Best practices for implementing a successful BYOD programme
A bring your own device (BYOD) strategy is popular with many organisations, but if implemented incorrectly it can become a problem. BYOD has numerous benefits for employees, from remote working to saving money, yet it presents several challenges if a clear policy is not applied.
It can also introduce security risks if adopted carelessly. Following a set of best practices can help ensure that BYOD in your office is productive and risk-free.
Here are some things to ensure you do:
Have a clear policy
It is vital to ensure that the policies around BYOD are clear, so that employees understand what they can and cannot use their devices for. The policy must also address possible security and privacy threats.
Policies must make clear how IT support can help in the case of any incident, and employees should also be made aware of which devices are supported. Some devices are more likely to be vulnerable to security risks than others, so it is worth making staff aware of this.
Prepare an action plan
You should ensure that you have an action plan in the event of a data breach or attack. Although every device should be protected against risks with security software or by segmenting work data on the device, it is important to prepare for the worst.
BYOD devices are often multi-purpose, used for both work and leisure. Unfortunately, this means there is a greater chance of a device being exposed to risk.
An action plan should address how personal and business data can be protected, for example through the remote wiping of lost devices, as well as enforcing regular software and app updates.
Define the use
Your strategy for BYOD will depend on your organisational needs and ambitions.
Policies will vary depending on the company’s size, industry and data involved. Work alongside HR and your legal team to establish the risks and requirements and always prioritise security in any decisions.
Different stakeholders will have different needs and desires. Seek their input before defining your strategy. Their support will be crucial to achieve effective adoption and avoid shadow IT.
Create a mobile device management policy
A mobile device usage policy can limit organisational risk by defining responsibilities and helping IT manage use.
Consider your security needs, the applications and devices you want to permit and the support staff will require before writing up a living document that is regularly updated as required and kept consistent with your organisation’s needs.
Passwords alone are insufficient to protect company data. Conduct a mobile risk assessment to identify any dangers. Ensure networks are secured, passwords routinely changed and backups made regularly, and monitor your networks constantly to detect potential threats.
Human error is the most common source of breaches, so decide on an appropriate level of access and keep staff informed of any risks to avoid potential disasters. When staff leave the organisation, ensure procedures are in place to purge the company data from their devices.
Make sure staff are kept informed of any security risks. This should cover basic smartphone safety for downloads and passwords, but also the risks posed by inserting external devices and integration with the Internet of Things.
Using strong PINs, secure networks and data encryption, as well as making regular backups, are all aspects of security they should be aware of and practising.
Decide what devices are allowed
Businesses should decide what devices to allow in the organisation as some can be more secure than others. Perhaps it is worth purchasing your own company devices that can be monitored and securely maintained.
However, let's face it: most employees will use a work-allocated phone as their personal one too, so systems could still be left slightly vulnerable unless you put in the time educating your team on safe practices for both work and personal information.
It will also set you back quite a lot of money.
Use an enterprise mobility management (EMM) system
EMM systems can be used to track who is using their own devices. They simplify BYOD security by placing sensitive corporate data and approved applications in secure containers.
They provide an effective method of separating personal data from business information and can wipe the corporate data container remotely if a smartphone is lost or an employee leaves the company.
Support staff financially
Staff understandably expect their employer to pay for equipment used for work. If you’re reluctant to financially sustain a personal device, consider offering an interest-free loan to support staff expenditure.
Employees will be reluctant to exceed their data limits for professional purposes, so ensure they are reimbursed, or risk reducing productivity by encouraging them to wait until they find a Wi-Fi connection.
Ensure usage is consistent
Each department should follow the same best practice criteria, so make sure it’s consistent across the organisation to avoid any confusion.
This can only be sustained if the needs of staff are accounted for, so involve cross-functional teams in determining policy to fulfil everyone’s requirements, as BYOD will create problems if staff do not want to support it.
The regular stream of upgrades and variety of mobile platforms available will make integration complex. Prepare to change alongside staff as technology develops and take their needs and preferences into account.
Replace legacy systems to support compatibility and re-evaluate your policies on a regular basis to ensure your organisation adapts quickly before it’s left behind.
Separate work and play
Separate business and personal apps and data, as when they are mixed it can be difficult to identify what is relevant to the business. Consider creating a blacklist of banned apps or a whitelist of ones you are happy to allow, and restrict app usage to approved staff members only.
To protect staff privacy, never monitor personal use, and hold off on blocking access to social media and sites such as YouTube if staff are performing well.
Develop an exit strategy
Businesses should have a set plan for when employees leave the company. Whether they have borrowed a device or are using their own, their access to the network should be removed almost immediately. This information should be sent to system administrators so they can ensure the network is up to date and secure.
An exit checklist covering the devices that were connected and the security measures taken helps ensure company information stays secure, while also making employees aware of the security risks. Disabling company email and accounts, as well as wiping company-issued devices, removes ex-employees' authorised access and keeps sensitive information protected.