Bring Your Own Device (BYOD) Policy Best Practices

Learn how User Migration with Okta reduced unexpected password resets and reduces helpdesk calls and support issues.

A bring your own device policy (BYOD) allows employees to use their own personal devices, such as smartphones, laptops, and tablets, for work-related activities.

The policy will need to define what acceptable use of personal devices for work activities looks like. For example, it’ll need to define which employees are allowed to access from a personal device.

Security measures will need to be strictly adhered to in order to keep both work assets and personal devices safe from cyberattack. A BYOD policy will also determine personal and employer privacy rights and who owns what.

A BYOD policy can offer convenience and be more cost-effective, but it can also raise security concerns. BYOD is a policy that can be adopted safely and embraced for a more mobile-friendly workplace.

Understanding bring your own device (BYOD) policy

A bring your own device (BYOD) policy involves setting the parameters for employees using personal devices for work. This can include sending emails, accessing applications, using software, and being on and in the company’s secure network to access data and information.

It is imperative then that the BYOD policy be clearly defined and understood by both parties. The policy should be formally written out.

A BYOD policy should include the following:

• Scope of the policy: This defines which devices are permitted and who is allowed to use them.
• Device protocols: This outlines if specific software needs to be installed onto the device and requires current and up-to-date anti-virus software. Mobile device management (MDM) software can be installed on personal devices to keep company-related information all in one secure space on the device, which is then password-protected. Devices under the BYOD should not be synchronized with other personal devices, access insecure internet sites, or be modified without approval from the IT department.
• Authorized use of device(s): This involves details on how, when, and where the device can be used and what uses are prohibited. This can include limiting personal use during work hours and requiring authorization for accessing work-related information outside of work hours.
• Employee and employer privacy rights: Devices are often monitored by employers, and the policy should explain what types of privacy an employee has rights to with a BYOD device. Company data belongs to the company; however, it is housed on a personal device. An explanation of liabilities for privacy leaks and protection both ways is essential.
• Safe and secure usage of mobile devices: Common sense practices should be outlined, which can include not using the mobile device while driving or operating heavy machinery, for example. Password protections are necessary as well. Strong passwords, or preferably multi-factor authentication (MFA), should be used to access sensitive data.
• Protocols for lost or stolen devices: The BYOD policy should outline what happens in the event of damage, loss, or theft of a personal device contained on the policy. This can include remote wiping of a device if it is lost or stolen.
• Removal from the BYOD policy: There needs to be a specific set of procedures in place for what happens when a person leaves the company either voluntarily or upon termination. Employees will need to remove company data from their personal device when they leave the company.

A strong BYOD policy can benefit both employees and employers alike.

The pros and cons of BYOD

BYOD can have many benefits and also some distinct downsides.

• Cost savings: It can be expensive to buy devices, such as computers and smartphones, for each employee. Allowing the use of personal devices can cut costs on new and additional devices. Employees are also more likely to take better care of personal devices than work-provided ones.
• Better efficiency: Employees already know how to use personal devices, so there will be no learning curve for managing new technology or devices. This can enhance productivity. Using a personal device can also minimize the need to use and keep track of two devices.
• Enhanced employee morale: Employees who are allowed to choose the device they are working from are likely to be happier as well as more productive. Around half of employees report that their personal electronic devices are better than those used in their work environment.
• Current technology: Updating devices and systems can take time and money for a company, but employees are more likely to do this on their own when using a personal device for work. This can mean that the devices being used for workflow purposes are more up-to-date than employer-provided ones would be.

• More security risks: Using personal devices increases the potential security risk for work-related data and information. Human error can be the top threat to a business’s cybersecurity. Users often do not apply updates or patches when needed and may have weak passwords and cyber hygiene. Additional devices and employees with less oversight can open a company’s network up to vulnerabilities.
• Additional complexity for IT network: When more devices are used on an employer’s network, this can create additional work for the IT department as they need to manage and maintain these devices. Often, software will need to be installed on each device. Updates to the network and software will also need to be managed. Some personal devices may be unfamiliar to IT personnel as well.
• Privacy concerns: Company data is proprietary and needs to be protected, but this is more difficult when it is contained on an employee’s personal device. There is also the human element when a person leaves the company. You can tell them to wipe company data, but it is difficult to enforce this.

Who uses BYOD?

BYOD policies are in place in numerous companies and organizations. With the move to mobile and remote working, and the surge in smartphone and mobile technology, it is no shock that employees are using personal devices in the workplace.

Over 90 million people in the United States are projected to be mobile workers by 2024, with more and more employees working from home. This means they often work in a mobile and not static environment. While companies often provide devices for employees to use for work, nearly 90 percent of global IT departments allow some form of BYOD.

When should you adopt BYOD?

When looking to adopt a BYOD policy, it is important to consider all of the factors. What types of devices, and how many, are you looking to add to the network?

Smaller companies in particular can often benefit from a BYOD policy. It can boost morale and productivity, and it can cut costs. It is easier to keep track of fewer people and devices.

Employees are likely already using personal devices at work and for work purposes despite whether or not the company has a specific BYOD policy. Adopting a policy that is formally written and agreed to can protect company data and the employer.

A clear and concise BYOD policy can be a positive tool within a company. When adopting one, be sure to educate employees on the policy itself along with security measures, and safe and secure online practices.

Key takeaways

BYOD is here to stay. Implementing a strict and formal policy can help to make it work best for everyone involved.

A BYOD policy, coupled with employee education, can lay out what is acceptable and what is not. The BYOD policy should state what an employee can and cannot do within the work environment with their personal device.

The BYOD policy also needs to address security and privacy matters, including potential liabilities for breaches. Bringing your own device (BYOD) to work can make your employees happier and more efficient while also saving you money. However, it can also present additional privacy and security risks that need to be managed and worked out ahead of time as much as possible.