Before you consider allowing your staff to use their own devices for work purposes, you should have a BYOD policy in place.
There are several things to consider as you create one to protect your applications and data. Here are a few ideas, but by no means is this a comprehensive list.
- Build consensus – The technology team should drive the effort to develop a sound policy, but it should be an inclusive process. Technology, users, line-of-business stakeholders, human resources and legal should all be involved. Consensus is essential for having an enforceable policy across the enterprise.
- Address all features a device can offer – Mobile devices offer an array of technologies (e.g. cameras and recorders). The policy should address the use of all of these features as they relate to work, since your intellectual property is at risk from unplanned or thoughtless exposure.
- Eligibility – Since enterprise-wide applications may or may not run on some devices, the policy should be very clear about what devices are eligible.
- Apply it to everyone – The policy should be clearly stated and compliance enforced across the organization regardless of role or title. It should be clear what the employee's responsibilities are for joining or leaving the program or changing devices. The policy must cover everyone, including top executives, since they are most likely to have access to the most secure information.
- Wi-Fi – The policy should cover the usage of insecure Wi-Fi networks and limit access to sensitive corporate information through them.
- Loss, theft, exit – The policy should address any pertinent technical issues as well as the loss or theft of a device and the exit policy. In the event of a loss or theft, it should be very clear if the employee bears any responsibility. If a person leaves the company, what can they expect to happen to secure company information?
- Use strong passwords – Require users to authenticate with strong credentials (consider dual-factor authentication) to access corporate information.
- Availability – Once the policy and oversight technologies are in place, consider offering it to everyone. Allowing a broader selection of devices and possibly even covering some of the cost increases participation and may reduce support costs over time.
- Employee/Employer relationship – Your policy should be very clear that BYOD may extend the employee/employer relationship in the eyes of the law. If the company becomes a party to a lawsuit, the BYOD device may be subject to discovery and possible seizure.