Many employees expect to be able to use their own devices at work. Here’s how enterprise IT teams can ensure the BYOD craze doesn’t expose their networks to undue risk.
The bring-your-own-device (BYOD) movement is not exactly breaking news in the enterprise IT space. All the way back in 2015, nearly 60% of companies were already allowing their employees to use their personal devices for professional purposes. By 2016, 87% of companies were allowing their employees to at least occasionally access business applications from their personal devices, and a clear majority of these companies (60%) had a formal BYOD-friendly policy in place.
The prevalence of BYOD workplaces has only increased since then, and in truth, it’s not hard to see why. The flexibility and familiarity that define BYOD culture have led to happier, more productive employees. Not only does a BYOD policy eliminate the need for a company to invest huge sums in multiple devices for each of its employees, but it also empowers employees to work remotely and/or at odd hours, something Millennial workers in particular find hugely attractive.
In fact, a 2013 study found that a well-conceived BYOD policy can generate an average annual value of up to $3,150 per employee. For large enterprises employing thousands of people, this amounts to a substantial chunk of change.
That said, the operative phrase in the study’s findings is “well-conceived.” Its huge upside notwithstanding, the BYOD movement presents enterprises with a number of challenges related to excessive bandwidth usage, identity access, and, most importantly, cybersecurity. With that in mind, here are five things enterprise IT teams should consider as they draw up, or simply refine, their office’s BYOD policy.
BYOD need not — and often should not — be an all-or-nothing proposition. Accessing sensitive or otherwise valuable company data on one’s personal device is a privilege, and should be treated as such. There’s nothing wrong with reserving BYOD rights for a select few employees who either have proven themselves trustworthy or are assigned tasks that would benefit greatly from the increased flexibility created by a BYOD policy. In fact, it’s often worthwhile to (internally) publicize the goings-on of a “BYOD beta group” so that other employees get a clear idea of the behaviors they need to exhibit in order to earn the privilege of working from their personal devices.
When it comes to their knowledge of and adherence to cybersecurity best practices, the average enterprise employee is far closer to an average consumer than to an average IT professional. Unfortunately, half of all U.S. consumers admit to having visited a website that they feared would compromise their device, and nearly 70% of U.S. consumers report having clicked on a link in an email that directed them to an unexpected site.
To minimize the frequency with which these bad behaviors seep from the personal to the professional sphere, enterprises need to provide every employee with extensive training before they’re granted BYOD privileges. This training should include cybersecurity basics like proper password construction and phishing awareness, but it should also include lessons on BYOD-specific topics. These might include explanations of the necessity of maintaining separate directories for the storage of work-related information, or the importance of only utilizing secure applications downloaded from credible app stores.
Data ownership is one of the trickier issues raised by the move to BYOD. While employees clearly retain ownership of their physical devices when they bring them into the workplace, it’s often unclear who owns what on those devices. To protect themselves against all eventualities — disgruntled employees, misplaced devices, etc. — enterprises must make it clear from the get-go that they own any and all data related to their operations that employees produce on their personal devices.
This data ownership enables an enterprise IT team to remotely wipe the business-related data on an employee’s personal device if the circumstances call for such a course of action. Of course, for an employee to feel comfortable granting such comprehensive access to their personal devices, their employer must make a concerted effort to keep the employee’s private data private — full stop.
While using extensive training to instill good cybersecurity habits in employees is important, it’s just as important for enterprise IT teams to build a culture of cybersecurity at the organizational level. The pillars of a strong cybersecurity culture will vary from organization to organization, but drawing up a whitelist of devices, operating systems, and applications that qualify for a BYOD program, devising a way to regularly patch these devices, and implementing strict employee password protocols are all applicable in almost any corporate setting.
For an enterprise just starting to dip its toe in the BYOD waters, a thorough cybersecurity audit can be a great way to pinpoint its current cybersecurity vulnerabilities and figure out the best way to shore them up.
A sufficiently well-considered enterprise BYOD program can get very confusing, very quickly, especially for nontechnical employees. As such, enterprise IT teams should take the time to put their BYOD policies down in writing and disseminate these formalized policies to all employees, not just those currently bringing their own devices to work. A formal BYOD policy should address the rules and regulations governing the use of personal devices in the workplace, the responsibilities employees have if they choose to use their own devices, and the consequences employees will face should they fail to discharge these responsibilities.
For many companies, partnering with a networking expert like Turn-key Technologies (TTI) is the most effective way to manage a BYOD program. With nearly three decades of experience, TTI can help any organization get the most out of the BYOD movement while minimizing its risks. From in-depth network assessments to end-to-end managed IT services, TTI is able to craft a BYOD solution tailored to any organization’s unique needs.