2022: the year BYOD policy finally became mainstream?
Towards the end of the 2010s, BYOD was considered on its way out. The balance between good data security and infringing on employees’ private lives was difficult to manage, and buy-in rates were low.
Now, however, employers are adopting BYOD in their droves.
If you’re thinking ‘COVID. Definitely COVID’, you’re about 90% of the way there.
Of course, the shift to remote and hybrid working has played a huge role in widespread BYOD adoption. With employees adept at managing workloads using personal devices, and 97% of workers looking to work remotely at least some of the time for the rest of their career, BYOD offers an IT policy that is flexible and easy to maintain.
Equally, it’s not the only factor that has contributed:
- The speed, resilience and availability of 5G make remote working significantly easier from a wider range of devices.
- Increasing usage of smart IoT to increase productivity, including smart speakers and enhanced wearables. With 1.3 billion projected subscriptions to IoT-related technologies in 2023, this is very much an emerging use case for BYOD.
With the increase in remote working since COVID and consumer tech evolving rapidly, now is the time to think about tightening up your BYOD policy, or creating one from scratch if you don’t have one already. Here’s what you need to know, with a bring your own device policy template included at the end of the article.
What is BYOD policy?
“BYOD is the concept of employees using their personally owned device(s) for work purposes.
With BYOD, an organization has ownership of the corporate data and resources that may be accessed or stored on a device, but the device itself is the property of the user.”
Following on from this, a ‘bring your own device’ policy is the set of rules and regulations both employee and employer need to follow to make this work. Ultimately, it’s about maintaining a balance between your employees’ privacy and your IT security needs as an employer.
You might be partially BYOD without even realizing it! For most businesses, the big use case is smartphones. If you’ve ever asked employees to use their smartphones for any work-related purpose, that’s a BYOD policy. This could include:
- Running work social media accounts
- Installing employee apps, workplace instant messenger or any other internal comms tool
- Taking work-related calls
- Using it to track mileage, manage driving routes
- Expense filing (via uploading photos of receipts, for example)
In fact, you’re very much in the minority if your employees don’t use their personal phones for any business activity – 87% of companies depend on their employees’ ability to access mobile business apps from their personal smartphones.
What are the benefits of BYOD?
BYOD policies can:
- Save your business money on recurring hardware spend (bear in mind that most laptops will need to be replaced every few years, and that you’ll need to keep buying more as your business grows its headcount!)
- Help establish remote working as a viable option. New employees have everything they need to start immediately and aren’t held back by not having the right equipment.
- Increase employee productivity, as people can work with whichever device best fits their needs and preferences.
When managed well, BYOD is flexible, affordable, and accessible. Employees save time by working with the devices they like best, and you can implement a mobile-first approach without a huge expenditure on company smartphones.
What are the challenges and risks of BYOD?
The biggest issue BYOD workplaces face is data and device security. Whilst you can set up fair usage policies and train your employees in good security practices, you can’t completely dictate how they use their personal devices.
Let’s say you have a BYOD policy and you’d like your employees to install a mobile intranet app on their personal smartphones. After initial installation, you have no direct control over:
- How often each employee installs updates
- Where they take their smartphone
- Who uses the smartphone
- What else they install on their smartphone and how they use it
All of these are major security risks when it comes to corporate data. Whilst personal devices are increasingly a target for hackers, even the most mundane everyday accident can pose a threat.
Did your employee leave their phone unlocked on the bus?
Could children or other family members access work info by accident?
Instances like these can pose a huge risk. You’re also relying on employees to have access to devices that will support the software you want them to use. This might be a fair assumption for some workplace demographics (salaried, management level employees) but shouldn’t be taken as a given.
That’s why, if you’re serious about BYOD, you’ll need to give some serious thought to:
- Making your policy comply with a wide range of device types
- Providing adequate IT support for personal devices
- Creating a policy that is seen as fair by employees, and doesn’t infringe on their personal lives
Creating a bring your own device policy
Want to benefit from the flexibility and cost savings BYOD offers, without turning your workplace into your IT security team’s worst nightmare? A solid BYOD policy is the answer. Follow these steps for a safe and secure workplace.
Preparing for and creating a BYOD policy: 5 steps to success
Decide which apps employees should be able to access from personal devices
In terms of risk, there’s a difference between your employee’s personal calendar tool, a project management solution and your business’s accounting app. Consider which level of security you’re comfortable granting access to in a less-regulated environment – you might want to keep systems with particularly sensitive info away from BYOD policies.
Decide which personal devices your employees can use for a BYOD policy
Weigh up risk vs reward here. If you already have a policy for using company laptops and have an entire cupboard of them to distribute, you might be better off sticking with them. Be sure to consider the implications of smart speakers and IoT devices too.
You might also want to impose an age limit on devices your employees use. Older devices that don’t support the latest software and operating system versions are a huge risk as weak points become well documented by hackers.
Set up reasonable security controls
Again, this is a balancing act. Your employees are likely to be more than happy with some security protocols on their device – this helps protect their personal information too! Equally, they might become understandably bitter about completing a 15-factor authentication process every time they check their WhatsApp.
You could start with a requirement to password protect their device, with biometrics if available, and add two-factor authentication for each business app they need to log in to. A screen that locks after a set period of inactivity is also useful.
Check your SSL certificates
An SSL certificate is a snippet of code on your web server that makes online communications more secure. If employees need to view confidential information such as financial accounts or sensitive personal info like payroll and benefits, an SSL certificate helps ensure they can do that safely.
Mostly, this is a job for your IT team – but it’s good to be aware of it whilst drawing up the rest of your policy.
Outline BYOD expectations for employees and provide training
Your employees know how to use their own devices – but don’t take it as a given that they’re completely up to speed on the latest IT security know-how.
That’s why regular IT security training is vital. Cyber threats are constantly evolving, and what was good practice 18 months ago might be out of date today. Make it part of your onboarding process, and ensure that you have e-learning top-ups every year for maximum impact.
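The controls from the five steps above can be written down as an access check. This is an added example, not part of the original article; the field names, app tiers, minimum OS versions and the 300-second lock limit are all assumptions chosen for illustration.

```python
from dataclasses import dataclass

# Assumed sensitivity tiers for business apps (step 1). Higher = more sensitive.
APP_TIERS = {"calendar": 1, "project_management": 2, "accounting": 3}
MAX_BYOD_TIER = 2  # assumed highest tier ever exposed to personal devices
# Assumed supported device types and minimum OS major versions (step 2).
MIN_OS_MAJOR = {"ios": 16, "android": 13}
MAX_AUTO_LOCK_SECONDS = 300  # assumed inactivity lock limit (step 3)


@dataclass
class Device:
    platform: str
    os_major: int
    passcode_set: bool
    auto_lock_seconds: int   # 0 means the screen never locks
    training_current: bool   # owner completed security training (step 5)


def device_findings(d: Device) -> list[str]:
    """Return the reasons a device fails the baseline; empty means compliant."""
    findings = []
    minimum = MIN_OS_MAJOR.get(d.platform)
    if minimum is None:
        findings.append(f"unsupported device type: {d.platform}")
    elif d.os_major < minimum:
        findings.append(f"OS {d.os_major} is older than minimum {minimum}")
    if not d.passcode_set:
        findings.append("no device passcode")
    if d.auto_lock_seconds == 0 or d.auto_lock_seconds > MAX_AUTO_LOCK_SECONDS:
        findings.append("screen auto-lock missing or too long")
    if not d.training_current:
        findings.append("security training out of date")
    return findings


def may_access(d: Device, app: str, second_factor_ok: bool) -> tuple[bool, list[str]]:
    """Decide one app request from a personal device; deny by default."""
    reasons = device_findings(d)
    tier = APP_TIERS.get(app)
    if tier is None:
        reasons.append(f"unknown app: {app}")
    elif tier > MAX_BYOD_TIER:
        reasons.append(f"{app} is not available on personal devices")
    if not second_factor_ok:
        reasons.append("two-factor authentication not completed")
    return (not reasons, reasons)


# Constructed sample devices.
GOOD = Device("ios", 17, True, 120, True)
OLD = Device("android", 9, True, 0, True)
```

Returning the list of reasons, not just a yes or no, gives IT support something concrete to tell the employee when access is refused.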
BYOD Do’s and Don’ts
Looking for a quick guide to BYOD security? Share these do’s and don’ts with your employees as a handy reference!
Do:
– Keep your passwords secure and change them regularly
– Use biometric features for device security if possible
– Report any lost or stolen devices to IT within 24 hours
– Complete our refresher training regularly so you’re aware of the latest threats
Don’t:
– Share your device passwords with anyone
– Screenshot or copy company data to other locations on your device
– Access systems that you don’t need to
– Access sensitive data in crowded areas without a screen protector
– Leave your device unattended for any length of time
BYOD policy examples
A basic, top-level BYOD template looks something like this:
- Lay out what the policy is for and why it’s needed
- Explain what employees can and can’t do with a device used for BYOD
- List what devices your IT team can support for BYOD access to business systems
- Outline the security expectations for employees’ BYOD
- Explain the risks of BYOD policy, what to do if a device is compromised, and how the business deals with security breaches
Want to see this BYOD template in action? Check out a real-world example here.
BYOD policy: final thoughts
Plenty of businesses use BYOD solutions successfully, 24/7. With the right foundations, bring your own device can be a safe, accessible and flexible way of managing remote, hybrid and mobile workforces in particular.
A solid BYOD policy is vital to unlocking these benefits. Too vague, and you risk security issues developing that you have no direct control over. Too overbearing, and your employees will start to resent it, disengage, and find workarounds.
Set clear expectations, provide regular security training and be open to discussion with employees for the best results. Offering to pay a percentage of the value of the device each employee uses for work isn’t necessary, but it’s a nice touch that says “We appreciate what you’re doing for us”. And, in the long run, that will pay off significantly.