BYOD AND OTHER CONSUMER TECHNOLOGIES POLICY CONSIDERATIONS

Bring your own device, BYOD, has been promoted to offer a number of benefits for both employers and end-users.  We’re all drawn to mobile devices because of the convenience, portability and the ability to access information from just about anywhere at any time.

IT professionals who are responsible for infrastructure support and information security have cautioned against wholesale BYOD adoption because of the security risks that result from allowing an employee to use their own device(s).

Since they are ultimately responsible for system integrity, their concerns should be carefully considered.  If BYOD (or for that matter, any mobile device or personal technology) is allowed, it’s important to account for them in your technology policies.  For example, consider these issues.

• Can you adequately protect business data from loss or theft in our mobile world?
• Can you protect an infrastructure from virus or malware infections introduced by mobile or personally owned devices?
• Will it be necessary to install corporate security tools or apps on mobile or personally owned devices that access company systems, and if so, how will they affect device performance?
• Will the IT staff be required to support mobile or personally owned devices? If so,
• Will they be required to staff a help desk 24/7 that’s knowledgeable about every possible device that accesses business systems?
• What is the plan of action in the event a mobile or personally owned device is lost, stolen replaced or otherwise compromised?

Regardless of where you fall on the BYOD issue, the introduction of mobile devices and other consumer technologies (social media, Bring your own Apps, BYOA, etc) are here to stay and warrants a review of internal technology policies and practices.

Here are some issues to think about.

1. Technology Use Policy

Is there a Technology Use Policy in place?  If so, is it clear what the expectations are about the appropriate use of personal e-mail accounts, social media and retaining/storing company information?

For example, if and when an employee posts on social media and they’ve associated themselves with the company, their posts are linked (either directly or indirectly) to the company.  Your TUP should address the appropriate use of social media.    On the off chance that the company gets involved in litigation, an employee’s social media information could be subject to discovery.

2. Data could be discoverable

Regardless of who owns the device, if it’s used for business purposes and the company is involved in litigation, everything on that device and everything the employee has done on it may be discoverable.    If BYOD is allowed, the employee concedes their right to privacy over the device.

3. Reserve the right to wipe a device

If a device is lost, stolen, compromised or retired, the company needs the ability to remotely wipe the device to protect their information.  If BYOD is allowed, an employee must be aware that if they have any personal information on the device, it could be erased as well.

4. Data segregation

It’s in everybody’s best interest to keep company and personal information completely separate.  Data segregation should be a fundamental practice across the business.

5. Who is responsible if…?

If an employee shares their mobile device with anybody, their spouse, a child or a friend and it results in data loss or a security breach, who should bear responsibility?

6. If BYOD is allowed, what’s the process for retiring a device?

If an employee chooses to upgrade or retire their device what is the notification process and security practice to assure that company information is protected?  How do you intend to handle a termination if that person uses their own device for company purposes?

7. Employee Education

Don’t assume that your staff understands your policies.  Schedule and implement periodic training so that they have a chance to review the appropriate use of their devices.  Issues that should be covered include password policies, privacy settings, securing personally identifiable information and social media usage.

8. How can you be certain your IT staff is complying with your policies?

We all depend on our IT staff to keep our systems and information safe and secure.  Are you certain they’re complying with the Technology Use Policies?  A regular 3^rd party audit may be in order to assure compliance throughout the organization and review your policies and practices for weaknesses.

9. Special regulatory requirements

Certain industries (healthcare, financial services, etc.) may involve sensitive or confidential data that may not be appropriate, or even legal, for storage or display on a mobile or personally owned device.

##