Why you need a BYOD policy – and how to draft one

Do your workers have access to company data on devices other than those in the office?

Do they make use of this access?

If the answer is ‘Yes’ then your employees are making use of a BYOD strategy with or without your direction. A lack of policy around BYOD can be a potentially dangerous and costly risk to take. Here we outline .

What is BYOD strategy?

Gartner defines a BYOD (Bring Your Own Device) strategy as one which allows employees to carry out business tasks and access company data, using a device they have purchased themselves. We’re typically talking about smartphones, tablets or laptops which the employee owns.

It seems wonderfully cost-effective and communication-enhancing until you ask – what happens if a phone is stolen? How do I know only my employee is accessing their emails and the company’s sensitive data?

Directors and IT managers must have a solid grasp of what BYOD is and what it means for their business.

The growth of BYOD

A survey by Gartner found that 38 per cent of companies globally, expect to stop providing devices to workers by 2016. BYOD, it appears is on the verge of becoming the norm for many across the world.

The biggest adopters of BYOD will be medium and large companies ($500 million to $5 billion in revenue, with 2,500 to 5,000 employees). However, a preference for BYOD is also evident among small start-up companies who view the cost savings of using smartphones and laptops over investing in a dedicated network.

While the U.S. is leading the way in terms of BYOD adoption, Europe has the lowest adoption of all regions. A 2014 report by IDC Europe highlighted cultural differences as one reason for this.

IDC Europe associate Vice President of mobility, John Delaney said, “There’s a cultural expectation here that your employer will provide you with the tools you need to do your job…You don’t expect to have to buy it yourself.”

Which industries are adopting BYOD?

A Tech Pro Research study found that the IT and technology and education industries are most likely to permit BYOD. We see weighty schoolbags in the morning rush hour, are increasingly being replaced by slimline tablet cases.

Government departments and regulated industries such as financial services tend to struggle most with the security risks that come with employees using their own devices.

BYOD in Ireland

About 66 per cent of Irish firms allow employees to access company data through their personal devices. However, the percentage of Irish firms which have a defined BYOD policy is thought to be much lower. For instance, in 2014, 36 per cent of European firms reported having a formal BYOD policy. This is where the danger lies. Drawn in by the attractive cost savings, increased productivity and further enabling the mobile workforce many business leaders are guilty of being blinded to the other side of BYOD, for instance, security responsibilities, data protection and loss of device standardisation.

Advantages of BYOD

The advantages of the BYOD strategy are convincing. They include;

  • Mobile workforce opportunities
  • The BYOD workforce is a more mobile, accessible and flexible workforce.
  • Increased productivity and innovation
  • Employee devices tend to be updated more often than company devices. This keeps the employee and the company productive.
  • Reduced costs

Cisco found that even companies with the most basic BYOD strategies in place generate $350 of value annually per mobile user. With a more comprehensive BYOD policy, companies can gain an additional $1,300 annually per mobile user.

Disadvantages of BYOD

  • Security issues

Security concerns are by far the most common reason for an organisation to rule out BYOD. Without a policy, BYOD becomes a major security concern, leaving the company vulnerable to viruses or loss or theft of the device and its data. If company data is lost it is the responsibility of the company, who could find themselves in breach of European data protection laws.

In 2014, it was reported that Aviva, a major insurance provider with significant interests in Ireland and the UK suffered a breach via executives’ smartphones. The reports suggest the company was a victim of the much-publicised Heartbleed Bug, which allows attackers to eavesdrop on communications, steal data and impersonate services and users.

  • Strain on IT support

Employees bringing their own devices to work can cause major headaches for IT support. Instead of providing IT support for a few thousand standard computers, they find themselves struggling to be able to support any kind of device, depending on the individual employee.

  • Lack of control over hardware

If the company does not own the device, their control over what it is used for is likely to be non-existent.


How to draft your own BYOD policy

Investing time and resources into a formal BYOD policy will not only help to protect your company from the disadvantages outlined previously, but will also help your company to extract the maximum value from this new way of working.

CIO highlights 7 features that a quality BYOD policy should cover.

  1. Specify permitted devices

The range of devices and operating systems that employees are using is a challenge for IT departments when implementing BYOD. Providing adequate support for every device and operating system is unlikely. Some analysts have suggested that the Android operating system is less secure than iOS and therefore not appropriate for use under BYOD. However, Google and Android have been working to combat this perception through the development of ‘Android for Work’. Stating which devices and operating systems will be permitted are the first, basic considerations for the BYOD policy.

  1. Establish a security policy

A U.S. nationwide survey found that 34 per cent of all smartphone owners do absolutely nothing to secure their device, ignoring advice to set a screen lock PIN, back up data or install antivirus or phone location software.

Another study by Bitdefender in 2014 found that 30 per cent of employees who were BYOD-enabled shared their device with family and friends. Companies must begin by enforcing the use of complex passwords on BYOD devices and prohibit them being shared with others.

  1. Define a clear service policy for devices under BYOD

IT departments can’t support every single query or problem an employee encounters with their device. Boundaries for IT support need to be set detailing exactly what kinds of queries should be brought to the IT department.

  1. Clarify who owns apps and data

The company of course owns the enterprise data and information that the employee accesses on the device. However, what about the employee’s personal data. Music? Personal contacts? Photos? Apps? If the device becomes compromised, e.g. lost, stolen or hacked, the company will likely want to have the right to completely wipe the device of all its data. The BYOD policy should make employees aware of this risk to their personal assets on the device.

  1. State which apps are permitted and those which aren’t

Companies may need to restrict what apps users can download and use on the device. Even IBM experienced teething problems in this area. When they loosened restrictions on which devices employees could use for work, they carried out a survey and found that hundreds of its employees were “blissfully unaware” of what popular apps posed potential security risks. Ultimately, IBM provided employees with a list of banned apps, including Dropbox. Fiberlink examined more than 2 million BYOD devices around the world and found the Top 10 Blacklisted Apps on iOS Devices. The list illustrates how the most common and seemingly harmless of apps could result in a serious compromise of company data.

  1. Dropbox
  2. SugarSync
  3. BoxNet
  4. Facebook
  5. Google Drive
  6. Pandora
  7. SkyDrive
  8. Angry Birds
  10. Netflix
  11. Integrate BYOD with acceptable use policy

Just as a company’s desktop devices will be covered under an Acceptable Use Policy, so too should devices under BYOD. After all, they are likely to be connected to the company VPN. Any websites or activities that are normally restricted under the Acceptable Use Policy should be extended to the BYOD policy.

  1. Set up an employee exit strategy

Protocols for keeping data secure must be laid out in the event of an employee leaving the company. This might involve performing an “exit wipe” on the device. In order to do this in the most ‘friendly’ way possible, employees might be encouraged to regularly back up their personal data on the device so that it can be recovered following an exit wipe.

Whatever the protocols that will allow your company benefit from BYOD, they must be established in a clear BYOD policy.

This should ensure that BYOD will never stand for Bring Your Own Disaster.