Bring your own device (BYOD) is becoming a standard practice in businesses of all sizes, especially small businesses that lack the resources to issue company-owned devices to all employees. In theory, it’s a great idea: companies save money, and employees have mobile access to important data and can communicate more effectively. However, without a strict BYOD policy in place, network security can be jeopardized.
Why It’s Risky
Allowing employees to use their own devices blurs the lines between the security needs of the employer and the personal preferences of the individual. The fact is, employees tend to be less aware of security on their own devices. For example, individuals are not likely to have a lengthy, more secure password on their phone or mobile device. Or, they may be sending e-mail from their device without additional security in place, such as encryption. Employees are also less conscious about possible opportunities for data breaches, such as accessing company data from a public Wi-Fi hot spot. Even allowing their children to use their device could result in a data breach.
While most breaches on personal devices are the result of employee behavior, employers are accountable as well. The biggest mistake is not having a BYOD policy in place and failing to educate employees about the possible dangers. Here’s a sampling of items you might consider including in your BYOD policy.
Set specific ground rules. If you do not want employees downloading apps, that should be in writing. Include specific rules about security measures, such as requiring employees to change their password every 60-90 days.
Determine data ownership. Who owns the data on the device? Is it the individual or the company? This is where the lines really get blurred. However, ownership needs to be addressed in your policy. What happens if the device is lost or stolen? It’s common practice for companies to automatically wipe a device that is stolen so the data is not compromised. However, on a personal device that might include erasing personal photos, videos and apps.
Limit access. Not all employees need access to all data. To reduce mobile access to sensitive data, employers should consider tiered security that allows only certain senior employees to access sensitive data remotely.
A BYOD policy must be a strategic document that provides a framework for employees. While it will differ based on the type of company, it’s often best to collaborate with both an IT professional and the HR department. Roland Technology Group has been providing expert IT services for over 25 years. Let us help you determine if BYOD is a realistic option for your business. Contact us to discuss your company’s policy.