In Part 3 of "It's 2013. Do You Know Where Your BYOD Policies Are?" we will address developing BYOD trends and best practices. Please check out Parts 1 and 2 of this 3-part series, addressing employee and employer concerns, respectively.
Recent Findings: Widespread Adoption, Lagging Management
Recent studies show that security practices and corporate policies are struggling to keep pace with the popularity of BYOD. As mentioned in Part 1, a recent Cisco study found that 90% of full-time American workers use their personal smartphones for work purposes. Surprisingly, widespread adoption is reported in industries handling highly sensitive and regulated data: banking at 83.3%, and healthcare at 88.6%.
Given that BYOD has become the norm even across sensitive industries, it is troubling to learn from the Cisco study that 40% of workers do not use even basic password protection, and 50% report accessing unsecured Wi-Fi networks. These loose security practices may be the result of lax management. A recent report commissioned by the Logicalis Group showed that only approximately 30% of BYOD users in the U.S., and 20.1% worldwide, signed a mobile device policy. Unconstrained digital activity poses a real threat to an organization for all of the reasons described in Part 2 of this series. A properly enforceable and enforced corporate BYOD policy may be the best strategy to balance corporate security interests with the privacy interests of employees and third parties.
Overriding Theme: Security-Privacy Balance
Appropriate BYOD policies must strike a balance between security and privacy interests. This balance can be achieved, for example, by requiring segregation of personal data from work data on a device, selective wiping, and requiring employees to frequently back up device content. Security measures should be proportional to the security risk and target corporate, not private, content whenever possible. Finally, privacy provisions of a BYOD policy must be clearly communicated to employees, and their consent obtained. An employee's reasonable expectation of privacy can only be overcome with clear notice. Clear notice is more important than ever when BYOD blurs the line between personal and work spaces.
Consider the following best practices for designing an effective BYOD policy and compliance program:
- Draft an enforceable policy. A policy should be legally enforceable and realistic. Consider managing, but not prohibiting, activities that employees are almost certain to engage in (e.g., remote cloud storage).
- Collaborate horizontally. Collaborate horizontally within your organization when designing a BYOD policy. Include stakeholders from legal, IT, and HR departments. Consider the impact of BYOD policies on other policies and processes, including sales, employment agreements, and corporate security.
- Tailor a policy to your corporate profile. "One size fits all" does not apply to BYOD programs. Policies should take into account the unique risks and regulations within an industry. In certain cases, policies could be tailored to fit divisions or locations within a corporation.
- Notify employees and obtain consent. Explain specific employee obligations, and guide employee privacy expectations with plain-English rules and examples. Do not forget to keep good records of notification and consent.
- Enforce the policy. As with any policy, a BYOD policy will only be effective if continually enforced. An unenforced policy may prove worse than not having a policy at all.
As BYOD has become the new normal, the corresponding risks must be understood and mitigated. Social expectations and norms between employers and employees are still evolving. Technological solutions, such as mobile device management services, are being developed and refined as well. In this new and rapidly changing environment, the most important step that all companies should take today is to draft, enforce, and communicate appropriate BYOD policies.