Effective Bring Your Own Device Policy: 15 Steps to Success

Published August 10, 2017 (7 min read)

With employees continuously attached to their smartphones, you need to have an effective Bring Your Own Device policy. Increasingly, employees bring their own devices into the office whether or not you want them to use personal devices. Depending on your resources and desire for employee engagement, an effective Bring Your Own Device policy may be one of the most important procedures you create to protect your data environment.

1. Why You Should Set Up a Bring Your Own Device Team

Device use isn’t as easy as “use this” and “don’t use that.” In some cases, your organization may need employees to use their own devices, while in other cases they won’t need to do so.

Larger organizations may be able to offer devices to all of their employees for work-related use. Smaller organizations may need to rely on the use of personal smartphones. Alternatively, larger organizations may let employees take calls on their own smartphones but restrict email and other work to non-personal devices.

Creating an effective Bring Your Own Device policy requires getting finance, legal, and IT to work together. Collaboration among the different user groups organizes the various needs and limitations within your business. Doing this at the front end saves time and money on the back end.

2. How to Review Resources to Determine Need
Before implementing your policy, you need to review your resources and landscape. In some cases, an effective BYOD policy may be the most cost effective option to protect your company.

How an Effective Bring Your Own Device Policy Lowers Technology Costs

Purchasing technology for all of your employees may not be feasible. Useful laptops or desktops will cost several hundred dollars per employee at best, or several thousand dollars at worst. This means that if you’re purchasing the technology for your employees, you’ll need to make a significant up front capital investment. But you can save that cost by allowing employees to bring in their own technology.

How an Effective Bring Your Own Device Policy Keeps Your Business Up to Date

The length of the lines for the new iThings show how much people love new technology. Whether it’s an iThing or an Android, most employees will be sure to stay within a generation or two of the most current devices. If your organization purchases technology for its employees, take a look at what they’re using. Is that an outdated Blackberry they’re carrying? If so, look at how a BYOD policy lowers your technology costs.

Why Bring Your Own Device Policies Make Employees More Productive

No one likes to work after hours—it’s a general fact of human nature. Moreover, your employees are far less likely to want to work if forced to separate their leisure devices from their work devices. Also consider that providing hardware to your employees usually forces them to work with slower, outdated models. If you were your employee, would you be working during your leisure time if “work” meant switching from a fast device to a slow device, which then makes the work take longer? The answer is most likely “no.”

This means that creating an effective BYOD policy comes with some significant cost savings and returns on investment, offering your employees a more flexible work-outside-of-work arrangement.

3. Who Can Use Their Own Devices

Truthfully, this one is going to be difficult. It’s hard to determine who needs to use their own devices and who doesn’t. You may have a blanket policy that no one, or everyone, can. Then again, constant contact is necessary for some people. If your company works with people overseas, you may need some (but not all) employees to be available at nontraditional hours. To create an effective Bring Your Own Device policy, make sure to define which business areas or departments fall under its aegis.

4. What Devices Can Be Used

In the complicated world of the Internet of Things (IoT), different devices come with different risks. To create an effective BYOD policy, you need to define clearly the types of devices that are allowed.

You want to think about more than just the operating system. For the sake of a policy that can impact information security, you want to leave as little room for error as possible. You need to be clear about whether tablets and smartphones are the same, as well as your policy on things like e-readers that are not intended as laptop substitutes but often connect to wifi or collect information.

When you define devices for the sake of policy, state explicitly which devices your IT department will continue to support and which they won’t. If old school Blackberries are too “last century” but you have c-suite members who still love them, an effective Bring Your Own Device policy would consider the lifespan of technology that is supported.

5. How Devices Can Be Used

Banning personal devices from the office is going to be difficult. People need them for a host of different reasons, from emergency contact to health. Simultaneously, they pose a risk if used to transfer official company information or a distraction if used too often.

Within this section, the types of uses should be defined. For example, higher level executives may need to be on-call and take emails as well as phone calls. Lower level employees may only need to take phone calls. In addition, it’s important to define restrictions on video, camera, and live recording to protect data.

Also, you want to define how a personal device may be used for personal reasons during work hours. Texting, telephone calls, social media, and other personal uses can be distracting. It’s important to hold employees accountable for those uses to ensure an effective Bring Your Own Device policy.

6. How to Define Privacy

Employees may think that if they’re bringing a personal device to work, their privacy is protected. However, when the employee is connected to your networks, you can retain the right to monitor and preserve any communications.

Most employees will understand that messages sent through the company’s email, for example, are monitored. However, many may not realize that if they are using your data networks or wifi on their personal devices, you can monitor that as well. This means that an integral part of the policy is ensuring that employees are notified of this.

7. What The Service Policy Will Be

It can be overwhelming for your IT team to support all devices that employees can purchase. This expectation is also impractical. This means that one of the most important parts of a Bring Your Own Device policy is defining clearly what kinds of support you will provide.

Company IT cannot be responsible for taking care of every device employees could purchase. However, employee devices are increasingly important to your business, so your policy needs to define which end-user devices you are willing to support.

Your policy should specify the platforms that you agree to support as well as those you will not support. Employee devices can include platforms as diverse as Linux, macOS, iOS, Android, Blackberry, Chrome OS, and any other funky platforms on other devices. Clearly defining the types of platforms you support is important in managing your IT risk.

In addition, the policy should explain clearly the level of support you will provide. Employees need to understand that your IT department isn’t responsible for recovering personal photos when their smartphone falls in the toilet. They also need to understand that your IT department isn’t the Genius Bar at the local Apple Store. Clearly limiting the support available to services, like connecting to network or other business related services, is important to creating an effective Bring Your Own Device policy that protects you from legal liability.

8. Who Will Own Information

Encouraging or requiring employees to use personal devices for business purposes outside of regular operating hours means that you need to segregate or clearly define who owns the device’s data. You may need to wipe a device clean of all data in the event it is breached or lost.

Wiping the device means removing all data, including personal data such as pictures or music, so it is essential that your employees understand this in advance. They need to be informed of your right to wipe their device. Moreover, your policy should also reinforce the importance of backing up data.

9. What Apps/Data Are Allowed

Some apps inherently create security risks. Social media apps are the most prominent culprits. However, other apps such as replacement email applications, VPNs, or remote access software also pose a risk. For example, many employees may be using streaming services to listen to music at their desks. If Spotify or Pandora has a known security risk, then you have to make sure it doesn’t impact your organizational security.

You need to define clearly which applications employees are allowed to access at work. Moreover, you want to define clearly your IT department’s service support in terms of apps. Employees need to understand that your helpdesk isn’t there to make sure their Twitter app works right.

10. How Reimbursement Will Work

When employees regularly use their devices for work, they may be confused about compensation. This may seem like part of defining the devices, but reimbursement policy is a distinct, if nuanced, matter. If employees are regularly taking off-hours phone calls or responding to emails outside of regular business hours, they may feel that you should be compensating them for purchases and upgrades. Your policy needs to define clearly what types of financial support you will provide. This can include corporate discounts through specific vendors, stipends, or nothing at all. Whatever you choose, an effective Bring Your Own Device policy states it clearly.

11. What Data Can Be Accessed

This is another area where your different business needs may lead to a spectrum of policy requirements. Some employees will need to access data on their devices, and others won’t. For example, a CEO may need constant access to secured data so they can get information even while traveling. Meanwhile, the average employee may not need to access the databases at home.

In addition, it may be meaningful for some employees to access data on their personal devices, while other employees might use corporate devices for this reason.

12. Where Data Resides

Device partitioning can offer an additional protection for your business. As more devices offer multiple users, your Bring Your Own Device policy may require employees to partition their access. In this manner, they can have different passwords for different users on the same device. This offers a level of protection for your data and applications.

13. How to Protect the Network

While this seems obvious, your Bring Your Own Device policy needs to address employee access to your network, including your decision to offer Wi-Fi that supplements broadband access. If you do offer Wi-Fi, then your policy needs to explain clearly how you protect the access and what levels of support you plan to offer.

14. How to Ensure Training and Enforcement of Bring Your Own Device Requirements

Your policy cannot be effective unless there are repercussions attached to violating it. However, prior to enforcing a policy, you need to make sure that your employees know it exists. This is another area of your policy that requires multiple departments to work together.

Get your human resources department on board with both training on and enforcement of your policy. Training ensures that employees are aware of the restrictions. Penalties such as disciplinary action or termination of employment ensure that employees know these restrictions are important.

15. How to Prepare for Employee Offboarding

Employees are not permanent. Whether by choice or requirement, attrition is inevitable. This means that your policy needs to include a plan for handling devices upon termination or resignation. To avoid legal complications when employees don’t want to surrender devices, you need to state clearly in your policy how you plan to handle all sensitive data. This can include wiping devices or requiring employees to submit their device for review prior to leaving your employment.

As business needs and your company expand, employees increasingly will need to access their personal devices after traditional hours. With that in mind, you need to determine how best to protect your information assets. This means adding another policy and, therefore, another internal audit to ensure compliance across your organization.
