Key considerations for your specific business environment

Strategically it is often the case that one of two issues arise with planning minimum device requirements:

• Minimum requirements are in place but not sufficiently clear to the workforce.
• Failure to focus on one or more critical areas needed to make the BYOD policy robust.

Any BYOD policy needs to be formulated with these potential blind spots in mind. 

Often overlooked areas to focus on when defining minimum device requirements include:

• operating systems currently and historically used by the device and the support of those operating systems;
• specifics around the hardware being used (including flash drives and other ancillary remote storage), and;
• Device management solutions.

Device Follow Up Policy

Corporations with significant workforces make it very challenging to monitor ongoing device status. A thorough device follow-up policy is essential if the BYOD policy factors in stipends or other reimbursement costs.

Many companies offer stipends or other reimbursement plans to employees who use their own devices either in the workplace or remotely. In most cases, this is to offset employee costs associated with internet access and data plans.

CTOs developing BYOD strategy need to consider two main factors carefully:

• The costs of stipends and other reimbursement expenditure, both on an ongoing basis and year on year. CTOs and CIOs should state the frequency and limits of employee reimbursement.
• BYOD policies often include ‘staged’ or threshold reimbursement plans where employees are reimbursed after exceeding data thresholds. Companies operating BYOD should be able to monitor monthly and, if the business needs demand, daily exposure from employees close to data usage thresholds.

Many companies have become wary around allowing employees to choose their own passwords for devices. But there still seems to be a blindspot around renewing passwords, including (but not exclusively):

• How often passwords need to be reset.
• Who is responsible for choosing renewed passwords.
• How and where password information can be stored.

These considerations should also be factored into any BYOD policy.

BYOD: Security Risks

Against the above backdrop of BYOD policy specifics, there are more general risk management considerations that extend beyond BYOD but are also extremely important to BYOD policy best practices. These include:

One of the major potential issues with any BYOD strategy is the risk that data could be leaked or exposed. There are many ways this can happen, ranging from occasional family’s or friends’ use of devices containing corporate data all the way through the device theft and even rogue employee actions. Any BYOD strategy needs to factor in all conceivable ways data could be leaked either unintentionally or deliberately, with appropriate risk management measures in each case.

Whilst secure servers (SSL) are becoming the standard across the internet; many websites are still lagging behind when it comes to secure servers. At the time of publication, just under 47 million websites in the US had SSL installed, which is nowhere near the many hundreds of millions of US websites.

Under BYOD, companies do not own employee used devices. This means that drivers, apps, or other software and hardware can be routinely out of date. This introduces various vulnerability risks that any BYOD device policy will need to define and manage.

One of the more insidious risks for CTOs and CIOs when it comes to BYOD is the inevitable mix of corporate and personal data. Employees might save some sensitive data on their personal Google Drive in order to ‘work from home in the evening’. There is always a temptation to email oneself with documents for ease of reference. These and many other behavior traits can all lead to corporate risk when it comes to sensitive data.

Personal devices are often not backed up effectively. This opens up the risk of potentially significant data loss in the event of device failure or even the employee losing the device. This risk should be considered very carefully from a strategic perspective and appropriate risk management procedures put in place.

In order for BYOD to work, company IT infrastructure is required which can access device data. In some cases, this can be perceived as an invasion of privacy by employees. When devising, reviewing, or implementing a BYOD strategy, care should be taken to ensure that all stakeholders – including employees – have sufficient buy-in to practically make the policy work.

Developing a BYOD strategy

With all of this in mind, what are the critical steps that CTOs and CIOs tend to follow when updating an existing, or deploying a new, BYOD solution?

1. Steering Group Selection

2. BYOD goals & Contemporary usage

3. Company Policy Landmarks

4. Company Risk Profile

5. Strategy Straw Man

6. Transition from Straw Man to Full Documents

7. Processes and Risk Management

8. Rollout, Feedback and Review

Secure Remote Worker was developed as a Windows-based solution to address the concerns around BYOD security. It enables IT departments to ensure device and data security in any remote working environment.

During work, the employee launches Secure Remote Worker, creating a secure workspace environment managed centrally by IT, allowing access to corporate resources and services remotely – all within a PCI, HIPAA, and GDPR compliant device. Secure Remote Worker comes with built-in features that prevent malware, eliminates threats of data leakage, and enhances employee productivity.