CAN YOUR COMPANY AFFORD NOT TO HAVE A BRING YOUR OWN DEVICE (BYOD) POLICY?
What is BYOD?
Bring Your Own Device or BYOD refers to a program of permitting employees to bring personally owned mobile devices, such as laptops, tablets and smart phones to the workplace and allowing employees to use those devices to access confidential company information and applications. With an estimate of 95% of employees using at least one personal device for work purposes, BYOD is a reality that you cannot ignore.
Advantages of Allowing Your Employees to Use Personal Electronic Devices
As I am sure you know, there are many advantages of allowing your employees to work on and access corporate data from their own personal devices. Some advantages are as follows:
1. Creates more flexibility for employees;
2. Results in cost savings to the company; and
3. Increases productivity since employees are happier, more comfortable and often work faster with their own devices.
Risks of Allowing Your Employees to Use Personal Electronic Devices
There are significant risks in allowing your corporate data to be accessed on your employee’s personal devices that you have no control over. Such use can result in data breaches which can occur in any number of circumstances, one of which is when an employee uses a personal device to access and save company information and then loses that device. Anyone who finds that device may be able to retrieve company trade secrets and other sensitive information relating to the company, its customers or its employees. A breach can also occur if an employee sells their device, trades it in for a newer version or passes it along to a friend or family member without removing the sensitive company information. It is imperative to put security measures in place to reduce the risk of company information being disclosed to unauthorized individuals.
BYOD Policies
If your company allows employees to use their own mobile devices at work, you should have a BYOD security policy that clearly outlines the company’s policies to manage these devices and insure that network security is not compromised by your employees. Some key points to consider when formulating such a policy are as follows:
1. Determining what data employees can have access to with their own device;
2. What security measures will be in place should an employee’s device be lost, stolen or compromised; and
3. Which applications will and will not be allowed to be downloaded onto such device, whether personal or business related.
Your Company’s BYOD policy should provide detailed security requirements for each type of personal device that is used in the workplace and connected to the corporate network. For example, your company should require devices to be configured with complicated alphanumeric passwords, prohibit specific types of applications from being installed on the device or require all data on the device to be encrypted. Other BYOD security policy terms may include limiting activities that employees are allowed to perform on these devices at work, such as only allowing email access for corporate email accounts and periodic audits by the company to ensure the device is in compliance with the BYOD policy. Another important point to address is what procedure will be taken with respect to personal devices which have, or have had, access to company information when an employee leaves the company. Many companies address an employee exit strategy with respect to such devices which requires a wipe of the device to be performed.
Employees’ use of personal devices to access your company’s data is increasing and so are the issues related to such usage. Because the use of personal devices in the workplace has its risks, it is imperative that if your company permits its employees to access corporate data on a personally owned device, you adopt a BYOD policy to minimize those risks.
We are happy to discuss the implementation of a BYOD policy for your company, and assist you in drafting a policy that fits your company’s needs.
Learn more about Business and Employment Law practices.