Bring Your Own Device or in short, BYOD is the latest work trend that allows employees and employers alike to access company data and email through personal devices such as mobile, laptop and tablets.
BYOD is frequently engaged by small or big enterprises as a way to increase work efficiency and reduce business cost, for enterprise mobility. In fact, lately, it has even become a need to stay connected with work on a holiday. According to the Randstad Q2 2015 Workmonitor research, One in three (32 percent) find it hard to let go of work while on a holiday, while as many as 51 percent of those surveyed said their boss expects them to be contactable.
BYOD has made work inseparable from our personal lives, and in a way has blurred all lines between work and personal usage.
What Happens without a BYOD Policy
Without a BYOD policy in place, employees will think they have the right and freedom to access company data in whichever way they like, especially if needed to after office hours. This means the use of personal devices to send and retrieve emails, download company’s files and edit documents while accessing personal applications such as games or watch videos at the same time. Such practice could expose a company’s confidential data through several online access points, and can be detrimental to the business. Think of the Sony data breach in November 2014, where 100 terabytes of information containing emails between employees and personal data about employees and their families were publicly released in Wikileaks after a malware attacked several Sony employee’s computers.
Employees are ignorant when it comes to IT technology and it boils down to constant reminders and cyber security education to keep employees in check of what they are doing on their personal devices. To complicate things even further, every device has its own security settings and configurations. It is, therefore, important for owners and IT security managers to check on manufacturers’ device security as well as the environment and operating systems that are permitted for employees’ access.
Take iOS and android, for instance, both are unique operating systems (OS) yet each has its own vulnerabilities. In some companies, the use of a personal device is restricted to the use of only Apple or vice versa.
The debate on which OS is safer is still on-going, and ultimately policy-making lies in the hands of business owners and consensus within the IT department.
Crafting a BYOD Policy
It doesn’t take a rocket scientist to craft a BYOD policy. With some reference and modifications, this can be easily done by anyone. Templates are readily available and can be adjusted to suit a company’s preference. BYOD Policies often includes:
(1) Acceptable Use
This summarises what can and cannot be used when accessing company online access points as well as restrictions and limitations.
(2) Devices and Support
The device models that are permitted and have been checked by the IT department.
The full or percentage of cost that company will reimburse for purchasing a new device.
The environment in which the device can be used, which includes a strong password, and non-usage of rooted or jailbroken devices.
(5) Risks and Liabilities
To agree that using personal devices for work come with risk and that the employee recognises them and assumes full responsibility.
IT Manager Daily has come up with a neat template that is worth looking at, and if you are looking to get started on your first BYOD policy, this could be it.
No Escape for Small Businesses
While large organisations emphasize on BYOD policies more, this should apply similarly for small businesses, especially since policies and cyber security are likely to be neglected, and where BYOD is often used. As said, BYOD policy is not complex and can be crafted by almost anyone, so there shouldn’t be any excuse why small businesses cannot have it. For best practice, we recommend this policy to be integrated with the employees’ hiring manual from the start to avoid misuse and mishandling of company and customer’s data.
About Ashlee Ang
Ashlee is a content writer at Cyber Secure Asia where she writes about introductory topics on cyber security and cyber-related happenings in Singapore & South East Asia.