Bring Your Own Device (BYOD) policies vary across every organization, and the challenges that BYOD presents to enterprises requires nuanced conversations. At the heart of the issue is the constant balancing act that IT administrators face between allowing team members to access company data and resources from personal devices and securing the devices that access those resources. The question remains: What are key items that organizations must consider when developing BYOD policies, and how can they best implement them in their organizations?
These eight considerations aren’t meant to be a totally exhaustive list tailored to your exact environment, leadership team or corporate culture. However, these do’s and don’ts hopefully allow you to walk away with some simple, practical takeaways that should be considered when developing BYOD policies for your organization.
1. Do make formal BYOD policies
The first undertaking for BYOD management is creating a formalized BYOD policy. It’s likely that your organization already has several policies in place covering matters like compensation, vacation, security, along with IT policies, such as an acceptable use policy.
Policies are important for a few reasons. They help employees understand what they can and can’t do in unambiguous terms, and they outline the expectations for each employee, including repercussions if policies are not adhered to. While some organizations may operate without formal BYOD policies in place, a policy gives companies a framework for handling various situations and the knowledge of what recourse to take if an employee is not adhering to the established policy.
By defining the terms of BYOD in your environment early and thoroughly, you can save your employees and your team a lot of hassle, giving everyone clear guardrails and answering questions before they’re ever asked.
2. Do make security a key focus of your BYOD policy and management
Several aspects of the workplace have shifted over the years. Where people work, how people work and when people work is drastically different compared to previous time periods. This shifting workplace has led to a threat landscape that has also drastically shifted, informing the ways in which your BYOD policies and management must also change.
In years past, it may have been sufficient to rely on simple, traditional endpoint management solutions with patching and software deployment to one or two devices per employee. Today, IT environments are much more dynamic. It’s harder to predict when a user is bringing their own device, what’s on that device and if that device will connect to company resources. When it comes to patching, questions around who used a device last or who will use a device next go unanswered when organizations don’t have full, unmitigated control over their endpoints.
This is why a BYOD policy should center around the security posture of your IT environment and include guidelines for maintaining protection across all your devices.
3. Do enforce passcodes
It would be difficult to find any enrollment-based tool out there that doesn’t employ some kind of passcode enforcement. Enforcing passcode policy is comparable to Wi-Fi credential management in its simplicity. Effectively just a fill-in-the-blanks process to create the specific configuration for your needs.
Passcode enforcement is one of the easiest and lowest impact security remediations that an organization can take. Especially with modern management platforms, there’s just no reason to forego good passcode policy and hygiene.
4. Don’t assume users keep their devices up to date
We can’t expect users, who often don’t fully understand the ramifications of not updating their devices, to keep up with good patching practices.
Unpatched vulnerabilities are one of the biggest threats an organization can face. While there may be controversy around BYOD policies that are overly intrusive when it comes to personal property data, it’s perfectly reasonable for IT to require a device to be kept up to date according to business standards.
What’s important is to be very upfront and clear in BYOD policies and include thorough language about your patching practices. The policy should lay out what you do, when you do it and why you do it.
5. Don’t treat personal devices like corporate devices
Embracing intrusive control over BYOD devices is the quickest way to lose goodwill with your users. Your BYOD policy needs to be specific about what the organization is managing, what it’s not and why. As part of that, you should take a sort of “least-privilege” approach to your own management and only exercise control over what is necessary.
There are some things to keep in mind when establishing your BYOD policies around device monitoring. For instance, some platforms will let you do location tracking, which can be incredibly useful for company-owned devices, but it’s not necessary for personal devices—and depending on where you are, may not even be legal. Other things like factory resets and device wipes can negatively impact the user experience and—in some cases—can even open you up to legal action.
The main takeaway is to be attentive to your users’ concerns and how the actions you’re taking and the control you have over the environment impacts their experience.
6. Don’t overlook mobile application licensing
There’s no doubt your company takes great care in keeping up with typical enterprise licensing, but what about mobile application licensing? This tends to be a much smaller line item in the budget, but those costs can add up, especially if you’re a smaller entity.
If you have a network of user devices that contain purchased apps and a user leaves the organization, without proper mobile application licensing, you wouldn’t be able to recover licenses tied to the user’s account. However, with volume licensing managed through Google Play or Apple’s volume purchasing program, you can purchase apps on behalf of the company, deploy them from your management tools, and redistribute that license when an employee leaves or changes roles.
With a volume licensing process laid out in your BYOD policy, users don’t have to worry about expense reports or what happens when they leave the company. All that guesswork is taken out, and you save the money on having to repurchase apps you already own.
7. Don’t expect BYOD to save you money
Far too often, organizations jump into the BYOD journey with the wrong mindset and the wrong expectations. The reality is, there’s going to be a cost to implementing and maintaining a BYOD program.
Now, there might be a little bit of savings on the front end with a reduction in per device expense, but there are also the added costs of BYOD policy technical writers, legal review, and licensing for your management platform or platforms. Factor in the operational hours spent maintaining the policy and the platforms, and these things add up. Though usually, they add up to more savings than you might see by shifting that device cost to your users.
Bearing in mind the tangible costs of BYOD, it’s important to recognize the intangible factors as well. Some major elements to consider are employee satisfaction and productivity. When thinking about adding value to your business, a satisfied and productive employee is going to perform better and contribute more to your bottom line.
Patch, secure, and manage every endpoint
8. Don’t assume you don’t have a BYOD problem
There’s not an environment out there where users aren’t trying to connect to resources with their personal devices, and while you may have all kinds of policies and preventions in place to ensure that access is restricted, there is still an opportunity there to establish a solid BYOD policy.
82 percent of organizations use BYOD in some way, and 68 percent of organizations see an increase in productivity when enabling BYOD. If your company doesn’t have a BYOD program already in place, it’s only a matter of time before that conversation starts happening.
Leadership wants employees to be more accessible and have increased connectivity, and employees want to use what’s comfortable for them. With a well-defined BYOD program, you can enable team members to use what they have and what they know best, while also providing secure and effective access to company resources.
Conclusion
Navigating the ins and outs of what should be included in your organization’s BYOD policy requires an approach that balances access to company data while ensuring robust security measures. Following these BYOD dos and don’ts offers a solid foundation for developing an effective BYOD policy that aligns with the needs of your organization.
