No BYOD Policy? Time to grasp the nettle

Chris Gabriel considers why it is that so few organisations have a BYOD policy in place, despite allowing employees to use their own devices for corporate purposes – and highlights a series of issues that an effective BYOD policy must take into account.

A research whitepaper published in November by Ovum and commissioned by Logicalis, revealed a great many interesting BYOD trends – many of which were highlighted in a recent CXO post (BYOD Research) by Ian Cook.  Perhaps the most startling, however, was the very low proportion of ‘BYOD-ers’ who have signed corporate BYOD policies.

78% of firms have no BYOD Policy

The research found that, globally, almost 60% of full-time employees partake in some form of BYOD, but only 20% of them have signed a BYOD policy.  Is that a result of employees simply failing to sign a policy?  Apparently not.  A separate piece of research recently found that 78% of firms whose employees BYOD do not have a policy at all. If I might indulge in the art of understatement, that seems a bit of an oversight and something of a risk. Without a policy in place, how can an organisation exercise any control over the blurring of lines between personal and corporate, and protect both parties against the BYOD risks that are so well documented? Quite simply, they can’t.

Given that the number of consumer devices in the workplace is predicted to double by 2014, reaching 350 million, I’d suggest that correcting that oversight will, or should, be a priority for a great many.

However, and maybe this explains why so few firms have tackled the issue to date, putting together a BOYD policy is not necessarily straightforward. Indeed, the task almost certainly requires collaboration between a number of business functions – human resources, legal and, given the technical nature of the risks, IT.

In fact, I’d argue that IT has a key role to play, given that the way BYOD is enabled will shape the risks. That is, the starting point for any BYOD policy must be quantify what the organisation’s BYOD infrastructure enables employees to do with their own devices when and where, how information security is protected and what can be done if something goes wrong. That input will form a vital framework against which legal and HR teams can shape policies according to risks, regulations and corporate governance.

No small task, and the outcome will differ from firm to firm, industry to industry, region to region. There are, however, a few common themes that most policies will have in common. They include:

1. The ‘Right to Wipe’. What happens when a device is lost, stolen or misused, putting the security of sensitive data at risk? A policy may stipulate that devices must be password protected, encrypted and locked, but may also give the employer the to remotely delete data when a device is compromised. Any policy setting out a ‘right to wipe’ should be very clear as to how much data can be wiped from the device and, depending on the specific BYOD approach, makes employees aware that personal data may be lost.
2. Employee Responsibilities. There cannot be any wriggle room when it comes to employee responsibilities, for instance making sure devices are compliant and security software is kept up-to-date. Depending on the exact approach to BYOD enablement, it may also be necessary to restrict BYOD access to a pre-defined set of smartphones or tablets  - for instance those supporting corporate access apps or specific security protocols.
3. Employer Responsibilities. Any effective policy must also make clear where the employer’s responsibilities begin and end. If an employee owned device malfunctions, who covers the cost of support or repair? Does the company wash its hands of support, or could that compromise security? Alternatively, some policies set out a sliding scale of support depending on job function – for instance, it makes sense to offer support where the helpdesk cost is outweighed by the potential for lost productivity.
4. What’s allowed? This is really the crux of the matter and where the company can limit that blurring between ‘consumer’ device behaviour and BYOD. The starting point is to work out what employees should be allowed to do with their won devices, what data they can access, and what they cannot do – within the limits set out by BYOD infrastructure and security. Obvious limits will be on ‘jail-breaking’ devices, downloading corporate data and accessing certain websites, or types of websites. But there is a balance to strike, because setting too many limits risks putting employees off, which means missing out on the productivity and collaboration benefits that BYOD can deliver.

There are, of course, a whole host of other considerations. Who pays for any additional data allowance that might be needed, and who covers device insurance? What does the ability to access and store corporate email, files and data on personal devices mean for processes like eDiscovery, Legal Hold and Purge? The point is, an effective BYOD policy must be comprehensive in protecting businesses and employees, but no so restrictive as to make BYOD practically useless. Getting it right is a complex and time consuming task, requiring collaboration across functions that may have conflicting views.

Maybe that explains why so many firms have yet to grasp the BYOD Policy nettle.

What are your thoughts on BYOD policy, do you feel you are on top of the situation?  Share your thoughts below. Next week Vince DeLuca looks at what we can learn about DRaaS in the wake of Superstorm Sandy.