Bring Your Own Device Policy Best Practices

Published January 18, 2021. 6 min read

Employees have been bringing their own phones, tablets, and other personal computing devices into the workplace for more than a decade now; it is an inevitable part of working life. That means every organization should have a Bring Your Own Device (BYOD) policy that governs how employees may use their devices for work. Without one, you expose your business to significant and largely unmanaged risk.

That said, the best BYOD policy isn't one that forbids personal devices outright; employees will use them anyway, and an outright ban only pushes that use out of sight. Instead, your BYOD policy should make the best of an imperfect situation by setting boundaries for acceptable use, implementing enterprise mobility management (EMM) and mobile device management (MDM), and incorporating BYOD security into your overall security policy.

In the end, a strong BYOD program can go a long way toward protecting company data and sensitive information from data breaches. Here are best practices for your BYOD policy process:

Set Up a Bring Your Own Device Team

Device security isn't as simple as "Do use this, don't use that." Every security plan should reflect the unique risks and resources of the business, and those vary widely from one organization to the next.

For example, larger organizations may be able to issue corporate devices to their employees for work-related use, while smaller organizations may need to rely on employees using their personal smartphones. A larger organization might also split the difference: let employees take calls on their own phones, but restrict email and other work to corporate-only devices.

Creating an effective BYOD policy requires getting finance, legal, IT, and the key business operations departments to work together. Collaboration among these groups will surface the various needs and limitations within your business. Establishing a BYOD team now can save time and money later.

Review Your Resources

Before implementing your policy, you need to review your resources, business goals, and security risks. There are several goals you should strive to achieve here:

  • Reduce technology costs. Buying technology for all your employees may not be affordable for your company. But you might be able to save money by allowing employees to bring in their own technology.
  • Keep your business up-to-date. Consumers love new technology, which is why manufacturers issue gadgets with new features every year: because people buy them. If your organization buys technology for its employees, find out what tech they actually use, and keep in mind that legacy equipment often stops receiving vendor security updates. Letting workers use their own phones, tablets, and laptops could not only lower your technology costs, but also make your business more secure, provided your policy requires those devices to stay on supported, patched versions: current consumer platforms ship security fixes on a cadence most internal IT teams cannot match for aging hardware.
  • Improve productivity. Unless you’re willing and able to upgrade technology every year or two, providing devices to your employees may force them to work with slower, outdated models. An effective BYOD policy will let them upgrade their own technology, and can result in work getting done faster and at lower cost to your enterprise.

Define Who May Use Their Own Devices

You may have a blanket policy that nobody can use their own devices for certain tasks, or one that allows everyone to do so. Most likely, your BYOD policy will fall somewhere in between, allowing employees who must be reachable at all hours to combine business with pleasure by using their own devices.

For instance, if your company has IT employees who must be available for emergencies, or overseas employees who must be available at nontraditional hours, your policy should identify those groups. An effective Bring Your Own Device policy defines which business areas, departments, or roles fall into this category.

Define Which Devices May Be Used

Different devices come with different risks. So to create an effective BYOD policy, you need to define which devices are allowed.

For a policy that improves information security, leave as little room for interpretation as possible. Will your policy treat tablets and smartphones the same? What about devices such as e-readers and smartwatches that, while not laptop substitutes, can connect to Wi-Fi networks and store or relay information?

Your policy should also define which devices and operating system versions your IT department will or will not continue to support. If old-school BlackBerries are too "last century" but you have C-suite members who love them, an effective Bring Your Own Device policy clarifies the supported lifespan of that technology, and what happens when it falls out of support.

Define How Devices May Be Used

Keeping personal devices out of the workplace is difficult. People need their devices for a host of reasons, from childcare to personal scheduling. But those devices can pose a risk if they’re used to transfer official company information, and can be a distraction if used too often.

Your BYOD policy should define those uses. For example, higher-level executives may need to be on call and accept emails as well as phone calls, while lower-level employees may only need to take phone calls.

Texting, telephone calls, social media, and other personal uses can be distracting, and it is important to hold employees accountable for them. It is also important to define restrictions on video, camera, and live recording in areas where sensitive data or conversations could be captured.

Define ‘Privacy’

Personal devices also raise questions around employee privacy. Even when an employee uses a personal device, traffic that crosses your networks and systems is something you can monitor and preserve, and your policy should say so explicitly, within the limits of applicable law.

Most employees will understand that messages they send using company email are monitored. They may not realize, however, that when they connect to a corporate Wi-Fi network on their personal devices, you can monitor that activity as well. Your policy should specify what employee activity will be private and unmonitored, and what won't be.

Define the Service Policy 

Supporting all the personal devices employees use at work can leave IT teams overwhelmed; it’s also impractical to expect that your corporate IT team provides support for every issue that an employee might encounter with his or her device. Your BYOD policy should state which end-user devices your company will support, and how; as well as those you won’t support.

Employee devices can include platforms as diverse as Linux, macOS, Windows, iOS, Android, BlackBerry, and Chrome OS. Defining the platforms and versions you will support is important for managing your IT risk: an unsupported platform is one you cannot manage, patch, or wipe with confidence.

The policy should also explain the level of support you will provide. Employees need to understand that your IT department isn't responsible for recovering personal photos when their smartphone falls in the toilet, and that IT isn't a substitute for the Genius Bar at their local Apple store. Clearly limiting your support to business-related services makes for a Bring Your Own Device policy that protects you from legal liability.

Define Who Will Own Information

Encouraging or requiring employees to use personal devices for business purposes outside of regular operating hours means that you need to define who owns the device's data, and to segregate corporate data from personal data where the platform allows it.

If the device is breached or lost, you may need to erase information from it. Where your MDM supports a managed work profile or container, you can limit that to a selective wipe of corporate data; where it does not, a full wipe will also remove personal data such as pictures or music. Inform employees of your right to wipe their devices, state which kind of wipe applies, and encourage them to back up their personal data.

Define Which Apps/Data You Allow

Some apps inherently create security risks. Social media apps are the most visible examples because of the data they collect and the permissions they request, but other apps such as replacement email clients, personal VPNs, or remote access software may pose a greater risk to corporate data, since they can route mail and traffic outside the controls you manage.

For example, employees use streaming services to listen to music at their desks. If Spotify or Pandora ships with a known vulnerability, you need a way to confirm that the weakness doesn't affect your organization's security, which in practice means knowing which apps are on devices that touch corporate data.

Define which applications employees may access at work, as well as your IT department’s role in providing service support for apps. 

Define How Reimbursement Will Work

When employees regularly use their devices for work, they may be confused about compensation. 

If employees often take off-hours phone calls or respond to emails outside of regular business hours, they may feel that you should be compensating them for purchases and upgrades. Your policy needs to state which types of financial support you will provide. This can include corporate discounts through specific vendors, stipends, or nothing. 

Define Which Data Can Be Accessed

Employees will need different levels of access to corporate data from their own devices. Your CEO, for example, may need constant access to secured data so he or she can get information even while traveling. Meanwhile, the average employee may not need to access your databases from home—or perhaps they will. 

Your policy should state when employees may use personal devices to access company data and sites, which categories of data are off-limits from any personal device, and when employees must use corporate devices instead.
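The two decisions discussed above (which devices are acceptable, and which data a given role may reach from one) are the questions an MDM or EMM conditional-access check answers at every device check-in. The following is an added illustration, not code from the original article or from any MDM product: a small Python evaluator that takes a device posture record of the kind an MDM agent reports and returns the highest data tier the user may access plus the reasons for any reduction. The platform version floors, the role names, the tier names, and the DevicePosture fields are all assumptions chosen for this illustration.

```python
"""Added illustration (not from the original article): a BYOD access decision.

Models the two policy questions as an MDM/EMM conditional-access check: is this
device on the supported list and in an acceptable state, and which data tier may
this role reach from it. The posture fields mirror what an MDM agent typically
reports at check-in; the version floors, roles and tiers are assumptions chosen
for illustration, not a vendor's recommendations.
"""
from dataclasses import dataclass

# Assumed minimum supported OS version per platform (illustrative values).
MIN_OS_VERSION = {"ios": (15, 0), "android": (12, 0), "macos": (12, 0), "windows": (10, 0)}

# Assumed ceiling per role; tiers from least to most sensitive are
# none < calls_only < email < internal_apps < restricted.
ROLE_MAX_TIER = {
    "executive": "restricted",
    "it_oncall": "internal_apps",
    "staff": "email",
    "contractor": "calls_only",
}


@dataclass
class DevicePosture:
    platform: str          # "iOS", "Android", "macOS", ...
    os_version: str        # as reported, e.g. "16.4.1"
    enrolled: bool         # registered with the MDM/EMM
    encrypted: bool        # device storage encryption enabled
    screen_lock: bool      # passcode or biometric lock enabled
    rooted: bool           # jailbroken / rooted
    corporate_owned: bool  # False for a personal (BYOD) device


def parse_version(text):
    """Turn '16.4.1' into (16, 4, 1) so versions compare numerically, not as strings."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def device_problems(d):
    """Reasons this device fails the allowed-device policy; an empty list means compliant."""
    problems = []
    plat = d.platform.lower()
    if plat not in MIN_OS_VERSION:
        problems.append(f"unsupported platform: {d.platform}")
    elif parse_version(d.os_version) < MIN_OS_VERSION[plat]:
        problems.append(f"{d.platform} {d.os_version} is below the supported minimum")
    if not d.enrolled:
        problems.append("not enrolled in MDM")
    if not d.encrypted:
        problems.append("storage is not encrypted")
    if not d.screen_lock:
        problems.append("no screen lock")
    if d.rooted:
        problems.append("device is rooted or jailbroken")
    return problems


def access_decision(role, d):
    """Return (tier, reasons): the highest tier this role may reach from this device
    and every policy finding that lowered it."""
    reasons = device_problems(d)
    if not d.enrolled:
        # An unmanaged personal phone can still take calls, but gets no corporate data.
        return "calls_only", reasons
    if reasons:
        # Enrolled but non-compliant: block until the device is remediated.
        return "none", reasons
    tier = ROLE_MAX_TIER.get(role, "none")
    if tier == "restricted" and not d.corporate_owned:
        # The most sensitive data stays on corporate-owned hardware, even for executives.
        reasons.append("restricted data requires a corporate-owned device")
        tier = "internal_apps"
    return tier, reasons


if __name__ == "__main__":
    # Constructed sample postures for the demo, not real device records.
    ceo_phone = DevicePosture("iOS", "16.4.1", True, True, True, False, False)
    old_android = DevicePosture("Android", "10", True, True, True, False, False)
    unmanaged = DevicePosture("Android", "13", False, True, True, False, False)
    for role, dev in (("executive", ceo_phone), ("staff", old_android), ("staff", unmanaged)):
        print(role, dev.platform, access_decision(role, dev))
```

Two design points carry over to a real deployment. First, an unenrolled device is treated differently from an enrolled but non-compliant one: the former never had corporate data and can keep taking calls, while the latter is blocked until fixed, because it may already hold mail or documents. Second, the reasons list is returned alongside the tier so the user and the help desk can see exactly which policy clause reduced access, which is what makes such a policy enforceable rather than a surprise.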

Govern Where Data Resides

Separating work and personal data on the device can offer added protection for your business. Most current mobile platforms support a managed work profile or container that keeps corporate apps and data apart from personal ones, under their own passcode and subject to selective wipe; your policy may require employees to use that separation, and may require separate accounts and passwords on shared devices. (And remember, employees may need IT support to configure these profiles correctly.)

Protect the Network

Your policy should address employee access to your network, including any decision to offer Wi-Fi for personal devices. If you do offer it, your policy needs to explain how that access is protected, whether personal devices land on a separate network segment from corporate systems, and the level of support you plan to offer.

Include BYOD Policy Training and Enforcement 

Alert your HR team that they may be called upon for BYOD training and enforcement. Training ensures that employees are aware of the policy and its restrictions, as well as the penalties for non-compliance.

Plan for Employee Off-Boarding

Your policy needs to include a plan for handling workers' devices when they leave the company. To avoid legal complications, state in your policy how you will handle sensitive data on those devices, such as wiping corporate data, revoking their access and enrollment, or requiring employees to present their devices for review before their departure.

Manage Risks Worry-Free

BYOD can be nerve-wracking, but it needn't be if you use a good governance, risk management, and compliance solution to help you manage your security risks. ZenGRC helps you keep track of the devices that connect to your network and establish controls to protect your corporate data. It can help keep you compliant with security regulations and standards, remind you of your BYOD policy timelines, monitor workflows, and provide documentation for compliance audits from its "single source of truth" repository.

Worry-free risk management, including BYOD, is the Zen way. Contact us now for a free consultation.
