Small Business BYOD Policy Tips
Speaking of company policies for small business BYOD, let's look at some other important tips. Smack at the top of this list: permission from employees to remotely and automatically install security and other company software and updates on their devices. You'll also want to get permission to automatically back up any company data stored on the phone.
If your company uses cloud services, much of that data will be stored off the device already. However, customer and client names and contact info may end up in the employee's contact database. The dual-persona devices described above can handle that problem nicely. If you don't have that feature in place, though, you need to address how you're going to get customer contact and other data from that personal device.
Paul Hill, senior consultant at SystemExperts, provider of IT compliance and security consulting services, suggests that, when writing your company policy, you spell out the stipulation in exact language, such as "employees should not store any company data on cloud-based storage services unless explicitly authorized in writing by their manager."
Even so, you'll likely need to train employees and constantly remind them of the policy forbidding the use of such apps for work.
"The last point can be difficult for many employees to fully understand and manage," says Hill. "Many cloud-storage services come with a variety of integrated, third-party applications. In some cases an employee may be using an app and not realize the data is not stored locally."
Examples of cloud storage vendors include Apple's iCloud, Google Drive, Microsoft OneDrive, Evernote's cloud storage, Dropbox, Adobe Creative Cloud, Box, Hightail, and CloudOn. Not only might you have trouble ever getting that data back into your database, but you may have trouble protecting it in the cloud from hackers and providers, too.
There's one more often-overlooked issue that you should address in your BYOD policy: the importance of not sending objectionable material from a personal mobile device that is also used for work.
"Because BYOD blurs lines between work and private life, we see more and more discrimination lawsuits that involve employees sending inappropriate or objectionable conduct over their personal devices," says Shira Forman, an employment lawyer with the New York office of Sheppard Mullin Richter & Hampton.
Forman advises small businesses that adopt BYOD programs to be vigilant about updating and enforcing their anti-discrimination and anti-harassment policies.
"Employees need to be reminded that just because they are using their own smart phone doesn't mean they should feel free to send an inappropriate personal text or video to a colleague," she says.
Limiting BYOD Device Options
The most common mistake small business owners make with BYOD programs is to open the gate to any and all devices employees might want to own. This creates havoc for your IT department (or you, if you do the company IT support yourself).
It's better to narrow the types of devices you will support by operating systems and versions rather than supporting a huge range of devices that will likely constantly change as employees upgrade or refresh them. The situation becomes more complicated if employees insist on using mobile devices with old operating systems the manufacturer no longer supports.
"If a small business attempts to support all types of devices, it's inevitable that neither the employees that own the devices, nor the employees responsible for the IT security of the company will be happy with the result," says Hill.
Hill went on to say that small business owners should understand that the carrier, the phone manufacturer, and the management platform affect device management capabilities as much as the device's operating system features. In other words, make sure you fully understand how easy or difficult a given device or phone carrier is to manage before you add it to your BYOD approved list.
BYOD Security Tips
Beyond securing your company data using the technologies and techniques previously discussed, there are plenty more things you can do to further enhance data security.
"Protecting data on a BYOD device is much like protecting it on traditional computers," says Lysa Myers, a security researcher at ESET, a security product producer.
"Update software as promptly as possible, encrypt sensitive data in files sent across the network, back up important files, and enable security features within the operating system—especially remote wipe and auto-lock," she added. "You may also wish to limit apps to an approved list, to minimize the possibility of employees installing leaky apps."
You should also train employees so they know what they can do to avoid making themselves, and the company, a target for hackers. Explain how they should fortify their home Wi-Fi and avoid public networks. To aid with home network security, and thereby extend protection of company data, consider offering company security software for their home use on other devices. Or, simply point them to a list of free or affordable security products, and teach them how to use them if need be.
Dr. Engin Kirda, computer science professor at Northeastern University and co-founder and chief architect at Lastline, a security product producer, recommends you take the following security measures:
- Make sure employees have a strong alphanumeric password on their home router
- Implement security tools on everything from their home printer to their tablet
- Keep their operating systems up-to-date
- Be prudent about using unsecured cloud applications, thumbdrives, Bluetooth sharing or other uncontrolled transfer technologies to transmit confidential data
- Make sure they're not afraid to ask for help or request special training
- Urge them to use a password manager (e.g., open source tools such as KeePassX) to generate and store strong passwords
Also, be careful to vet security products before you buy or share them with employees. In other words, make sure you understand what the product can and cannot do before you invest in it.
"Personal devices often don't have the same level of security technology installed, and not all enterprise-grade security technology 'scales down' to personal devices, or small businesses for that matter," warns Dr. Kirda.
This is true for both company-owned and personal mobile devices; it's just that BYOD security is tougher to conquer by virtue of the range of devices, operating systems and carriers you must accommodate.
To BYOD or Not to BYOD: That's the Question
As noted earlier, many of these issues apply to both company-owned and personal mobile devices. Make sure you compare the two options accordingly when making your final decision.
In some areas, BYOD trumps company-owned devices hands down. One example of this, as counter-intuitive as it seems, is dual-persona solutions on private devices.
This option beats owning two devices—one company-owned and one personal—in limiting company data exposure on personal devices. In other words, one protected personal device is generally safer than two devices, as employees will often use the personal device for business purposes anyway.
In other ways, company-owned devices will actually be cheaper and easier than BYOD. For example, IT support is simplified. Device control is often better too; however, data protection is not. Employees still tend to work on their personal devices and, conversely, to do personal stuff on the company devices.
You should also consider how receptive your employees are to BYOD. While employees in many companies not only enjoy but demand BYOD, employees in other companies don't welcome what they see as an additional cost they can ill afford. It's best to figure out where your employees stand before you make your final decision.
In the end, what matters is which choice benefits your company the most in terms of costs and benefits. Only you can decide that.
Pam Baker has written for numerous leading publications, including Institutional Investor magazine, CIO.com, NetworkWorld, ComputerWorld, IT World, Linux World, Internet News, E-Commerce Times, LinuxInsider, CIO Today Magazine, NPTech News (nonprofits), MedTech Journal, I Six Sigma magazine, Computer Sweden, the NY Times, and Knight-Ridder/McClatchy newspapers.