Security · November 25, 2020

Creating a Bring-Your-Own-Device Policy That's Smart and Secure

From personal laptops to tablets to smartphones, consumer-facing technologies are increasingly integrated into the workplace. In response, many companies have implemented a bring-your-own-device policy. Also known as BYOD, this approach allows employees to use personal electronic devices at work to connect to business resources instead of company-issued devices.

While a BYOD policy can lower costs, increase productivity and boost employee morale, it can also raise some security and privacy concerns. Employees' personal devices aren't under the control of your business's system administrator, and they can't enforce business security policies on a user's personal devices.

That's why organizations need to have a comprehensive BYOD policy that will offer employees flexibility while keeping business systems secure.

Key elements of a BYOD policy

Business owners have many things to consider when investing in new technology or implementing new policies. While there's no one-size-fits-all approach to BYOD policies, there are certain aspects that most business owners will want to cover.

What devices your policy will support and how

Because one of the major benefits of a BYOD policy is that it allows employees to use the electronics they're most familiar with, a policy should cover as many devices—including models, operating systems and versions—as possible. That includes Apple, Windows and Android devices.

Business owners will also have to decide who will be responsible for tech support. Perhaps you want your own IT team to install and monitor apps, office productivity software or security tools before the employee can access the network. In addition, businesses will need to decide whether they want to use their own IT teams to fix issues or require the employee to contact the manufacturer or carrier.

You should also specify which employees the policy applies to. For example, maybe you want to extend the policy only to the design team, so they can do creative work on their personal Mac computers. It should also cover whether employees can opt out of BYOD if they choose.

What activities your policy covers

The policy should clearly state that the device will be used for acceptable business activities that directly or indirectly support the business of the company within the company's business hours. List any company-owned resources that the employee will be able to access using their device, including email, calendars, contacts and documents.

It should also list any websites or apps that are permitted such as weather apps and productivity apps, as well as those not allowed to be accessed during work hours, perhaps social media platforms.

Who will pay for what

Will the company reimburse the employee for the total cost of the device or just a percentage? How often can an employee get a new device? What about the cost of the data plan or any overages? Who pays for repairs if the device is damaged? All these financial considerations should be spelled out in your policy.

Security measures

This section will probably be the longest and most detailed. It should cover password policies and multi-factor authentication procedures. The policy should also cover network security—no public networks or unsecured WiFi hotspots—as well as what types of data that should not be stored. For example, company credit card information should not be stored on personal devices. Also, let employees know that the company reserves the right to access and remotely wipe the device if IT detects a breach, a virus or any other security threat, or if the device is lost or stolen. Clearly defining these policies and procedures can help protect your business from ransomware and prevent cyberattacks

Risks and liabilities

Because the device is personal, you want to assure the employee that your business will do everything possible to protect their personal data. Beyond that, the policy should lay out who is liable for costs associated with any risks such as loss of company data, viruses and malware. This should also cover procedures for dealing with lost or stolen devices or employee termination.

Is BYOD right for your business?

With all this in mind, a business owner might wonder if the benefits of a BYOD policy outweigh the potential hazards. For example, if you don't have an IT department to monitor your employees' devices or a legal counsel to enforce it, a BYOD policy could be risky.

In addition, it can sometimes be more cost-effective to supply employees with devices rather than having them use their own. This is particularly true when you factor in device upgrades or data overage costs for employees who travel frequently or work in places with limited network service.

However, business owners might not have much of a say as work life and personal life become increasingly blended and more employees bring their own devices into the work environment. Make your decision based on what's realistic for your business, balancing the level of risk you can tolerate and how much flexibility you want to give your employees.


Financial insights for your business

No results found

This information is provided for educational purposes only and should not be relied on or interpreted as accounting, financial planning, investment, legal or tax advice. First Citizens Bank (or its affiliates) neither endorses nor guarantees this information, and encourages you to consult a professional for advice applicable to your specific situation.

Links to third-party websites may have a privacy policy different from First Citizens Bank and may provide less security than this website. First Citizens Bank and its affiliates are not responsible for the products, services and content on any third-party website.