BYOD policies: combining convenience with security
It's easy to understand why more and more businesses are taking a "bring your own device" (BYOD) approach to the smartphones, tablets, and laptops many employees rely on to do their jobs. BYOD can boost employee efficiency and satisfaction, often while reducing a company's IT costs. But the approach isn't without risk for both you and your staff. Therefore, a formal policy that combines convenience with security is highly advisable.
As an employer, the inevitable security risks that arise when your networks and data are accessible to personal devices which are easily lost, stolen, or hacked is no doubt your primary concern. But you must also think about various legal compliance issues, such as electronic document retention for litigation purposes, or even liability for overtime pay when nonexempt employees use their devices to work outside of normal hours.
Your employees may be more concerned about privacy. Will you, their employer, have access to personal information, photos, or other non-work-related data on the device? Could an employee lose all of that if you're forced to "wipe" the device because it's been lost or stolen, or when the employee leaves your company?
A BYOD policy must address these and other issues. Unique situations and circumstances will shape the final details of the policy, but every employer should require employees to sign an acknowledgement of their obligations to:
- Use strong passwords and automatic lock-outs after periods of inactivity,
- Immediately report lost or stolen devices,
- Install mandated antivirus software and other protective measures,
- Regularly backup their devices,
- Keep apps and operating systems up to date, and
- Encrypt their devices.
The policy should also prohibit the use of public wifi networks or require employees to log in through a secure virtual private network when connecting via public wifi. You may want to forbid certain apps, too.
In addition, you should clearly outline your right to access, monitor, and delete data on employees' devices - including identifying the types of data you can access and under which conditions. Specifically outline your wiping procedures and the steps employees can take to protect their personal information from permanent erasure.
Nearly everyone who works for a company likely has a smartphone at this point. As such devices integrate themselves ever more deeply into our daily lives, it's only natural that they'll affect our jobs. Establishing a BYOD policy now can help prevent costly mistakes and potential litigation down the road.