5 Considerations for Supporting BYOD

When was the last time you used your personal smartphone to check your work email? Odds are it wasn’t that long ago. As personal technology has matured, it has seeped into the professional world and it’s now common for employees to use their own devices for work purposes.

As early as 2013, more than 60% of workers admitted to using their own devices at work. Recognizing that this shift is going to happen whether or not it’s technically allowed by company policy, BYOD practices have been increasing, with Gartner predicting that 50% of employers will require employees to provide their own device by this year. Even hyper secure industries that are high cyber targets are embracing BYOD policies: 71% of hospitals have BYOD policies.

Now that this trend is seemingly unstoppable and already in practice (officially or unofficially) at many organizations, it’s up to companies to address the issue in practical ways. Organizations should ask these questions and put policies, procedures and solutions in place to help mitigate the risks of BYOD without trying to fight the tide.

1. How will you ensure data security?
2. Will critical applications work with BYOD?
3. What will IT be responsible for?
4. What happens if an employee’s device isn’t functioning?
5. How will your BOYD policy be updated?

1. How will you ensure data security?

One of the most common reasons organizations resist BYOD is because of security concerns. This is absolutely a valid concern.

WannaCry and other recent cyberattacks that took advantage of known vulnerabilities made it clear that individuals aren’t always great about installing updates and patches. Add keeping critical software like antivirus and antimalware updated to the list and the risk can grow to an alarming level for IT teams who don’t have control over employees’ personal devices.

Beyond keeping the endpoints themselves secure, you have to worry about how it’s being used. Are employees connecting to unsecure WiFi networks? Are they clicking on potentially malicious links on social media on their own time? Do their family members use the same device? All these actions can compromise your network or data if the proper precautions aren’t in place.

One of the easiest ways to increase BYOD security is to ensure all corporate data is stored in a secure datacenter rather than on individual endpoints and to keep data isolated from the endpoint when it’s being accessed locally.

2. Will your business critical apps work across devices?

BYOD can put a screeching halt to productivity if business critical applications won’t work on an employee’s chosen device. This can be as simple as an employee owning a Mac while the company uses only PC compatible applications.

It can get much deeper and complicated with OS versions though. If a legacy application isn’t compatible with the most recent OS update, your employees may suddenly be unable to access an application they were working on just the day before, all because of the installed OS updates recommended for their device.

Before you allow employees to opt into a BYOD program, make sure you have a documented list of applications and their device/OS requirements, or have a solution in place that negates traditional compatibility issues.

3. What responsibilities will IT have?

With company-issued devices, it’s clear who is responsible for trouble shooting: IT. With BYOD, this is more of a gray area. Is IT responsible for provisioning the desktop with required permissions and applications? How long will that take and when can they get access to the employee’s device? 

If an employee’s device isn’t working, they aren’t being productive. But since the device is personally owned, is it IT’s responsibility to fix the issue? What if the computer is running slow because the employee has a large personal program installed or not enough computing power? How should IT address these issues?

Will IT be responsible for issuing patches and updates to applications? What about the device? Do employees have to clear any updates or application downloads with IT before proceeding? Without a solution like virtual desktops in place, IT gives up a lot of control over the computing environment with BYOD.

A written policy that IT can refer to when faced with these questions is key. That policy should also make expectations clear to employees so they understand what IT can and will address and how much control the organization ultimately has over the employee’s personal device (such as making them uninstall unapproved or resource hungry software).

4. What happens if any employee’s device is out of commission?

Technology is technology, and it’s bound to face issues occasionally. When employees use company-issued devices, IT typically addresses a faulty computer by giving the worker a temporary (or permanent) replacement. (Depending on the type of work being done, this only works if data is backed up regularly so the employee can access their files on the new desktop.)

If the employee is supplying their own device, does the company have backup devices available? How quickly is the employee expected to replace a laptop that is no longer functional? What happens when the employee leaves the organization? Can they opt out of the BYOD program and get a company issued device quickly?

It’s important to not let a BYOD policy negative impact productivity.

5. How often will you review the policy for effectiveness?

Technology and its uses are moving at such a fast pace that it’s imperative for BYOD policies to be living documents that are regularly reviewed and updated. Create a policy that sets expectations and outlines how the above scenarios will be addressed, then incorporate a timeline for regular policy reviews to ensure it remains up to date and effective.

If BYOD is brand new to the organization, it’s best to begin with a limited pilot program before rolling the policy out to the company at large. This will give the organization time to trouble shoot issues, adjust the policy as needed and cement the best security solutions before a large amount of corporate data is put at risk.

Even after the policy is rolled out, be sure it is regularly reviewed with key stakeholders including line of business managers, executives and members of the company IT and security teams. This breadth of input will ensure the organization addresses any concerns from a holistic view point instead of solving one problem by creating another.

The BYOD trend isn’t likely to recede, and the range of devices employees use to access corporate data is only going to increase in the future. Be sure your organization is prepared for successful BYOD by having comprehensive solutions and policies in place and being prepared to tackle obstacles quickly along the way.

You may also like:

• Security Past the VPN 
• 6 Questions CIOs Should Ask About Patching
• Are You the Reason Employees Aren’t Productive?