Photo Credit: anyaberkut on iStockPhoto

Does Your Business Need a Bring-Your-Own-Device Policy?

By Dave Warner, Systems Engineer at Cenetric

Long gone are the days when we left our personal devices at home when we went to work. Since we tote them just about everywhere we go now, it makes sense that your business could have a lot of extra devices using your network. But with those devices comes more bandwidth usage — and more potential risk.

That’s why every business should have a Bring-Your-Own-Device (BYOD) policy. With a solid one in place, you and your whole team can be clear on what’s required and what’s off-limits.

What’s a Bring-Your-Own-Device policy? 

A Bring-Your-Own-Device policy is a set of rules you lay out with your employees about their conduct with their personal devices in relation to your business. It should define how your team should (and shouldn’t) use their devices when they’re using your network or data. 

Why you need a BYOD policy

Unmanaged devices add a lot of uncertainty and potential dangers in your network. How do you know they don’t have malware that will spread to your other devices? What applications are running on them — and could they be a drag on productivity? How do you control what happens to company data once it’s downloaded to an unmanaged system?

A Bring-Your-Own-Device policy helps you control all this chaos. With clear guidelines and expectations, you can make sure your network is protected and your employees are productive. 

Photo Credit: Rawpixel on iStockPhoto

What goes in a Bring-Your-Own-Device policy?

A solid BYOD policy will cover both what outside devices can do on your network and the company data they have access to. Finding a way to safeguard your systems but also make it easy for employees to get work done can be a challenge, so make sure you’re setting balanced guidelines. 

Your Bring-Your-Own-Device policy should cover: 

Device types

Define what kind of devices are allowed and covered under the BYOD policy (such as laptops, smartphones or tablets).

Security measures

Lay out the minimum security expectations you have for an employee’s personal device. At the very least, you should require up-to-date antivirus protection and a strong password. We also highly recommend requiring that the device always have the latest operating system updates installed.

Data protection

Set out the rules for accessing company data. For instance, you might allow it only over VPN or when using multi-factor authentication (MFA). 

Clearly state that company data remains property of the company. If you’re dealing with highly sensitive data that’s covered by industry or government regulations, you should outright disallow storage of it on a personal device.

IT support 

Define the level of IT support for personal devices. Typically, this means your IT staff (or your MSP) will only support company applications and connections — not provide general help with the device.

Separation and loss guidelines

Detail what will happen if a device is lost or stolen — or the employee leaves or is terminated.  How will you protect your company’s information if the team member accidentally leaves their personal device behind somewhere? If someone quits in a huff, how will you ensure they can’t access or manipulate the data and harm your company with an outside device?

We recommend protecting data on unmanaged devices by using Microsoft 365 Mobile Application Management, which is included with Intune endpoint management licensing.

This mobile device management tool lets you require that data only be accessed through authorized applications. You can remotely sign out a user who’s left the company or remotely wipe company data from the device — without giving you total control over it. It’s a win-win for both sides.

Solutions like this also will let you set minimum requirements for connecting to your data like I mentioned above. You can require conditions such as “must have a PIN to open the lock screen” or “must run this specific anti-virus software.”

Photo Credit: Dilok Klaisataporn on iStockPhoto

How to share a BYOD policy with your team

Make sure everyone’s on the same page from the get-go by working with your HR team (if you have one) to make it part of the paperwork each employee signs and agrees to when they join. For existing employees, briefly explain what this new policy is, why you’re implementing it, and when you’ll roll it out. Have them sign a copy as well.

(If your company has a Society for Human Resource Management (SHRM) membership, they have a sample BYOD policy you can edit to suit your needs. Add in some of our suggestions to really cover all the bases.)

You might hear some grumbling about the extra step or two employees now have to take to get on your network or access company data with their personal device. But this policy is an important part of your network security best practices, and implementing it protects your team, your customers, and your business.  

Let an MSP be your guide

If this is all a bit too much for you to handle on your own, a managed services provider (MSP) can implement the tools and settings that are right for your business so you don’t have to worry about it at all. If you have an IT staff member or two, but they’re a little overloaded, co-managed services might be a better option.

Either way, don’t panic. If you need guidance in creating a Bring-Your-Own-Device policy (or anywhere else in your IT operations), Cenetric has the experience and availability you’re looking for. Tell us about your challenges and we’ll be in touch to get started right away.

Photo credits (in order): anyaberkut, Rawpixel, Dilok Klaisataporn (all on iStock).