BYOD Mobile Policies

Data breach response has become a regular feature of the modern workplace, thanks in part to the popularity of bring your own device (BYOD) mobile policies.

Believe it or not, one in three organizations suffered a security compromise due to a mobile device last year, according to a Verizon study.

The majority of respondents to a recent Bitglass survey said they were concerned about data leakage, insecure app downloads or unsafe content. Yet, Microsoft estimates that only 60 percent of organizations have a formal BYOD program in place. 

Developing a robust BYOD mobile policy ensures better data protection, helps guide employee behavior and keeps your enterprise compliant with privacy regulations.

What is BYOD?

IBM defines BYOD as “an IT policy that allows, and sometimes encourages, employees to access enterprise data and systems using personal mobile devices, such as smartphones, tablets and laptops.” The company identifies four common BYOD access levels: 

  • Unlimited access

  • Non-sensitive systems and data access

  • Access restricted by IT control over personal devices, apps and stored data

  • Access without the ability to locally store data on personal devices

IBM security expert Jeff Crume says companies have two choices:

  1. “Letting employees who may know little about threats or mitigation strategies sort out what the most appropriate defenses are, install the proper tools, configure them for optimal usability/security and maintain all this in the face of an ever-changing backdrop of newly discovered vulnerabilities and attack types.”

  2. “Letting subject-matter experts chart the course and enable members of the user community to focus on their daily jobs.”

Leaving employees to figure security out on their own is bound to lead to increased network vulnerability.

BYOD pros and cons

Formalizing BYOD may be the better option for most enterprises, but it’s still important to do your due diligence. 

On the plus side, BYOD formalizes the usage of devices your employees are likely to use no matter what. Workers will bring their personal devices in and out of company buildings and connect them to perform various remote work duties. 

BYOD represents potential manpower benefits. Recent studies indicate that BYOD generates $350 of value and a hundred extra hours of work each year, per employee. 

On the other hand, BYOD devices are at-risk endpoints. Considering some 70 million cell phones are lost each year, enterprises are placing quite a bit of trust in employees when they leave the office. Depending on access level, when a connected smartphone is lost, the network itself can become open to data theft and malicious attacks. 

To mitigate some of the security concerns, many companies are opting for COBO (company owned, business only) and COPE (company owned, personally enabled) mobile device policies in place of BYOD. These policies give companies much more oversight and control over devices, helping to fend off attacks from the start. 

Human resources considerations 

The main HR issue for BYOD policies is how to untangle the mixing of personal and work-related data. Enterprises may run the risk of violating regulations aimed at protecting sensitive employee data while extracting or monitoring work-related data.  

Another HR concern relates to employee perception. Many employees fear workplace monitoring of their personal devices. Further, these arrangements can erode work-life balance, because employees may feel they are always on call. 

BYOD should be an important aspect of onboarding new employees and a key part of training across all departments. HR can help ensure training is uniform company-wide and consistent with the latest BYOD policy.

Legal considerations

In addition to regulatory violations related to employee privacy, enterprises face the risk of fines and liability should they inadvertently violate privacy regulations, such as GDPR and CCPA.

These laws protect consumer data and govern how companies protect it, no matter where it is accessed. It’s relatively easy to safeguard consumer data at the network level, but when employees can access that information from a personal device, it is a much more challenging technical proposition.

BYOD trends

Industry insiders predict the global BYOD market will exceed $350 billion by 2022, a $250 billion increase from $100 billion in 2014, according to Hexa Research. Partly, this figure is expanding because the devices employees use have become more expensive. This figure also accounts for adjacent costs such as enterprise mobility management (EMM) solutions that allow companies to outsource some of their BYOD oversight. 

Another trend affecting BYOD is the elimination of BYOD itself in favor of CYOD (choose your own device) policies. These programs restrict employees to using one of the devices carefully selected by the company. With CYOD, IT workers can more easily stay on top of security updates and patches that can be applied uniformly, versus trying to safeguard dozens of different device models. 

BYOD policy basics

BYOD policy specifics are unique to every enterprise, but there are several core features common to most:

  • Guidelines for acceptable and unacceptable mobile use

  • A responsive plan to handle the loss or theft of devices

  • Information about data usage: whether the enterprise will monitor employees when they are connected to the network and what data they may review

  • Best practices for mobile device usage that mesh with existing corporate policies related to mobile and remote work from other devices

You’ll need to update your BYOD policy alongside technology changes and emerging legal regulations. Always keep your workforce informed about these updates. 

Developing strong BYOD policies takes time and effort, but these policies are needed to address the concerns that come along with an increasingly mobile modern workforce. 
