In a recent article on CIO.com, Tom Kaneshige ponders the inevitability of class-action lawsuits by users whose companies cross the divide between the personal and the corporate in a BYOD environment. The blending of personal and company data and applications on user-owned devices becomes a potential minefield. What if company applications are collecting location data on employees after hours? What if IT accidentally does a remote wipe of a user’s device and erases their personal contacts, apps and data?
On the other hand, users expose the company system to potential compromise, too. Rogue apps, insecure Wi-Fi networks and generally poor security practices all pose an element of risk to the company network.
That’s why it’s critical to have a comprehensive BYOD policy up front — and equally critical that employees understand its implications. And defining a BYOD policy guides the technology decisions you’ll make further down the road.
So what goes into a good BYOD policy? Softchoice has had a BYOD policy in place now for about 12 months, and we’ve identified five things (the hard way) that need to be included in your BYOD usage policy from day one.
1. Who pays (and how). With employer-issued devices, the company shoulders a predictable cost. This is not the case for BYOD, since users can purchase from a wide selection of mobile devices. Put together a cost-neutral arrangement for device and data expense coverage and take into account a reasonable refresh rate.
2. Which devices and operating systems. Broadly speaking, there are two types of devices: laptops, and mobile devices (including tablets). Policies may differ to reflect the device being used. For example, a 4G cellular connection authenticates the SIM and encrypts the radio link by default, whereas a laptop on public WiFi may have no link-layer protection at all unless the company adds it (for instance with a VPN). Companies concerned about security and support costs might consider a “white list” of devices and operating system versions that qualify for the BYOD program.
3. Who has access to what (aka role-based access). Not everyone needs mobile access to every element of the company system, nor to every company application. One common approach, role-based access, is to assign each user a predefined profile that matches the needs of their corporate role. The profile also defines responsibility for management of the device, i.e., who is responsible for installing or uninstalling corporate applications, pushing out updates, and so on.
4. Clearly define company versus personal assets. What apps, data and features does the company have access to and control over? As an example, if corporate and personal contact information are stored in one place and a salesperson moves to a competitor, how does the company delete those sales prospects without wiping Mom’s phone number? Can the company use a device’s GPS capabilities to track employees? Here’s where a mobile device management (MDM) platform like Meraki can make a huge difference, because it can keep corporate apps and data in a managed container and wipe only that container rather than the whole device. But it’s still critical that exactly which personal and business data gets wiped, and under what circumstances, is clearly defined and understood by the employee upfront.
5. Security requirements. For many employees, the definition of “workspace” is fluid — office, home, hotel, airport, coffee shop. It’s one of the attractions of mobility. But open environments can be insecure. That Wi-Fi hotspot in the cafe might not be encrypted, or worse, might actually be a rogue access point (an “evil twin”) run from a laptop to collect traffic. A BYOD policy has to define standards for public wireless use, such as which wireless encryption is acceptable and when a virtual private network (VPN) tunnel is mandatory, whenever employees are connecting to the company network.
A BYOD policy also has to cover devices and data at rest. If the user’s device has sensitive data, particularly customers’ personal information, a BYOD policy should spell out encryption requirements and data loss prevention (DLP) protocols. Consider the number of headlines about personal data lost on USB sticks! Data leakage is a very real problem, and a potentially expensive one.
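Once items 2, 3 and 5 are written down, they can be checked mechanically against a device inventory instead of by hand. The script below is an added example for this post, not Softchoice's code or any MDM product's API: it evaluates constructed device records against a constructed policy (an OS whitelist with minimum versions, role-based access profiles, and passcode, encryption-at-rest and VPN requirements). Every platform, role, application name and device record in it is a hypothetical placeholder you would replace with your own policy and your MDM's export.

```python
"""Policy-as-code check for a BYOD inventory (added example, not from the post).

All platform names, versions, roles, apps and device records below are
constructed for illustration; substitute your own policy and MDM export.
"""
from dataclasses import dataclass, field

# Item 2: whitelisted platforms and the minimum OS version allowed on each.
ALLOWED_PLATFORMS = {          # constructed thresholds
    "ios": (15, 0),
    "android": (12, 0),
    "windows": (10, 0),
}

# Item 3: role-based access profiles, i.e. which corporate apps a role may hold.
ROLE_PROFILES = {              # constructed profiles
    "sales": {"email", "crm"},
    "finance": {"email", "erp"},
    "contractor": {"email"},
}


@dataclass
class Device:
    owner: str
    role: str
    platform: str
    os_version: str            # dotted string as exported by an MDM, e.g. "16.3.1"
    passcode_set: bool
    encrypted_at_rest: bool
    vpn_enrolled: bool
    corp_apps: set = field(default_factory=set)


def parse_version(text):
    """Turn '16.3.1' into (16, 3, 1) so versions compare numerically.
    Comparing the raw strings would wrongly rank '9.0' above '16.3.1'."""
    return tuple(int(part) for part in text.split("."))


def evaluate(device):
    """Return the list of policy violations for one device (empty means compliant)."""
    findings = []

    # Item 2: device/OS whitelist and minimum version.
    minimum = ALLOWED_PLATFORMS.get(device.platform.lower())
    if minimum is None:
        findings.append(f"platform {device.platform!r} is not on the whitelist")
    elif parse_version(device.os_version) < minimum:
        wanted = ".".join(str(n) for n in minimum)
        findings.append(f"OS {device.os_version} is below the minimum {wanted}")

    # Item 3: every corporate app on the device must be allowed by the role profile.
    profile = ROLE_PROFILES.get(device.role)
    if profile is None:
        findings.append(f"no access profile defined for role {device.role!r}")
    else:
        for app in sorted(device.corp_apps - profile):
            findings.append(f"app {app!r} is not permitted for role {device.role!r}")

    # Item 5: security requirements, applied when corporate data is present.
    if not device.passcode_set:
        findings.append("no device passcode")
    if device.corp_apps and not device.encrypted_at_rest:
        findings.append("corporate data present but storage is not encrypted")
    if device.corp_apps and not device.vpn_enrolled:
        findings.append("corporate apps installed but device is not enrolled for VPN")
    return findings


def audit(devices):
    """Map each owner to that device's findings."""
    return {d.owner: evaluate(d) for d in devices}


def noncompliant(devices):
    """Sorted list of owners whose device fails at least one rule."""
    return sorted(owner for owner, found in audit(devices).items() if found)


# Constructed inventory records, not real data.
SAMPLE_DEVICES = [
    Device("alice", "sales", "iOS", "16.3.1", True, True, True, {"email", "crm"}),
    Device("bob", "finance", "Android", "9.0", True, False, True, {"email", "erp"}),
    Device("carol", "contractor", "iOS", "15.7", False, True, False, {"email", "crm"}),
    Device("dave", "sales", "BlackBerry", "10.3", True, True, True, {"email"}),
]

if __name__ == "__main__":
    for owner, found in audit(SAMPLE_DEVICES).items():
        status = "OK" if not found else "; ".join(found)
        print(f"{owner}: {status}")
```

The version check is the part people most often get wrong: an MDM export gives you "9.0" and "16.3.1" as strings, and a plain string comparison ranks "9.0" as newer. Running the script as written flags bob (old OS, no encryption), carol (no passcode, an app outside the contractor profile, no VPN) and dave (platform not whitelisted), and passes alice.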
While a solid BYOD policy is complex, it’s critical to start from a policy and let that direct technology decisions, not the other way around. Retrofitting your solution to account for unforeseen issues is expensive and inefficient.
A good place to start is to evaluate where you stand now. Softchoice’s Mobile TechCheck service helps catalogue and identify mobile devices within the business and evaluate their impact.
What would you add (or remove) from this list? Let us know in the comments below and we’ll update the post.