The requests for employees to use their own smartphones, tablets, and other devices for work is now about as inevitable as a quarterly P&L statement. The question for most organizations is, how well is your company aligning that employee urge with data protection strategies?
While it's common for businesses to invest in mobile device management and mobile application management tools, they frequently fail to apply those tools effectively to user-owned mobile devices. While 65% of businesses say they allow for bring-your-own-device programs, according to a recent report from analyst firm ITIC, 43% have no designated BYOD security policies.
Using even the best mobile device management and mobile tools without a BYOD policy document won't work. A BYOD policy document serves as the bedrock for solid security enforcement and a backstop for legal protection. Without the policies in place, IT is forced into an ad hoc approach to managing device activity and user access, which could keep the BYOD program from supporting business goals such as improving sales teams' efficiency.
Lack of a policy also may leave the business exposed to unnecessary legal risk, if the company isn't transparent with employees about how it's monitoring employee data and doesn't check for any conflicts with privacy laws.
What's more, establishing BYOD policies and educating employees on them is an effective way to make sure the company's leadership and rank and file all are clear on the company's position about access to corporate information on personal devices and what people can and can't access.
"The most important aspect of a policy is transparency," says Garrett Larsson, co-founder and CEO of Mojave Networks, a network-level mobile security company.
Ideally, a BYOD policy document provides a framework that lays out the responsibilities and rights of the company to manage its corporate data on employee-owned devices as well as the responsibility and rights of the employees when they're using personal devices for work. "If you don't lay those out, then there's a whole bunch of question marks hanging in the air," says Nicko van Someren, chief technology officer of mobile device management firm Good Technologies.
As your company sets out to develop realistic and enforceable policies, one of the first considerations is who will draft the document and which stakeholders will get a say about its contents. Without a well-rounded group participating in the process, the company risks committing to a set of measures not grounded in reality.
IT and legal departments should play a leading role in developing the policies, with guidance from the executive committee and human resources. Before they put pen to paper, though, these stakeholders need to build a consensus about their goals. Do that or you'll have a compliance document that looks good on paper, but "it will never get enforced because it's not built from the ground up," says Adam Ghetti, founder and CTO of Ionic Security, a unified data and mobility platform vendor. "Time and time again, we see top-down directives from compliance and legal with a little bit of IT involved."
Instead, it's important to have midlevel line-of-business managers at the table contributing, and to consider some sort of straw-poll input from employees who will feel the impact of new policies. "It's very easy to come up with a policy that satisfies legal and IT but makes employees very unhappy," says Good Technology's van Someren. "I think it's important to get feedback from all of the different constituencies who are subject to this policy."
Companies may find it hard to aggregate all those concerns into a single comprehensive policy statement, but that's OK. In fact, most companies should break up policies and practices along lines such as departments, types of data accessed, geographies, and user groups. The best BYOD policy documents don't force all-or-nothing regulations on a wide base of users.
"BYOD may only makes sense for a portion of your business or employees," says Marc Maiffret, CTO for BeyondTrust, an account management and vulnerability management firm. There will be certain employees who don't need the luxury of accessing corporate data via their personal devices, or executives who may need data that's too high risk to allow access via BYOD, says Maiffret. Adds van Someren: "What's appropriate to do with engineering data is different than what it's appropriate to do with sales data, which is different from legal data."