Guide to Creating a BYOD Policy for Small Business

BYOD (bring your own device) refers to the practice of employees using their personal devices—such as smartphones, laptops, PCs, tablets, and other gear—on the job for the sake of convenience and comfort. It can save a company money (no up-front equipment costs), as well as cause headaches (IT and security concerns), but the BYOD trend is quickly becoming an office staple on par with scooters and ping-pong tables (your office may vary).

Variations of BYOD include BYOT (bring your own technology), BYOP (bring your own phone), BYOC (bring your own computer), BYOL (bring your own laptop), BYOA (bring your own apps), and the truly awkward BYOPC (bring your own personal computer). We’ll be using BYOD here because, again, it sounds like a party.

The real question for small businesses is morphing from Should we allow BYOD? to How do we manage BYOD? It’s already here, and there are more than a few factors to familiarize yourself with.

Millennials—but you probably saw that one coming. They’re entering the workforce with years of built-in experience using their preferred smartphones, tablets, and laptops, and they’re not about to give them up.

• Lax protection: While individuals are quick to jump on new apps and updates, they’re not always diligent with antivirus software and firewalls. One overlooked crack in the system could cripple your network.
• Misplaced devices: A lost or stolen device is susceptible to third-party access to your company’s information, as strong passwords and passcodes also tend to be a shortcoming with individual users.
• Unsecured Wi-Fi: The Wi-Fi networks employees connect to outside of the workplace, either in public or even their own homes, won’t always be secure and could leave your business open to hackers.
• Employee separation: If your BYOD worker quits or is let go suddenly, your company’s information and passwords are still on their device, allowing them continued access for potential theft and sabotage.

If the disadvantages listed above caused you to sweat a little, your business should consider creating BYOD strategies and guidelines for employees. Or in a more positive light, if the advantages of allowing BYOD sound like a win for your employees and your business overall, having a policy in place to preserve its integrity and continuance should be a must. If you’re still on the fence about a BYOD policy, try to recall the last time you left a company issue alone to “work itself out.” Likely, it didn’t.

After opening with a paragraph or two about how your company is granting BYOD privileges for the convenience and productivity of employees, as well as a statement that the security of the business’s data and technology infrastructure is of the utmost importance, the sections of a boilerplate BYOD policy could include the following:

• Professional activity directly or indirectly related to the company
• Limited personal use during work hours (personal texts and calls, gaming, reading, etc.)
• Company-approved websites that can be browsed during work hours while on the business’s network
• Company resources employees are allowed to access (email, contacts, calendars, docs, etc.)
• The device’s camera operation during work hours (functional or disabled)
• Disallowed activities at any time (storage or transmission of illicit materials and other companies’ proprietary data, harassment, outside business dealings, etc.)
• Apps permitted on a device (such as productivity apps, social networking apps, etc.)
• Apps not permitted on a device (apps downloaded outside of iTunes and Google Play, etc.)

• Brands and operating systems allowed for smartphones (iPhone, Android, etc.), tablets (iPad, Galaxy, etc.), and laptops (Apple, PC, etc.)—can be detailed down to models and versions
• Connectivity issues that will, and won’t, be covered by company IT
• Who employees should contact for operating system or hardware issues (device manufacturer, their local carrier, or IT)
• Statement that company IT must set up and configure devices before they’re allowed to access the business’s network

• The company’s policy on whether it will or won’t reimburse the employee for a percentage of their device’s cost or contribute toward the purchase of a device
• The company’s policy on whether it will or won’t directly pay the employee an allowance to help cover data costs—or will or won’t pay a percentage, or the entirety, of data costs
• Charges the company will or won’t reimburse (roaming, data overages, etc.)

• Statement that devices, and company network access, must be password protected
• Company guideline for strong passwords (amount of characters, upper- and lowercase letters, numbers and symbols, frequency of password rotation, etc.)
• Advisory to have device lock itself with a password or PIN after several minutes idle; policy that after several failed attempts to unlock, IT will need to be contacted for access
• Warning against downloading apps or software from unauthorized sources
• Warning that unauthorized personal devices will not be allowed to connect to the company network
• Notice that the employees’ level of access to company data will be determined and automatically enforced by IT
• Statement that, upon being lost or stolen, employee termination, or detection of a security threat, IT may remotely wipe the device

• Notice that IT will take necessary steps to preserve employees’ personal data from being erased during the remote wipe of a device (though it is up to the employee to regularly back up their information)
• Warning that the company can disconnect or disable devices at any time
• Advisory that lost or stolen devices should be reported to the company within 24 hours
• Reminder of ethical device conduct guidelines
• Notice that employees are responsible for all device costs, unless otherwise noted
• Advisory that employees assume full liability for the partial or complete loss of personal and company data due to device failure, viruses, malware, and other software or hardware breakdowns
• Notice that the company reserves the right to take disciplinary action, including termination, for noncompliance with this policy

MDM (mobile device management) adds another layer of security to BYOD by separating your business’s data from the employee’s personal data during device usage. IT manages, encrypts, and monitors the company side of BYOD through EMM (enterprise mobility management), a set of tools and processes put in place by the company. Should a device be stolen or lost, or should the employee be terminated by the company, business data can be wiped without affecting personal data, as well as further protecting business data from third-party intrusion. As BYOD evolves and becomes more commonplace, MDM is becoming more essential to company, and employee, security.

BYOD is an excellent, if not inevitable, way to increase worker satisfaction and productivity and cut down on costs for businesses. But without carefully considered policies and security precautions in place, BYOD could become more of a nightmare than a dream for both the company and the employees.

Disclaimer

At Business.org, our research is meant to offer general product and service recommendations. We don't guarantee that our suggestions will work best for each individual or business, so consider your unique needs when choosing products and services.