In a world where personal devices and employees’ work can be hard to untangle, having a secure bring-your-own-device policy is more important than ever. So, what can companies do to make sure personal devices aren’t inviting data breaches and other security issues, while still allowing strong productivity?
If you don’t have a written bring-your-own-device policy, write one, Judy van Rhijn writes for Law Times. “Putting a policy together forces employers to address issues with respect to securing confidential information and also employee expectations of privacy,” she writes.
If you have one, think about revamping it. This could help with employee concerns about their personal privacy, Paul G. Lannon and Phillip M. Schreiber write for the Society for Human Resources Management. “Workers may worry that their company will have inappropriate access to their … information – and that they could lose all that information if the company attempts to wipe business information from the worker’s device, which typically happens after a person’s employment has concluded.”
Employers’ biggest concern is security, Sue Marquette Poremba writes for CSO Online, because employee devices provide seemingly unlimited potential for data breaches. Strong policies should be “relevant to the company’s needs…hold employees accountable, and are applicable to the technologies currently in use,” she writes.
Don’t forget to consider the risks. “You may be better off forbidding personal devices to connect to the network altogether, especially if your industry is highly regulated,” she writes. Instead, think about implementing a choose-your-own-device program that allows options for mobile devices the company owns. This can drastically improve security.
Make sure employees know about your expectations, especially if you’ve made big changes, Poremba writes. “The revamped policies should be clearly articulated to employees in non-technical terms.” Communicating your policy will allow your company to clearly designate things like authorizing work-related software, Lannon and Schreiber write.
Poremba suggests requiring employees to acknowledge your policies’ terms in order to connect personal devices to the company network.
Warning signs that you’re not enforcing your policy well enough (or that it’s not strong enough): data leaks on either the Dark Web or open Internet, and “an increase in malware or attacks from authorized personal devices.” “This may mean an employee is not holding up his end of the bargain by using security software or may not be keeping it up to date,” Poremba writes.
If that’s the case, make more changes. “A failing BYOD policy can be devastating to a business, risking the loss of intellectual property, personally identifiable information of customers,” she writes. “All it takes is for one device not be patched, not have standard anti-virus software or other security protections, be misconfigured but on your network, or to be lost or stolen for your company to be the latest victim of a major data breach.”