Bring Your Own Device initiatives still remain high on the priority list for many CIOs and as new portable devices are released, the pressure to provide an opportunity to use these devices grows. BYOD initiatives require careful thought and planning and often require policies that protect both the organization and the individual. In this article, I will outline four mistakes that can ruin even the best BYOD policy.
Limiting devices by specific models
In an effort to attempt to limit the initiative's impact on IT resources and simplify the arrangement, I've seen some BYOD policies that listed the specific devices and models that would be supported under the program. Although I don't recommend a complete hands off approach, attempting to get too granular with device choice will result in the following:
- Deep testing of every new device to see if it's supportable.
- The need to constantly update the policy as new devices are released.
- Frustrated users attempting to find the right device and becoming even more frustrated when the new device they want isn't on the list.
Instead, I generally recommend that organizations attempt to categorize and approve broad swaths of devices while keeping in mind the needs of the organization. For example, you might provide support for any device that supports Exchange Active Sync (which is what I did at a former organization) or something along those lines.
Excluding the right to wipe the device
Although controversial to many, I feel that the right to wipe the device should be included in any BYOD policy. Bear in mind that BYOD is not a requirement; it's generally an opt-in program. If an employee doesn't want to be subject to possible device erasure, they can either get a company-issued device or not use the BYOD program.
Why is this important? The security of corporate information is paramount in these kinds of programs. In a perfect world, companies implementing BYOD would use a robust mobile device management tool that isolates corporate information from personal. But, many will many buy such software. In the event that the device is lost or stolen or there is justifiable reason to believe that sensitive information on the device might become compromised, the company may need to wipe the device.
Even if you never plan to wipe the device, include the stipulation anyway. If a unique situation arises and you find it necessary to remote wipe a device, you will be covered.
Allowing opt out of critical upgrades
An organization upgrades its equipment every few years. This isn't just done for fun. New tools and new software require new computers and operating systems. The same goes for mobile devices. New apps may require new mobile hardware. If an employee has chosen to be included in a BYOD initiative, there needs to be a clear requirement that the selected device must support current business needs. Obviously, people have contracts with their devices, so there needs to be some flexibility, but employees need to ensure that they are able to do their jobs even when using a personal device under a BYOD arrangement.
Allowing opt out of corporate data management policies
Mobile devices are well-connected to cloud services. However, many cloud-based services are not yet used by businesses, who prefer to operate their own services behind the company firewall. Under BYOD arrangements, it could become very easy to bypass corporate systems. For example, why save files to the corporate file server when DropBox is right there?
Ensure that your organization has policies around data accessibility and integrity and that you provide your users with the tools that they need to be able to adhere to them.
BYOD can be an incredibly positive undertaking, but policy mistakes can come back and haunt the CIO for a long time!
To see more on BYOD, check out our Special Features page.
To see our BYOD Executive Guide, click here.
Since 1994, Scott Lowe has been providing technology solutions to a variety of organizations. After spending 10 years in multiple CIO roles, Scott is now an independent consultant, blogger, author, owner of The 1610 Group, and a Senior IT Executive with CampusWorks, Inc. Scott is available for consulting, writing, and speaking engagements and can be reached at email@example.com.