When a good bring your own device (BYOD) policy is in place, organisations realise substantial cost savings, improved productivity and security, whilst an informal or poorly drafted policy can introduce considerable risks. Here, we outline eight crucial topics a BYOD policy should include.

 

With more people working from home or engaging in flexi-time arrangements, increasingly, employees are using their personal devices for work. For organisations, considerable savings can be realised when employees use their own computing devices, which has made that option very attractive, particularly in organisations that may not be able to afford to outfit all of their employees with smartphones, laptops or tablet computers, for example.

Having said this, it is ill-advised for organisations to require or expect employees to use their devices for extended periods without a framework being established. A framework that could be considered is a bring your own device (BYOD) policy, which generally sets out guidelines that define the proper use of employee-owned devices for work, within the context of protecting an organisation’s networks, systems and data against cyber threats.

However, a BYOD policy ought to be unique to an organisation and responsive to its needs. Nevertheless, below are some key topics that tend to be common to BYOD policies.

 

Authorised devices

This section ought to clearly set out which devices employees can use to do the work of the organisation and connect to the organisation’s network. Depending on the organisation, it might be okay with any device being used, or it may wish to be specific, such as regarding the age of the device, devices using certain operating systems, etc.

 

Onboarding and offboarding employees

A process ought to be established for new employees to use their own devices for the organisation’s work. Additionally, when an employee is being separated from the organisation, there again ought to be a procedure, for example, to remove the organisation’s device and applications from devices, as well as access permissions to the network and applications.

 

Authorised use

This tends to be one of the more challenging provisions, as it sets out what would be acceptable use of a personal device that is also being used for work. Typically, it outlines the nature of the work that the device ought to be used for, and also whether there are any restrictions on the use of the same device by others, such as family members and friends.

 

Shared costs

For employees who are working from home, and so are using more of their resources, such as electricity and internet access for work purposes, an organisation may decide to offer a stipend to offset some of the added cost to employees.

 

Passwords

Organisations usually require employees to use strong passwords on their electronic devices and for all applications – even those that are not work-related. They may also require heightened security, such as the use of multi-factor authentication, and specify the frequency with which passwords may need to be changed and log-ins need to be re-validated.

 

Privacy and data protection

Typically, two aspects need to be discussed under this subject: protecting the organisation’s data, whilst also maintaining employees’ privacy. In preparing the needed provisions, national laws and guidelines governing privacy and data protection ought to be considered.

 

Network security

The organisation should set out its requirements to maintain the security and integrity of its network and systems. Among other things, this section should set out the circumstances under which the organisation’s network should not be accessed, such as when devices are connected to public Wi-Fi.

 

Maintenance and updates

The policy ought to indicate expectations regarding the maintenance of devices, as well as updates and upgrades. This is also the section where the organisation ought to indicate whether IT support will be available, how that support can be accessed and whether a maintenance/servicing schedule is necessary.

 

In summary, although BYOD can be beneficial to both employers and employees, it can be intrusive and restrictive to employees with respect to how they will be able to use their personal devices. It is thus recommended that there is consultation and collaboration between employers and employees and that the requisite expertise is also brought to bear on the process, such as from IT, human resources and legal.

Also, in anticipation of a BYOD policy being implemented, change management principles may need to be employed to get all areas of the organisation ready for the changes that will occur. Finally, it is emphasised that a BYOD policy is a living document that would need to evolve as the needs of the organisation or technology change, and new vulnerabilities emerge.

 

 

Image credit: Andrea Piacquadio (Pexels)