Allowing your employees to use their personal smartphones, tablets and laptops for work can make your small business run more efficiently and productively — and save you money. But this bring-your-own-device (BYOD) approach can also open you up to risk. Nearly half of small businesses say mobile devices access applications that are critical to their operations, according to the Ponemon Institute.
Keeping your business safe from mobile attacks means creating a BYOD policy that clearly outlines what devices are allowed, how staff can use them for work purposes and why they must follow the rules you have established.
Follow these steps to craft a policy that protects your company’s information.
Talk with Your Employees
BYOD policies should be formulated to reflect current and future device usage. Your first step should be to survey your employees. It is easy and often free to create a poll using online services or apps. Gather information about the personal devices your team uses, the tasks they complete via these devices and the business information they access. This will give you an accurate view of how your company’s information is being used. Consider making the poll anonymous to encourage full disclosure.
Craft the Policy Fundamentals
Next, define which devices can be used, technology protocols for these devices and what information cannot be accessed on them. Include the following elements in your BYOD policy:
- Authorized devices. Let employees know which devices they can and cannot use for work — for example, smartphones and laptops are permitted, but tablets are not.
- Allowed information. Stipulate which types of business information can be accessed and shared via mobile devices. Clearly outline which data can only be used on company computers.
- Wi-Fi use. Restrict the use of unauthorized, unsecured Wi-Fi networks, such as those in airports and restaurants. Educate employees on how to spot safe networks they can use on their devices.
As new devices enter the market — for example, smartwatches — revisit your policy. A periodic survey of your employees can keep you in touch with their usage trends.
Establish Good Security Habits
Strong security protections are the heart of a good BYOD policy. Though the specifics of your policy will depend on your business, data protection fundamentals should include:
- Good passwords. Ask workers to use long-form, unique passwords with all lowercase letters. The Ponemon report found that 51 percent of SMBs require staff to use passwords for BYOD.
- Limited app downloads. Require employees to download apps only from official marketplaces, such as the Apple App Store or Google Play. Apps from less reputable, third-party stores are more likely to contain malware, which could pose a risk to data stored on a device.
- The right to remote wipe. Depending on the nature of the data stored on devices, you might reserve the right to wipe them if they are lost or stolen. If you include this point in your policy, consider advising employees to back up their personal data.
Know Your Support Capabilities
Consider designating one employee as a point person for colleagues who are having problems with their devices. For example, if a smartphone is freezing up, the point person can work with the employee to troubleshoot the issue or look for helpful resources from the manufacturer.
Also decide whether you will reimburse employees for work-related use of their devices. Some businesses provide a monthly allowance based on an estimated percentage of device use that’s work-related. Other companies cover out-of-plan expenses, such as roaming charges for work calls made while employees are traveling. Other businesses do not reimburse at all. Having a clear policy will minimize misunderstandings.
Educate and Enforce
Once you’ve drafted BYOD guidelines, review them with your team. Emphasize why following the rules is important — and that doing so is the price to pay for the convenience of using personal devices. Recirculate the policy periodically and make it a part of your onboarding process when training new hires.
Any technology-related policy will require updates, so put a date on your calendar for at least an annual review of this important document. New devices, changes in staff, and new security threats are just a few of the factors that make these periodic updates a good idea for your business.