How to implement an effective BYOD policy

Companies have accepted that BYOD is a reality. The challenge now is striking a balance between security and flexibility.

How to implement an effective BYOD policy
Bring your own device to work Credit: International Data Group

Concerns around BYOD once revolved around security with third-party services, but that's getting easier to manage, says Fred Ouawad, founder and CEO of TaskWorld, a company focused on employee performance and management. Now businesses are finding it more difficult to govern BYOD policies internally.

Businesses are more focused on internal security. For example, if an employee doesn't perform regular updates on their smartphone, it can pose a risk to the business says Mouawad.

"At the moment, pushback mostly comes from highly regulated industries like banking and government agencies. But even they are slowly realizing that BYOD is something that can't be resisted," he says.

But, according to Mouawad, even in the most regulated industries -- such as banking and government agencies -- they're faced with the inevitability of embracing BYOD. Implementing a BYOD policy doesn't have to be a headache no matter the industry, and most businesses can find a balance between keeping employees happy and alleviating any fears from IT.

The upside of BYOD

There are a lot of reasons to embrace BYOD in your company, with some recent data to back it up. In 2013, Cisco conducted a study that found employees typically prefer the familiarity and flexibility they have with their own devices. It allows them to feel more productive, because they aren't held back by learning a new OS or navigating unfamiliar apps. In fact, the study found that 92 percent of "BYODers" used their smartphone for work purposes at least once per week.

Employees should feel confident and comfortable with the devices they use at work. A survey from Software Advice found that BYOD could reduce help desk requests because employees are more likely to troubleshoot and fix issues on their own device, before reaching out to IT for help.

[ Related story: Businesses lack a streamlined approach to digital transformation ]

In fact, nearly 40 percent of respondents said they experienced far fewer technical problems with their own devices than company-issued hardware. Whether or not they truly experience fewer problems, or are better at solving technical issues on a familiar device, it still translates to less work for the help desk.

Developing a plan

While there are positives to BYOD, there are some negatives including the inability of IT to secure employee's personal devices or monitor them for potential security threats. A poor BYOD policy can often leave IT out of the loop as many of corporate data exchanges hands on mobile devices that don't fall under the umbrella of IT.

But BYOD is largely unavoidable at this point. Employees are going to bring in their devices, and it's likely you won't be able to stop them. Although embracing the use of personal devices in the enterprise might make some IT leaders cringe, as long as businesses go forth with a realistic plan that balances the needs of the employer with the employee, everyone will be happy, according to Mouawad.

+ ALSO ON NETWORK WORLD Managing BYOD expenses: How to get it right +

And, of course, the industry you're in will dictate how stringent or lax your BYOD policy can be. Companies working in industries like defense, Mouawad says, they will have far more restrictions than, say, a startup company working in the tech industry.

Going all in on BYOD

Tammy Moskites, CISO and CIO at Venafi, previously CISO at Time Warner Cable and The Home Depot says that at her current company, employees bring everything from personal smartphones, to tablets and notebooks to work with them, often choosing to forgo company-issued devices entirely. But the company doesn't just say "bring in your personal device and get to work," a lot goes into the drafted policies around BYOD. And, alternatively, she notes that if workers would rather have a separate laptop for work, the company is more than happy to provide one that can be fully supported by IT.

And that's a key point in developing a BYOD strategy. Some companies define BYOD as employees bringing personal devices into work along with their work-issued notebooks and smartphones. Other companies, like Venafi, for example, approach BYOD with an entrepreneurial mindset, by allowing every employee the option to use their personal devices full time for work.

One challenge with this open BYOD policy is that, with a personal device, the hardware isn't supported by IT, but the department does ensure the device is securely connected to the network. That's one issue that often arises, because, as Moskites puts it, it's "impossible to support every device in the world," so employees need to be clear from day one that repairs and troubleshooting will likely fall under their own umbrella.

Ultimately, Moskites says that the biggest struggle in defining a BYOD policy that leaves everyone satisfied has been balancing the risk with flexibility. Her company has given employees the choice to use their own devices, but at the same time, has drafted up contracts with language describing the terms and conditions of bringing your own device into work, including the ability to remove company data from the device if needed.

[ Related story: How ITSM laid the foundation for a cultural transformation ]

"For any company that embraces BYOD technology, the issues with IT are not the biggest challenge, I think, in a nutshell, the legal ownership of the data stored on these devices has been [the biggest] challenge and organizations have to prepare themselves to define the appropriate policies," she says.

Considering restrictions

Another popular route with BYOD policies is to restrict access to "time wasting" sites like Facebook, YouTube or Twitter. But Mouawad recommends having more faith in your workforce, "Instead of resorting to measures like blocking YouTube, Facebook and forbidding the use of mobile phones, companies should focus more on performance. As long as the employees are motivated and performing well, they shouldn't be subjected to needless restrictions," he says.

It's hard for IT departments to feel like they're giving up control of security and corporate data, but that doesn't have to be the case, Moskites says. Employees typically don't understand the implications of BYOD and what the real dangers are with lax attitudes towards security. It's not something they necessarily need to think about day in and day out -- but IT can work to educate employees.

It might simply mean a tradeoff. For example, for every device they bring into the office, they have to go through a training session on what the rules and regulations are, or you can walk through the key points in your BYOD strategy with them. Instead of making employees feel restricted -- bring them into the conversation, educate them on the realities of BYOD and give them the power to use their devices responsibly.

"The key is building an environment of trust in your company. As technology gets more mobile, it will become next to impossible for companies to restrict employees from using their own device," says Mouawad.

Related Video

This story, "How to implement an effective BYOD policy " was originally published by CIO.

To comment on this article and other Network World content, visit our Facebook page or our Twitter stream.
Must read: Hidden Cause of Slow Internet and how to fix it
Notice to our Readers
We're now using social media to take your comments and feedback. Learn more about this here.