How the CIO Can Establish a BYOD Usage Policy
Post by Chris Curran on March 8, 2012
If you’re grappling with putting policies and procedures in place to manage the consumer-driven transition to a bring-your-own-device workplace (BYOD), don’t worry. You’re not alone.
Only 43 percent of respondents to PwC’s 2012 Global Information Security Survey said that their organization has implemented a security strategy for use of employee-owned devices. It’s not surprising that companies are struggling. Developing a BYOD strategy can stir up a hornet’s nest of issues for the CIO at the nexus of technology, HR and legal.
If you’re still sitting at the drawing board, consider bringing your legal and HR colleagues to the table. Yes, it’ll complicate matters without a doubt, but there’s ultimately no way around it. Together, you can tackle the thorny questions that you are already asking yourself.
For example, what happens when an employee loses her personal computer that contains trade secrets? Do I have the right to wipe the data with a mobile management system that I require employees to install? What happens if employees refuse to download the software? Should I share ownership of personal devices with employees so I can wield the legal power to protect sensitive information? Does this mean that I give employees stipends to buy what they want and make it clear that the gadgets are on loan for all intents and purposes? Should I demand employees back up their files? Will they listen? What happens if they don’t? What are the repercussions? What tools do I have at my disposal to make them comply?
Tread lightly as you approach this unwieldy intersection between technology, HR and legal. If you go too far in trying to dictate what employees can and cannot do with their own equipment, you run the risk of ending up right back where you started before you stopped pushing back on the infiltration of personal devices into the enterprise. Workers revert to circumventing your systems and creating security breaches. Or, on the opposite end of the spectrum, your department winds up saddled with the daunting task of micro-managing thousands of gadgets, which defeats the benefit of embracing BYOD.
If you enlist the heads of HR and legal, they should be able to help you ensure your policies and procedures are empowering to you from a risk management perspective while palatable to employees. Obviously, you need some level of control to protect corporate assets. At the same time, you don’t want to invade the personal privacy of employees or drive them to go rogue. The challenge is to strike the delicate balance between going too far and not going far enough.
- Require employees to sign binding agreements that say that their computers, including their personal data, could be wiped in the event the computer is lost or stolen
- Require employees to back up personal information stored on the devices and explain that the organization cannot be responsible for loss of personal files
- Require employees to relinquish some rights to control the device and mandate that they install a mobile device management client, encrypt their device and email, and use strong passwords
- Outline the support and repair policies for the equipment
- Get upfront permission from the user to wipe corporate data and applications from the device when he or she departs the company, voluntarily or otherwise
- Explain to employees that they will be responsible for costs associated with excessive data use, excessive 411 calls or selection of smartphones that are more expensive to use in some circumstances, if your company retains management of the smartphone service plan
Do you have a BYOD usage policy? If not, do you plan to implement a BYOD usage policy? What challenges are you finding? Please share your experiences in the comment box so your peers can learn from you.