Employee Personal Device Usage: BYOD in the Workplace
Considerations for Implementation of BYOD Policies
If your organization’s employees are permitted to connect personal smartphones or tablets to the company network, implementing an effective Bring-Your-Own-Device (BYOD) policy is necessary to protect against malware, hackers, and data exfiltration. Users’ personal devices can facilitate the propagation of viruses and worms, expand the attack surface by increasing the number of potential entry points, and allow their owners to download and leave with sensitive, proprietary company data.
Without a clearly defined BYOD policy, employees will not know the company’s expectations or what activities are prohibited. Employers also have some difficult decisions regarding exercising control over their employees’ personal devices and data.
Defining usage parameters
Before you can begin to develop a BYOD policy, you’ll need to determine the extent to which your employees will be permitted to use their devices while connected to the company network. Some organizations separate the visitor Wi-Fi network from the internal one. If your employees will only be allowed to use a visitor Wi-Fi connection that provides Internet access but no access to internal company resources, your BYOD policy could consist of a simple statement in the HR manual limiting the connection of personal devices to visitor Wi-Fi. If, on the other hand, employees will be allowed, or perhaps encouraged, to use their devices for work-related tasks, you’ll need a much more comprehensive policy.
Which devices are allowed?
Depending on how employees will use their devices, your BYOD policy may need to include limitations on the types of authorized devices for connection to your network.
Will your employees be using their portable devices to access company applications? Might there be compatibility issues relating to mobile device operating systems? If so, are those applications optimized for use with mobile devices? Will your employees only use their devices to make and receive work-related phone calls and access company webmail? Given that different devices have different operating systems and capabilities, answering questions like these may help you decide which devices should be allowed to connect and which should not.
Device security requirements
If you allow personal devices to access internal resources, you’ll want to ensure that those devices are not infected with malware that could propagate within your environment. The policy should require that employees using their personal devices at work install and maintain antivirus/anti-malware software.
Portable devices can be lost or stolen. Automatic screen lock functionality with a strong PIN or biometric authentication should be required, as should complex passwords and multifactor authentication for network access. Depending on your environment and the sensitivity of the data, there may be regulatory requirements to consider. You may also wish to consider other tools, such as VPN applications, to increase security.
Will you offer support for personal devices?
Another question to consider when developing your policy is whether and to what extent your organization’s IT team will support personal devices. The answer may lead you to limit the use of those devices depending on the added burden on your staff.
If you elect to provide support for these devices and their users, you’ll need to establish clear parameters. A best practice would be to exclude hardware support altogether. Hardware issues should be resolved by vendors and others authorized to support personal devices so that no warranties are voided, and your organization cannot be held responsible for any physical damage done.
Will your organization allow users to install proprietary software on their devices? If so, will you provide application support for those devices? What will you do if the user has installed other apps on the device that prevent the proprietary application from running? A recommended action would be to explain the problem and let the user know that it is up to them to uninstall the personal application to facilitate using their device to run the company app or use a different device. It is, after all, the user’s personal device. This fact can lead to a separate set of issues should a dispute arise.
Remote device wiping and termination of employment
As previously pointed out, these are personal devices paid for and maintained by their users. Perhaps the most critical consideration when determining the extent to which personal device usage will be permitted is whether you intend to require users to grant you remote wipe capabilities. From the users’ perspective, those willing to pay for a device and then use it for the company’s benefit may strenuously object to a policy that could seemingly punish them for doing so.
While the company webmail app may not store messages and attachments on the user’s device, other proprietary applications could download sensitive data onto these devices. Likewise, BYOD users may have the ability to download files from company servers. Your policy should spell out what data can be downloaded and stored.
There is always a possibility that a user will violate a policy concerning the storage of company data. Your BYOD policy should clearly state the potential consequences associated with such a violation. If applicable, this should include wiping the user’s device. This measure would clear the company data and wipe out all of the user’s personal information, possibly leading to heated disputes for reasons previously stated. There is another consideration as well. Many personal devices are set to run backups to the cloud automatically. Even if you could wipe the user’s device, what recourse would you have regarding the backed-up data?
Finally, you’ll need to develop a policy regarding employee termination, whether voluntary or involuntary. Will you wipe their personal device? Will the employee be present to oversee the activity? What if the employee refuses to allow wiping of the device?
Allowing your employees to connect personal devices to the company network could, depending on the level of access, require you to implement policies that may, under certain circumstances, result in the deletion of their personal data. The use of personal devices could also dramatically expand your company’s attack surface, increasing the chances of a breach. For these and other reasons outlined herein, decisions relating to personal device usage should only be made after careful consideration of the possible ramifications.