Whether businesses like it or not, bring your own device (BYOD), sometimes referred to as the consumerization of IT, is firmly entrenched in many companies. Employees are bringing their own phones, tablets, and laptops to the office, rather than merely accepting whatever their employers offer. The question is not when it will happen, but how to handle it in a way that serves both the business and the employee.
The key is a clear understanding of everyone’s place in the grand scheme of things. Both employer and employee must be in agreement on each party’s responsibilities.
That means policies. Policies that are signed off by each employee before being granted access to corporate resources on his or her personal device, and that are enforced by the employer. A policy without enforcement is useless.
It’s a fine line to tread. The policies need to protect corporate data and guard the employer’s interests while not stepping too hard on the employee’s proprietary rights. And they need to apply to everyone; if some people are allowed to run roughshod over the policies everyone else is expected to observe, you can count on those policies being universally ignored before too long.
What should be in a policy document?
It needs to assert the ownership of the device, to begin with. If an employee buys a device, and brings it in, merely connecting it to corporate resources shouldn’t mean that the company then owns it. On the other hand, some BYOD models allow employees to choose a device and be reimbursed for its cost, which may mean the company owns it. That has to be made clear, as does (possibly more importantly) who owns liability for the device, who supports it, and how it is managed. The employer may or may not cover part or all of the cost of the telecom service for a phone; that needs to be defined up front as well.
Management and security are especially touchy subjects that must be codified as explicitly as possible. Both user and employee need to be clear on what business data may be accessed by or stored on the device, and on the privacy of the user’s personal information. It’s also important to agree on how the device may be managed – can an agent be installed to monitor it, and is the employer allowed to wipe it (spoiler: the answer should be yes, but for corporate data only), if it’s lost or stolen, for example.
All parties also need to agree on what happens when the employee leaves the company, either voluntarily or otherwise. Who keeps the device, and who keeps the associated phone number? How is the device sanitized of corporate data, if it remains with the former employee? Factors like these need to be considered and codified so there’s no debate.
Finally, both employer and employee must know exactly what the penalties are if the policies are violated. For example, are any infractions firing offenses? The legal department ought to vet those clauses to avoid issues later.
