How BYOD Policies Catch You Up to Reality
November 12, 2020
Infosec Policies
Does your company have BYOD policies? For those unfamiliar with the term, BYOD is "Bring Your Own Device" -- and BYOD policies relate to what the company does (and doesn't) allow in terms of handling company business from your own devices. When the term BYOD first entered the vernacular of IT and compliance teams, it often referred to employees using their own smartphone or tablet. However, more recently it's adopted a meaning that includes any personal device -- including laptops, tablets, smartphones, and anything else.
Questions to Ask Yourself
If you have not created BYOD policies for your company, here are some questions we would suggest you reflect on:
- Do you believe that employees ever handle work obligations from a personal device -- for example, responding to a work email, or reviewing a document?
- If a personal device containing company data was misplaced or stolen, would that expose the company to risk?
- If a personal device containing company data were used by someone other than your employee (perhaps a child, spouse, or friend) and the device accidentally became infected by malware or ransomware, would that expose the company to risk?
Almost every company that we talk with would answer all three of the above questions with "Yes" -- and that's normal. If you answered "Yes" to any of these, what's next?
Using BYOD Policies to Catch Up
Implementing BYOD policies helps you catch up with reality: your employees are almost certainly (whether you specifically know it or not) occasionally using personal devices to conduct company business. Surfacing that issue rather than pretending it doesn't exist is almost always the right move. Implementing a BYOD policy does not need to mean using a "big brother" approach, though. It's all about setting reasonable expectations that protect the company's interests while giving employees the flexibility they want.
Here are some of the topics you might consider covering in your BYOD policies:
- Protection: a tradeoff that we're increasingly seeing companies make is to empower employees to use their personal devices, subject to the condition that they install some acceptable endpoint security (e.g., a particular antivirus package -- perhaps also including DNS filtering). When communicated with care, companies can present this as something that benefits both the company and the individual -- by keeping the employee safe on work matters and personal ones alike.
- Information Classification: are there certain types of information that are especially precious in your company? Like mock-ups of future products? Customer lists? SSH keys that provide direct/full access to production webservers? Correspondence about pending litigation? You might consider implementing a classification system where employees are allowed to interact with some types of information from their personal devices, but not the most sensitive information that could be catastrophic if it fell into the wrong hands.
- Revocability: does the company reserve the right to revoke the BYOD policy? This might come in handy if one or more security incidents cause you to need to (temporarily or permanently) suspend the use of personal devices. In most cases, companies have the right to modify policies without specifically mentioning that right in the policy's text. However, it's a best practice to touch on this topic in the policy, so that everyone is aware that the policy could change in the future.
- Termination: please think through the ramifications of what you'd like to happen if an employee either leaves the company voluntarily or is terminated by the company. What processes -- either semi-automated or manual -- do the company and the employee expect to follow if employment ends for any reason? A good start on this topic is to set the expectation that information related to the company must be deleted in a timely manner. More advanced solutions may involve the use of an MDM to provide a more technical, process-driven way of removing company data from the device.
Do these topics sound nuanced? They are. But raising these issues to the surface so that employees understand the tradeoffs associated with BYOD is almost always better than leaving the topic unaddressed. BYOD policies set expectations for all involved, which we think is important.
Need a Hand?
If reading this article inspires you to work towards rolling out a BYOD policy, we're glad to have been helpful. May we suggest just one more thing? We highly recommend beginning your BYOD policy from a battle-tested template. It's fine to customize the policy further, but it's a smart move to start from a template that covers the basics. Want to see our BYOD policy template? We're glad to share it.