If you are here, reading this blog post, perhaps you have been charged with the implementation of your company’s bring-your-own-device (BYOD) program and need to brush up on core principles. Or, maybe you are brand new to the subject and are curious to simply understand what the program is all about.
Whatever the reason for stopping by, our hope is that, after reading this post, you walk away with a clear understanding of BYOD core principles and can use this post as a resource to refresh your knowledge base and educate others.
BYOD Policy, Defined
Bring-your-own-device policies, commonly referred to as BYOD policies, can be summed up as a set of rules, notices, and agreements a company and its end-users must follow when the end-users are permitted to access company systems and data using personal mobile devices. It is important to remember that personal mobile devices are non-company-issued devices and are the exclusive property of the end-user. When personal devices are introduced to the company’s network, the company’s network security responsibilities must expand to encompass the non-company-issued endpoints controlled by staff.
At its core, the purpose of a BYOD policy is to establish a framework of clearly defined roles, rules, and responsibilities that ensure the protection of company data, reputation, and systems.
Development of a BYOD Program
A well-written BYOD policy establishes clarity and transparency, allowing the security needs of the company to be met while respecting the privacy rights of the end-user.
BYOD policies can range in complexity based upon industry, company maturity, and available resources. At the core, four main ideas should be addressed within the program to achieve a well-rounded BYOD risk management approach. The company should have clear guidance concerning:
- Devices and support
- Acceptable use
- Security escalation and notification
- Disclaimers and agreements
Devices and Support
In a commingled environment where personal devices are permitted to access sensitive data and systems, network security and data protection can be stretched beyond their limits. A sound BYOD policy should outline which devices are allowed to access the network. Security controls, such as anti-virus protection, VPN functionalities, and general device management, can become impossible to manage if devices are incompatible with the security controls in place on the network.
Acceptable Use Policy
After a concise list of devices has been established, there must be guidance provided to end-users on the proper use of these devices to maintain security. Acceptable use guidelines should include topics such as password minimum requirements, permitted browsing activity, social media posting, and data storage.
Security Escalation & Notification
Be sure to address worst-case scenarios. Who is responsible for monitoring and reporting threats? End-users need to know who to contact, when to make contact, and what key information to communicate should a security threat affect their personal device.
Disclaimers and Agreements
Be sure to state in the policy, using clear language, any rights the company wishes to exercise concerning the end-user’s device. If the company wishes to exercise the right to remotely wipe the device, then the company must advise the end-user of this fact.
If the end-user is responsible for backing up data in the event of a remote wipe, this should be communicated to the end-user via policy. Any other binding agreements the end-user is agreeing to by the use of their personal device should be conspicuously outlined within the BYOD policy.
Why Bring Your Own Device?
To be short and sweet, BYOD provides the benefits of reduced costs and increased convenience. A rhetorical question from operational leadership that I have often heard in my role as a compliance executive is, “Why budget for the purchase of devices when the devices have already been purchased by the end-users?”
Smartphones, tablets, and laptops help us to remain plugged-in and productive while on the go. Whether you are riding the train into the office or sitting at your dining room table working remotely, armed with a mobile device and a decent Internet connection, you can successfully access company systems like email, file storage, and core operating programs. Those who work remotely can now work with the same productivity level as an employee sitting in the office working from a company-issued desktop computer.
A solid BYOD policy can allow an organization to reap the benefits of the BYOD model while mitigating security risks.
Truly Secure BYOD
Implementation of a solid BYOD policy in combination with a robust BYOD management solution places an organization in the best position to reap the benefits of the BYOD model while mitigating security risks. Virtual mobility solutions, such as Hypori, greatly reduce BYOD threats and potential complications by providing 100% separation of personal and corporate data on a personal mobile device. Hypori equips users with a powerful, centralized administration hub, allowing for easy management of authentication, provisioning, device hosting, and much more.