and as non-invasive as possible for the end user. After all, it’s difficult to get staff to buy into the thought of allowing the company to have control over their personal devices and data. From my experience, end users advise it feels invasive and unfair. Segregation of data is possible, and by doing so the company can protect its assets while respecting the personal property rights of its staff and contractors. To ensure users feel comfortable adopting features of the BYOD program that may require integrations or use of third-party service providers, be sure to find vendors that offer user-friendly interfaces and clear, easy-to-understand literature on features and functionalities. As a best practice, pair program implementation with a written BYOD policy document and training materials. If your end users feel educated and have a firm grasp on the “why” behind the program, they will feel empowered and more likely to become cheerleaders for data security themselves.