7 BYOD policy essentials




Like it or not, the "bring your own device" (BYOD) trend is in full swing. According to Juniper Research, the number of employee-owned smartphones and tablets used in businesses will more than double by 2014, reaching 350 million compared with almost 150 million this year.


But if your company is like most, you may not have instituted a formal policy that safeguards against BYOD risks. A recent study by security awareness training company KnowBe4 and research firm ITIC found that 71% of businesses that allow BYOD have no specific policies or procedures in place to ensure security.


"There needs to be some policy-based level of control, some sort of documentation or contract or rules," says Hyoun Park, principal analyst at Nucleus Research. A BYOD policy should be like any of the many documents that employees must sign to receive benefits, outlining their rights, responsibilities and rules they must comply with, he says.
A signed policy also gives companies the right to protect themselves in the event of device theft, loss or misuse. "Companies can't simply wipe information off lost devices -- that wouldn't be legal," Park says. "There has to be some sort of agreement in place between the individual and the company."

The issues that need to be considered are "like peeling back layers of an onion," says Paul DeBeasi, research vice president at Gartner. "Are you going to let people connect to [enterprise applications] via their personally owned device or store sensitive information? If so, how are you going to control that? What if someone gives their [older model iPhone] to their daughter, son or spouse or sells it on eBay -- how do you control that, and do you want to?"
All of these questions are why you need something in writing that defines what people can and cannot do and that employees sign off on. "That's the first step in making BYOD work, but few have done an adequate job of that," says Jack Gold, founder and principal analyst at J. Gold Associates.
Here are seven essential considerations for any BYOD policy.

1. Policy first, then tools: The biggest mistake companies make, DeBeasi says, is investing in a mobile device management (MDM) tool before hammering out a policy. "It's so much easier to go out and buy a tool, but the tool needs to enforce the policy," DeBeasi says.
For instance, not all MDM systems provide the same functionality for each type of device (Android, BlackBerry, iPhone, etc.). And MDM tools have their limits -- while they manage the devices, data and application access, they don't tend to cover network access or expense management, Park says. 

2. Employer "right to wipe": Perhaps the biggest risk of BYOD is the exposure of sensitive data if the device is lost or stolen. That's why most policies require password control, device locking and encryption, as well as the right to remotely delete data from the device under certain conditions, including employee termination. Some companies choose management technologies that compartmentalize business data and apps on the device, enabling them to selectively wipe only what is necessary for corporate compliance. Others choose to wipe all data on the device, which will likely include personal data, as well. "If you delete 300 of my kids' pictures, there will be a lawsuit unless there's a policy that people have signed off on," Gold says. Some policies take this one step further, stipulating a remote data wipe if the mobile device is deemed to be violating policy rules. 

3. Employee responsibilities: Employees need to understand what they are responsible for, DeBeasi says, such as maintaining minimum hardware or software requirements. Otherwise, if the company wants to roll out, for example, an iPhone app for corporate use, it may not run fast enough on an older hardware version. "You might want to make it the employee's responsibility to buy the iPhone 4, 4S or 5, and if they don't upgrade, they can't have the app," he says. Another reason for mandating minimum specifications is to keep security patches updated on all devices, says James Gordon, vice president of IT at Needham Bank in Massachusetts. Some policies warn that mobile access will be automatically disabled for people whose device versions are out of compliance.

4. Allowable activities: Policies will differ on what is allowed and forbidden on mobile devices. Common restrictions include rules against downloading company documents; limits on network or application access; limits on device features like cameras and USB ports; bans on jailbreaking the device; and whitelisting and blacklisting of apps and websites. Common websites that are restricted include Dropbox and iCloud. While companies can also ban social networking sites, Park warns that taking away too much personal functionality can discourage employees from using the device -- and working -- off-hours.
Gordon's MDM tool alerts employees if they are outside of the policy's restrictions and blocks access until they take action. But MDM tools cannot enforce all restrictions, such as use of the device camera and network access. "That's actually been a focus for wireless LAN companies, which are increasingly branding around BYOD compliance," Park says. "They can control specific degrees of network access, based on actual device identity." 

5. Allowable devices: Many policies do not limit allowable devices, but Gold suggests they should, in the interest of reducing support costs and applying security controls. At the very least, he says, companies should consider tiering the policy by device type. For instance, he says, maybe BlackBerries can access enterprise applications; iPhones and iPads just email and the network; and Androids email only. "You should tell users why, so they can make an informed decision about the device they choose," Gold says.
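As an added example (not from the article or any MDM vendor's product), here is a small Python compliance check that applies the rules from items 3, 4 and 5 to a constructed device inventory: minimum OS versions with automatic disabling of out-of-compliance devices, the passcode, encryption and jailbreak restrictions, and tiered access by device type. The minimum version numbers and the sample devices are assumed values, not figures from the article.

```python
from dataclasses import dataclass
# Tiered access by device type, following the article's example in item 5.
TIER_ACCESS = {
    "blackberry": {"email", "network", "apps"},
    "ios": {"email", "network"},  # iPhone and iPad
    "android": {"email"},
}
# Minimum OS versions (item 3); these numbers are assumed sample values.
MIN_OS_VERSION = {"blackberry": (7, 1), "ios": (6, 0), "android": (4, 1)}
@dataclass
class Device:
    owner: str
    platform: str
    os_version: tuple   # e.g. (6, 1) for iOS 6.1
    passcode_set: bool
    encrypted: bool
    jailbroken: bool    # jailbroken or rooted

def evaluate(device):
    """Return (allowed_access, violations); any violation disables access,
    as the policies in items 3 and 4 describe, else the platform tier applies."""
    violations = []
    if device.platform not in TIER_ACCESS:
        violations.append("platform not on the allowable-device list")
    elif device.os_version < MIN_OS_VERSION[device.platform]:
        violations.append("OS version below policy minimum")
    if not device.passcode_set:
        violations.append("no passcode or device lock")
    if not device.encrypted:
        violations.append("storage not encrypted")
    if device.jailbroken:
        violations.append("device is jailbroken or rooted")
    if violations:
        return set(), violations
    return set(TIER_ACCESS[device.platform]), []

# Constructed inventory for demonstration; owners and versions are made up.
SAMPLE_INVENTORY = [
    Device("alice", "blackberry", (7, 1), True, True, False),
    Device("bob", "ios", (5, 1), True, True, False),         # below minimum
    Device("carol", "android", (4, 2), True, False, False),  # unencrypted
    Device("dave", "ios", (6, 1), True, True, True),         # jailbroken
    Device("erin", "android", (4, 1), True, True, False),
    Device("frank", "winphone", (8, 0), True, True, False),  # not allowed
]

def compliance_report(inventory=SAMPLE_INVENTORY):
    """Map each owner to (allowed_access, violations) for the whole fleet."""
    return {d.owner: evaluate(d) for d in inventory}
```

Feeding the report to an MDM alert or access gateway is where a real deployment would differ; here it only shows which devices the written policy would cut off and why.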

6. Who provides support? Some companies decide that if employees own the device, they shoulder responsibility when it malfunctions. But time spent on support equals lost productivity, Park says. "So you take away a half-hour IT call, but the company may lose several hundred dollars as a result," he says.
DeBeasi suggests a division of responsibilities. "If it's an enterprise-developed app that's loaded onto the phone and it doesn't work properly, or it's a Cisco VPN client that enables network connection and is problematic, you probably should be able to call the help desk for that," he says. But for hardware-related issues or anything non-business-related, "call the Genius Bar," he says. 
Either way, the policy needs to spell out these distinctions. Companies might want to consider self-support knowledge bases and forums, published on intranet portals or SharePoint sites, DeBeasi suggests. These can also serve to clarify what is and is not supported. 


7. Who pays for what? When companies formalize BYOD, the question arises of who foots the bill for both the device and ongoing usage charges. "With 4G devices, it's easy to start downloading a lot of gigabytes -- who's paying for that?" DeBeasi says. If most of the downloads are business-oriented, employees might expect the business to pay for it, but some companies might want to set a cap. Either way, the details of payment need to be spelled out in the policy.
Park sees three common options: no reimbursement; expensing of a portion of monthly usage costs; and one-time or ongoing stipends. Companies may even offer different plans for different employee roles, with some getting full reimbursement, for instance, and others partial.
The sheer number of issues that BYOD raises can be paralyzing, but the important thing is to take action. "You need to get out in front of this and put some kind of simple policy in place -- even if it's an imperfect one," DeBeasi says. "More than anything, BYOD is an experiential thing and not something you can learn by analyzing every possible consideration."