How to write a Bring Your Own Device (BYOD) policy for your company

Did you know letting your employees use their own phone for work leads to a happier workplace and measurably higher productivity? This page explains the different types of BYOD, why a robust BYOD policy is vital for security and how to write one.

With the rise of remote and hybrid working, businesses must have an effective, well-communicated, and periodically updated BYOD policy in place. Having a proper BYOD policy in place can help with security, improve productivity and – perhaps surprisingly – leads to a happier workforce and a smarter, more adaptable organisation.

What exactly is BYOD?

Bring Your Own Device (BYOD) was coined as a phrase in 2004. Employees that use BYOD can bring their own laptops, tablets, USB drives, and smartphones to work and use them for business-related tasks. So employees may, for instance, use their own phone or tablet to access workplace emails and information, connect to the company network and access company apps and data.

There are several kinds of practise that fall under the umbrella term of BYOD. Examples include:

• Corporately owned/Personally enabled (COPE)
• Choose your own (business) device (CYOD)
• Personally owned, partially enterprise managed
• Personally owned with managed container application

Why allow BYOD?

Smartphones are the most commonly used BYOD gadget. The idea is popular for employees who may not make mobile work phone calls often enough to justify the cost of issuing them a company mobile phone, but who like the convenience of checking messages easily on the occasional trip away from the office.

The many advantages of BYOD explain why it has grown in popularity.

Ease of use

We now have more personal gadgets, and these devices can perform many of the tasks that PCs would have performed. For example, most people now bring at least one smartphone to work. According to a LaptopsDirect survey, 84% of British employees currently use their own mobile phones at work. According to the same study, workers in the marketing, information and communications, creative and photographic professions (as well as professional services) are the most likely to use a smartphone. Furthermore, many firms, particularly smaller ones, have simply grown to rely on employees’ personal devices being available for work use.

Enhanced Productivity

Employees that use their own devices frequently work quicker (with less training required) and become more productive.

Cost savings

A widely cited Cisco analysis from 2016 projected that implementing a BYOD strategy saves businesses an average of US$ 350 per year.

Speed

Using portable devices for work is predicted to save employees 58 minutes each day, according to Samsung + Frost and Sullivan.

Other benefits include:

1. Leveraging the expertise of tech-savvy staff.
2. Innovating by discovering new, better, and faster ways to complete tasks.
3. Increased morale, employee satisfaction, and productivity. This partly stems from the fact users already know how to use their own devices, configure them to their own preferences and actually work better and feel less stressed when they’re trusted to keep track of their personal messages through the day.
4. Less reliance on IT BYOD often means less IT-related difficulties for the company to deal with, saving money on IT resources.

Why does your organisation need a Bring Your Own Device (BYOD) policy?

A BYOD policy is a document that specifies how employees are permitted to access corporate digital assets via personal devices, and which employees may do so. A good BYOD policy will ensure that your employees adopt proper, approved security practises when connecting to the company network. In an enforceable BYOD policy, employees must agree to comply with your organisation’s standards regarding authorised use of technology, how to operate it, and how to safeguard the company from cyber threats.

A good BYOD policy will:

1. Be structured to benefit both the employee and the company
2. Be backed up by appropriate and effective monitoring, feedback, and enforcement.
3. Protect the infrastructure and data of your organization from cyber threats such as ransomware, hacking, and data breaches.
4. Ensure legal compliance and contractual commitments are met.
5. Allow for the smooth operation of flexible, remote, and hybrid working.
6. Enable users to use IT with confidence and ease.

The fundamentals of a BYOD policy

A thorough examination of the risks, challenges, costs, and resource implications, as well as a knowledge of the policy’s aims and advantages, should be the beginning point for designing a BYOD strategy.

The following should be included in the essentials of a BYOD policy, as well as the development of that policy:

1. An audit of the current system to identify dangers, risks, and opportunities for BYOD.
2. Setting BYOD targets based on the audit.
3. Based on these two steps, a BYOD policy that benefits both the company and the employee can be formed, which may include:
4. A summary of the policy’s objectives to help employees comprehend its purpose and significance.
5. An outline of the policy’s scope. This will cover who it applies to among employees and third parties, and the systems it applies to.
6. A definition of what constitutes authorised personal device use for business purposes. This could include, for example, the sorts of allowed mobiles or devices and the approved security software – such as mobile device management tools or application management tools – that must be installed on the user’s device. Mobile device management tools allow you to keep track of activity and remotely wipe the hard drive of a device if the device is lost and there is a risk of a security breach. Application management tools make it easy to update apps remotely to ensure all security patches are up to date, for example.
7. Tasks that are and are not permitted.
8. Additional security measures that must be implemented, such as password restrictions, verification and encryption requirements, biometric security, and any time-out duration for locking.
9. User responsibilities for how their device is utilised when connecting to the company network. This could involve informing IT if they leave their job and adhering to relevant legislation, including not using BYOD while driving.
10. A statement of who is responsible for cost, such as the purchase, operation, repair, and replacement of personal devices used in BYOD, as well as the nature of any incentives or cost reimbursements offered to employees who use their personal data plans while using their device for business operations.
11. The company’s stance on liability for personal device and data loss or damage caused by BYOD.
12. The method of monitoring, such as checking the brand and model of devices and whether operating systems are up to date, as well as any spot checks. This statement could also include information about what IT staff can access, such as information about how to use business programmes via BYOD, but not personal information.
13. Set device constraints, such as whether managers can access and wipe devices remotely.
14. Details on enforcement mechanisms, such as what happens if employees do not follow the policy, such as access to BYOD services being revoked.
15. A specification of the termination policy as well as an exit strategy for employees who no longer want to engage in BYOD.

Software for managing BYOD in your organisation

There are also numerous methods and software options available to facilitate BYOD management. They enable you to track every device and monitor usage. CrowdStrike Falcon for mobile, SolarWinds RMM, ManageEngine Mobile Device Manager Plus, AirWatch Workspace One, and others are among them.

Sources & further reading

Microsoft Office 365 ‘UK Blueprint: BYOD Access Patterns’.

Google: Six ways that G Suite helps IT admins safely use BYOD.

UK National Cyber Security Centre guide to BYOD.