Best practices for BYOD policies

Steps organizations can take to help prevent sensitive data from falling into the wrong hands

Let’s face it: bring your own device (BYOD) situations are here to stay.  With the ubiquity of employees having and using smartphones and tablets – devices that have more capacity and processing power than desktop computers from not so long ago – it was inevitable that employees would eventually start to use their own devices in a work capacity.  This new reality presents benefits for employers, as their employees can now be productive away from the office and be responsive to work situations as they arise.  Additionally, there are cost savings that can be achieved when an employer is no longer responsible for supplying devices to its employees.

The situation also benefits employees, as they often derive personal satisfaction from being able to link up their own preferred devices to the work system, creating a little node of personalization in an environment that they do not otherwise control.  Surveys reflect that a significant percentage of job seekers will view a prospective employer more favorably if it has an IT system that supports the seekers’ personal devices. 

However, if employers do not manage BYOD scenarios proactively, then they present risks in addition to the aforementioned rewards.  To state the obvious, when an employer’s information is being sent, received and stored over a device that the employer does not own, then the specter of data loss is present.  This risk can come from an employee who intends to hurt the employer by taking information and either using it on behalf of a competitor or simply disclosing it to embarrass the employer.  It can also come from an employee who inadvertently retains or loses it. 

Either way, the employer that thinks through BYOD issues in advance and charts out rational, balanced policies before issues arise is going to place itself ahead of the game.  Here are some best practices for BYOD situations:

1. Have technology in place to protect your information.

Take the typical employee’s smartphone.  Some employers require that the employee use an employer-issued e-mail application like Good Technology.  Other employers require that their employees download an application that allows the employer to shut down or access a device in certain circumstances.  Some employers take the simple step of requiring that employees activate passcode protection on their devices, a policy that costs nothing because just about every device contains this option.  Regardless which of these options an employer chooses, it is the most basic step in dealing with BYOD situations.  An employer needs to acknowledge and deal with the fact that if its information is going to migrate to its employees’ personal devices, then those devices need protection measures in place to ensure that the information is not lost or stolen.

2. Think through your key information and take steps to protect it.

Some information is simply too important to permit it to migrate to an employee’s personal device.  Even with one of the aforementioned data security fixes in place to protect information on an employee’s smart phone or tablet, an employer might worry about information that remains on the device after the end of the employee’s employment or that an employee will leave the device unattended for a moment and allow a third-party to see sensitive information on the screen.  Thus, it is important for an employer to ask itself three questions.  First, what information would be most useful to its competitors if an employee left with it?  Second, what information would be most embarrassing if it were leaked to the general public?  Third, if asked on a witness stand by a judge (or by the employer’s attorney while drafting an affidavit) “how many measures do you take to ensure that the employer’s most valuable, sensitive information remains private?,” what could the employer’s personnel say in response?  It is generally valuable for an employer to put itself through this sort of self-critical analysis, but it is specifically important in addressing BYOD concerns.

This content continues onto the next page...