It's a fact of life in today's world that every business needs a bring your own device (BYOD) policy - and yours is no exception. Employees see the ability to access key files and applications at any time, from any device as an essential part of their job.
While you could react to the demand for mobile working by increasing the number of corporate-owned devices, this can be an expensive option, especially for larger enterprises. Therefore, allowing employees to use their personally-owned smartphones and tablets is a quick and cost-effective way of meeting expectations and maintaining high productivity levels.
But this can come with a range of issues - not least how you secure these devices. As a result, it's essential that you have a clear BYOD policy that spells out what’s allowed and what isn't when employees use their own devices for work.
So what does this involve? While there are many factors to take into account, there are a few key steps that no business can afford to overlook if it's to operate a successful BYOD scheme.
1. Identify what devices will be permitted
An important first step will be determining what devices will be allowed to access company materials, and this is less simple than it may appear. For instance, should you restrict BYOD policies only to Apple devices, which may be easier to closely control? If so, you could be disadvantaging those who use Android.
However, Android is a much more fragmented platform than iOS, with many devices still running outdated versions of the operating system. Simply allowing every Android smartphone as well could therefore introduce more security risk, so it's important to define a cutoff point below which devices running older Android versions aren't permitted.
2. Establish strong authentication policies
It's important to ensure there are tough authentication measures for any devices that can access company material, and this starts with the device itself. Research by Kaspersky shows that more than half of consumers in the US (52%) don't password-protect their smartphone, and those that do are likely to use weak or repeated passwords that can be easily guessed.
However, convenience is no excuse for leaving sensitive corporate data unprotected, so a strong password is a must - short PINs or swipe patterns are not enough. Instead, you should require long, complex passwords, biometrics such as fingerprint scanners, or two-factor authentication before any corporate data can be viewed.
3. Define how apps will be restricted
Setting limits on which apps can be used is another vital step. Many popular apps contain serious security vulnerabilities or require overly broad permissions that can lead to data breaches. Indeed, one study by PT Security found 38% of iOS apps and 43% of Android apps have high-risk vulnerabilities, while malware is also a growing problem. Therefore, you must have a strategy for blocking unwanted apps.
Being able to blacklist apps that have proven vulnerabilities or malicious content is essential, but it's important to consider whether you should go further - for example, by restricting app downloads to only pre-approved, whitelisted apps. While this is more secure, it means users may not have the freedom to install other apps outside work, so the decision needs to be balanced carefully against the frustration this may cause.
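The device, authentication and app rules from steps 1 to 3 are the kind of checks a mobile device management (MDM) tool evaluates before granting access. The following is an added example, not part of the original article: a small compliance evaluator run over constructed device records. The Android 8.0 and iOS 13.0 cutoffs, the 8-character minimum and the package names are assumptions chosen for illustration.

```python
"""Evaluate constructed BYOD device records against an assumed policy.

Added example, not from the original article. Cutoffs, passcode minimum and
app package names below are constructed assumptions, not recommendations.
"""
from dataclasses import dataclass, field

MIN_OS = {"android": (8, 0), "ios": (13, 0)}          # assumed per-platform cutoffs
MIN_PASSCODE_LEN = 8                                   # short PINs fail this rule
DENY_APPS = {"com.example.knownbad"}                   # constructed blacklist entry
ALLOW_APPS = {"com.example.mail", "com.example.docs"}  # constructed whitelist


def parse_version(v: str) -> tuple:
    """Turn '8.1.0' or '10' into a comparable tuple.

    Plain string comparison would rank '10' below '8', which is exactly the
    mistake that lets outdated Android builds slip past a version cutoff.
    """
    parts = []
    for piece in v.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    while len(parts) < 2:
        parts.append(0)
    return tuple(parts)


@dataclass
class Device:
    platform: str
    os_version: str
    passcode_len: int          # 0 means no passcode is set at all
    biometric: bool            # fingerprint/face unlock enrolled
    apps: set = field(default_factory=set)


def evaluate(d: Device, whitelist_mode: bool = False) -> list:
    """Return the list of policy violations; an empty list means compliant."""
    violations = []
    floor = MIN_OS.get(d.platform.lower())
    if floor is None:
        violations.append("platform not permitted")
    elif parse_version(d.os_version) < floor:
        violations.append("os version below cutoff")
    # Step 2: a long passcode or biometrics is required, a short PIN alone is not.
    if d.passcode_len < MIN_PASSCODE_LEN and not d.biometric:
        violations.append("weak or missing passcode")
    # Step 3: blacklist always applies; whitelist mode blocks everything else too.
    blocked = d.apps & DENY_APPS
    if blocked:
        violations.append(f"blacklisted app: {sorted(blocked)[0]}")
    if whitelist_mode and (d.apps - ALLOW_APPS):
        violations.append("app outside whitelist")
    return violations
```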
4. Set out how personal and corporate data will be managed
When you have both personal and corporate data on the same device, this can cause conflicts when it comes to policies such as remote wiping. Many workers won't be happy about the prospect of losing their own photos should the device be compromised, so if you're going to do this you need their express consent first.
You also need to consider how you'll separate corporate data from personal files on the devices. Containerization splits off part of the device into its own bubble, protected by a separate password and governed by its own set of policies. This lets employees use the device in their own time without worrying that their personal apps can access work data.
5. Have a clear acceptable use policy
Setting out what workers can and can't do on BYOD devices is a vital part of any policy. This is a fine line, as employees will still regard their phones and tablets as their personal property - but it must be made clear that if they want to use them for work, they'll have to accept more responsibility. For instance, jailbreaking phones or using unsecured public WiFi hotspots should be treated as unacceptable if employees want to access corporate networks via their personal devices.
Meanwhile, you should also make it clear what people can and can't do when connecting to the network via a VPN. For instance, if you ban the use of Facebook on corporate devices, or block access to certain types of websites, you'll need to decide if these rules still apply when using a BYOD device.
6. Have an employee exit strategy
It's important to have a clear plan set out in your BYOD policy for what to do when employees leave the company. They may well have a wide variety of corporate data on their device, including key access tokens, login details and other information, which will need to be fully removed before they leave the business.
Therefore, as a bare minimum, reviewing personally-owned devices for corporate content should be a part of the exit interview. For more certainty, insisting on a wipe of the device before they leave may also be considered - in which case it’ll be vital to have a process in place for backing up and restoring personal data and apps.