5 Tips for implementing a secure BYOD policy



BYOD (bring your own device) is quickly becoming the workplace standard. Today, 82 percent of companies allow employees to use personal devices for work, and that number will only grow.

But before you turn your employees loose with their smartphones and tablets, you have to lay some ground rules. Writing and enforcing a comprehensive BYOD policy is the best way to protect your organization.

The Benefits of BYOD

When executed correctly, the benefits of a corporate BYOD policy far outweigh the potential risks. Employees feel more comfortable and productive working on familiar devices, and BYOD cuts down on device and software costs.

According to a study by Sapho, using personal devices saves employees an average of 81 minutes per week, and 78 percent of employees feel BYOD supports better work-life balance.

But BYOD also raises concerns about data security. In fact, 50 percent of companies that allow BYOD experience breaches via employee-owned devices.

Most companies also lack the resources to effectively manage a BYOD policy. Allowing many different devices, operating systems and software versions in the same corporate environment can quickly stretch your IT resources too thin.

You don’t need a large IT staff to succeed with a BYOD policy. Here are five tips any organization can use to implement a secure BYOD policy.

1. Establish Security Policies for All Devices

Before you give employees the freedom to access company resources from anywhere, set stringent security guidelines.

Users tend to resist complicated passwords and lock screens because they’re inconvenient. But unsecured devices can expose your sensitive data to malicious attacks.

Your BYOD policy should include these security guidelines:

  • What are the minimum required security controls for devices, including data encryption and password requirements?
  • Strong, alphanumeric passwords should be used for all smartphones, laptops and tablets.
  • Where will data from BYOD devices be stored? What types of information can be stored locally, if any?
  • Will you enforce inactivity timeout controls so that devices are required to lock automatically after being idle for a defined period?
  • Will you require employees to install a specific mobile device security application, or will they be allowed to choose their own security solutions that meet your criteria?
  • Is your IT team permitted to remotely wipe the device if:
    • The device is lost?
    • The employee terminates his or her employment?
    • IT detects a data or policy breach, virus or similar threat to the company’s data/infrastructure?

The strictness of these guidelines will depend on your industry.

For example, established healthcare or finance companies that store sensitive data will have far more restrictions than a small startup. Build your security policies around the guidelines and compliance requirements for your industry and business size.

2. Define Acceptable Use Guidelines

Acceptable use policies help prevent viruses and malware from entering your system through unsecured websites and apps.

Discuss these questions with your IT leadership team or managed services provider to define acceptable use policies:

  • Which applications are employees permitted to access from their personal devices? Clearly outline what types of apps are allowed and restricted.
  • Which websites should be banned while a device is connected to the corporate network?
  • What company-owned assets (emails, calendars, documents, contacts, etc.) can users access on personal devices?
  • What policies will you implement to ban employees from storing or transmitting illicit materials or engaging in outside business activities on their personal devices?

Tip: Blocking “time wasting” sites like Facebook and YouTube can appear overly controlling to your employees. As long as your employees are performing well, you don’t need to subject them to needless restrictions.

The key to getting your employees on board with BYOD policies is building a trusting environment. Too much restriction can make them feel like you’re infringing on their personal freedoms. Instead, educate them on the realities of BYOD and give them the power to use their devices responsibly.

3. Use Mobile Device Management (MDM) Software

MDM software lets you monitor, manage and configure all BYOD devices from a central location. It allows your IT team to implement security settings and software configurations on all devices that connect to your network.

MDM software gives your IT team the power to:

  • Automatically back up intellectual property at a prescribed frequency via the cloud
  • Perform vulnerability scans and block mobile devices with potentially compromising apps from the network
  • Keep anti-malware applications updated
  • Perform updates and patches remotely
  • Wipe lost or stolen devices remotely
  • Enforce security policies

Mobile device management makes it easy to contain threats and minimize damage quickly in the event of a breach or attack.
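The sketch below is an added example, not code from this article or from any MDM product. It shows how the minimum controls from tip 1 (encryption, alphanumeric passcode, inactivity timeout, required security app) can be turned into an allow/block/wipe decision of the kind an MDM enforces. The threshold values, the field names, the app identifier and the sample inventory are all assumptions, and it assumes your policy permits remote wipe for lost devices and departed employees.

```python
from dataclasses import dataclass

# Assumed baseline: the article names these controls but not their values.
BASELINE = {
    "max_idle_lock_seconds": 300,
    "min_passcode_length": 8,
    "required_security_app": "example-mobile-security",  # hypothetical app id
}

@dataclass
class Device:
    owner: str
    encrypted: bool
    passcode_alphanumeric: bool
    passcode_length: int
    idle_lock_seconds: int  # 0 means auto-lock is disabled
    installed_apps: tuple
    reported_lost: bool = False
    owner_active: bool = True

def violations(d, baseline=BASELINE):
    """List every minimum control the device fails."""
    found = []
    if not d.encrypted:
        found.append("storage not encrypted")
    if not d.passcode_alphanumeric or d.passcode_length < baseline["min_passcode_length"]:
        found.append("passcode below policy")
    if d.idle_lock_seconds == 0 or d.idle_lock_seconds > baseline["max_idle_lock_seconds"]:
        found.append("inactivity lock missing or too long")
    if baseline["required_security_app"] not in d.installed_apps:
        found.append("security app missing")
    return found

def decide(d, baseline=BASELINE):
    """Return (action, reasons) where action is 'wipe', 'block' or 'allow'."""
    if d.reported_lost:
        return "wipe", ["device reported lost"]
    if not d.owner_active:
        return "wipe", ["owner no longer employed"]
    reasons = violations(d, baseline)
    return ("block" if reasons else "allow"), reasons

# Constructed sample inventory, for illustration only.
FLEET = [
    Device("alice", True, True, 10, 120, ("example-mobile-security",)),
    Device("bob", True, False, 4, 0, ()),
    Device("carol", True, True, 12, 60, ("example-mobile-security",), reported_lost=True),
]

if __name__ == "__main__":
    for d in FLEET:
        action, reasons = decide(d)
        print(f"{d.owner}: {action} {reasons}")
```

Returning the list of failed controls alongside the action gives the help desk something concrete to tell the employee about why a device was blocked.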

4. Communicate BYOD Policies to All Parties

BYOD policies are only successful if the people using them understand the requirements. However, 77 percent of employees haven’t received any formal training on the risks of using personal devices at work.

A successful BYOD training curriculum can mean the difference between a more productive workforce and a disastrous data breach. The best way to clearly communicate your policies to all parties is by investing in ongoing employee security training.

Hold regular training seminars, create a detailed guidebook or schedule one-on-one IT training sessions with each employee. Training enables employees to use their devices safely and effectively and educates them about the individual and company-wide risks of not complying.

Tip: Make sure all users sign an agreement acknowledging that they have read and understand your BYOD policy. This will protect you from liabilities associated with employees who engage in illegal or inappropriate behavior on their BYOD devices.

5. Set Up an Employee Exit Plan

At some point, employees with devices on your BYOD platform will leave the company. Failure to remove their access to company networks and data can lead to security issues down the line.

Make a BYOD exit checklist part of your exit interview. The checklist should include:

  • Disabling company emails
  • Wiping company-issued devices
  • Changing the passwords to all their company accounts

BYOD is largely unavoidable for modern businesses. Your employees will use personal devices at work in one way or another, and you won’t be able to stop them.

But with a secure BYOD policy that covers all the bases, you can empower users to work more productively, increase employee satisfaction and prevent costly data breaches and malicious attacks from damaging your organization.
