Seven BYOD policy essentials

By Mary Brandel, Network World
October 01, 2012 02:03 PM ET

Network World - Like it or not, the "bring your own device" (BYOD) trend is in full swing. According to Juniper Research, the number of employee-owned smartphones and tablets used in businesses will more than double by 2014, reaching 350 million compared with almost 150 million this year.

But if your company is like most, you may not have instituted a formal policy that safeguards against BYOD risks. A recent study by security awareness training company KnowBe4 and research firm ITIC found that 71% of businesses that allow BYOD have no specific policies or procedures in place to ensure security.

"There needs to be some policy-based level of control, some sort of documentation or contract or rules," says Hyoun Park, principal analyst at Nucleus Research. A BYOD policy should be like any of the many documents that employees must sign to receive benefits, outlining their rights, responsibilities and rules they must comply with, he says.

A signed policy also gives companies the right to protect themselves in the event of device theft, loss or misuse. "Companies can't simply wipe information off lost devices -- that wouldn't be legal," Park says. "There has to be some sort of agreement in place between the individual and the company."

The issues that need to be considered are "like peeling back layers of an onion," says Paul DeBeasi, research vice president at Gartner. "Are you going to let people connect to [enterprise applications] via their personally owned device or store sensitive information? If so, how are you going to control that? What if someone gives their [older model iPhone] to their daughter, son or spouse or sells it on eBay -- how do you control that, and do you want to?"

All of these questions are why you need something in writing that defines what people can and cannot do and that employees sign off on. "That's the first step in making BYOD work, but few have done an adequate job of that," says Jack Gold, founder and principal analyst at J. Gold Associates.

Here are seven essential considerations for any BYOD policy.

1. Policy first, then tools: The biggest mistake companies make, DeBeasi says, is investing in a mobile device management (MDM) tool before hammering out a policy. "It's so much easier to go out and buy a tool, but the tool needs to enforce the policy," DeBeasi says.

For instance, not all MDM systems provide the same functionality for each type of device (Android, BlackBerry, iPhone, etc.). And MDM tools have their limits -- while they manage the devices, data and application access, they don't tend to cover network access or expense management, Park says.

2. Employer "right to wipe": Perhaps the biggest risk of BYOD is the exposure of sensitive data if the device is lost or stolen. That's why most policies require password control, device locking and encryption, as well as the right to remotely delete data from the device under certain conditions, including employee termination. Some companies choose management technologies that compartmentalize business data and apps on the device, enabling them to selectively wipe only what is necessary for corporate compliance. Others choose to wipe all data on the device, which will likely include personal data, as well. "If you delete 300 of my kids' pictures, there will be a lawsuit unless there's a policy that people have signed off on," Gold says. Some policies take this one step further, stipulating a remote data wipe if the mobile device is deemed to be violating policy rules.
