What should you include in your BYOD policy?


Allowing employees to bring their own devices for use at work is becoming a lot more commonplace throughout businesses and is likely to increase in popularity over the next few years. BYOD enables companies to benefit from technology already owned by employees, as well as make flexible working a lot easier.

However, BYOD also presents a number of complications and issues that you don't need to deal with if you don't provide this option. Having numerous types of devices in use can not only mean that programs and storage options aren't accessible to everyone; it also has an impact on the safety of company data.

These security concerns are the main reasons that companies should develop and employ a strict BYOD policy. This should outline what the devices are expected to be used for, how they should be protected, rules on storing data and liability. 

Failing to put a BYOD policy in place can mean that company data is left unsecured or is used improperly, which can cause larger problems. It can also leave you exposed to monetary claims from staff if a device breaks and you don't have clear guidance on whose responsibility this is.

With this in mind, here are the areas that should be covered in your BYOD policy to ensure your company and employees are fully protected:

What devices does BYOD include?

Companies cannot support every single device type, especially as new models are brought out all the time. This is why it is important to state which devices are permitted and to update this list as and when required.

If you are allowing smartphones, tablets, and/or laptops, you will need to include the versions and levels that the company will support. This includes the level of operating system, as well as the model of the device. It is important that you keep this updated as advances are made, to discourage the use of old devices that could pose greater security risks.

The apps that can be used

It isn't just the devices themselves that need to be covered; you should also include in your policy which apps are supported by the company. Once again, this should change alongside new versions or when new apps are developed so your policy is as up-to-date as possible.

Ensuring staff know what apps are approved will help tighten security and ensure that no unauthorised apps are being used to handle company data. You should also outline what the procedure is if this turns out to be the case.

How to secure passwords 

One of the most basic security measures for any device is a password, and while employees will likely already have passwords set up to protect their devices, these may not meet the standards required by your business.

You should be sure to include in your policy what a password should contain, such as a certain number of digits, special characters and numbers. It should also state how often passwords need to be changed or if they need to be set to rotate. 

Your policy should also state whether a device needs to lock after a certain number of incorrect password attempts in order to better secure data.

Security protection required

As well as passwords to protect data, you need to include rules regarding other forms of security that are required for devices, such as anti-malware software. Ideally, you should name which security programs employees can choose from to ensure they are on par with the protection found on company devices.

It is also a good idea to include information regarding any restrictions on downloading, such as what company documents they can download. In the instance that the company will provide any security features, this should be clearly stated. 

How is data accessed?

In order to keep data safe, ensure everyone is viewing it in the same way and allow for easy collaboration, your policy should outline how everyone accesses data. If employees can access a company Dropbox account, keep information in the cloud or access data in other ways, this needs to be laid out.

Failing to include this information can mean that data is created and used in a mix of ways, not all of which will be suitable for the company.

Who is liable for the device?

A device owned by an employee that is used for work is still the employee's property and they are therefore liable for any damage or loss of data that occurs. This means your policy needs to exempt the company from any liability for loss, damage or corruption so you are not expected to cover any costs.

You may also want to include policies on the use of apps or programs that are paid for by the company, especially when it comes to someone breaking the BYOD rules, which may mean you need to remove these. 

If an employee leaves

In the instance that an employee leaves the company, your policy needs to cover what happens to data owned by the business that is on their device. This should include the fact that data can be wiped from the device remotely in this instance, which is an ability the company needs to retain. 

This section of the policy should also cover what happens if a device gets lost, in which case it will also need to be wiped of company data.

Arrow has successfully deployed mobile device management solutions for companies in all sectors. Arrow provides cross-platform Mobile Device Management (MDM) solutions allowing central management, easy integration with enterprise systems and proactive security for all mobile devices.