18/02/2015

By Charlie Goulding, Managing Director, Greencorn IT


Creating a BYOD policy for your organisation may seem like a daunting and complicated process, especially if you are unsure of where to begin or what exactly needs to be done. In the past two years BYOD has risen to become one of the top areas of concern for many clients.

BYOD (bring your own device) refers to the policy of letting employees bring their personal mobile devices (laptops, tablets, and smartphones) into the workplace, and use these devices to access company information and applications.
To help you along, I have created a mini guide that will help you create and introduce a BYOD policy, including some essential steps and considerations to help get you started.

1. Talk to Your Clients — Understand Possible Legal Issues
Before you begin introducing a BYOD policy for your organisation, it’s important to first consult with your existing clients about their stance on the switch. Because of security concerns, clients may have an existing position or agreement that restricts the use of business software or information on personal devices. Adopting BYOD in your organisation could then restrict your staff members’ ability to open and complete work for your clients effectively. For this reason, consult with clients before implementing a BYOD policy to ensure it is compatible with your clients’ device policies and maintains your working relationship.

2. Outline Acceptable Use
The first and perhaps most important part of any BYOD policy should be the process of outlining acceptable use guidelines to ensure that staff are using their personal devices appropriately at both work and home. This process involves deciding how different personal devices can be used in the workplace, the allowances and restrictions, as well as the employees’ access to company resources outside of the office.

Phones
• Acceptable business activities
• App use — which are/are not allowed
• Personal texting/calls during work hours
• Internet use — which are/are not allowed
• Social media access during work hours
• Use of photo/video capabilities during work hours
• Use of company-owned resources outside of work hours
• Accessing company information and contacts outside of work hours

Computers
• Internet use — which are/are not allowed
• Which browsers and email programs will be used for business purposes
• Social media access during work hours
• Personal emails during work hours
• Use of company-owned resources outside of work hours
• Accessing company information and networks outside of work hours

Tablets
• Whether they are allowed at all
• How they should be used: e.g. personal activity allowed but not business, or vice versa

3. Prepare for Increased Device Support
When it comes to BYOD, it is likely that everyone in your organisation is going to be using different devices — different models, software, etc. It is important that you are prepared to offer IT support for an array of different devices and operating systems.

Moreover, it is essential to ensure that your IT specialists are capable of implementing your business’s information, software, and network on all of these different devices, and that employees understand that downloading these programs onto their personal devices is essential to BYOD policies. While your IT department needs to be able to address concerns across these different devices, it is important that you outline the specific issues that will and will not be supported by your IT team. This prevents staff members from flooding the IT department with questions and concerns that do not relate to the business use of the device and that should be dealt with personally.

4. Plan for Security Incidents
Personal devices get lost, stolen or broken all the time. It is important to plan ahead for this so that if it does happen you can be certain that business data on the device is safe. Part of this is ensuring that staff members are aware of security measures and company requirements for strong password protection, restricted use of business outlets and resources, etc.

Furthermore, it’s essential to detail security measures for when the device is to be locked (left to idle for x number of minutes, x number of failed login attempts) and when all data will be wiped (device is lost, stolen, employment is terminated). This is to ensure that all users understand the security measures in place and the course of action following a security incident.


5. Implement Staff Education and Agreement
In order for your BYOD policy to be successful it is important to ensure that staff are properly trained and educated on your policy and that a mutual agreement has been established. This training should have three main purposes.

1. To outline both employee and company responsibilities

2. To explain liability for risks associated with data loss

3. To clearly state the company’s right to exercise disciplinary action if the policy is compromised

Mutual agreement and understanding are the key principles behind a successful BYOD policy. Without this there is the potential for major business information and data breaches which could negatively impact all parties involved.

With the right BYOD policy in place, you can minimise risk to your organisation while also allowing your employees the freedom to work via the device of their choice, as well as the opportunity to use new technologies to communicate with each other. Good luck, and get policy making!