Three BYOD policies for keeping workers (and IT) happy

Here are three alternatives to preempting disaster through reams of policy documents and forcing users to install piles of corporate "managementware" on their personal devices.
Policy 1: Follow the Golden Rule

While it sounds a bit snarky and evokes Google's oft-ridiculed "do no evil" mantra, too many companies fail to follow the Golden Rule (treat others as you'd like to be treated in return) when it comes to BYOD. These are generally the companies with policy declarations that rival the government tax code and contain more "Thou shalt nots" than even the most repressive religious or moral tomes. IT treats employees as children, and more often than not those employees do childish things to skirt policy, or willfully ignore policies out of sheer disgust.

At even the largest corporations, where confidential customer data are routinely handled on mobile devices, I've seen highly successful BYOD programs that treat users as adults. Most are fairly liberal with which devices can connect to a limited number of services on their network, in return for following some basic security-related policies. There are certainly environments in which controls must be stringent, but with widely available encryption and remote wipe capabilities, worries around data loss can largely be mitigated with some off-the-shelf software. Policies that assume users are adults, explaining the necessary "tickets to ride" and providing the appropriate software, are generally more successful than multi-layer approvals and draconian prohibitions.

Policy 2: Start small, and open email

Perhaps the most requested corporate service for BYOD access is email, and it is luckily one of the services most readily made secure and cross-platform. Everything from traditional in-house mail servers to cloud-based email providers likely offers mobile functionality, and in many cases it's paired with basic device management like remote wipe and password policy enforcement. If you're struggling to pick a service to trial in a BYOD environment, few are better candidates than old-fashioned email: it presents all the major challenges of BYOD (security, provisioning, management, etc.) along with the major benefits (reduced cost of device procurement and provisioning, employee satisfaction, etc.).

Policy 3: Guide and correct, rather than preemptively punish

BYOD requires a mental shift for most IT organizations accustomed to having the most intimate access to the devices they were tasked with managing. For both better and worse, BYOD shifts IT's focus away from managing devices toward managing the data on those devices. Most users intuitively understand the need to protect proprietary data, and will comply with directives that protect those data. Make the underlying assumption of your BYOD policies that an employee's contract with IT is shifting from complete management of that employee's device to management and protection of the data on that device. Guide users through protecting those data via software and configuration checklists, as well as IT tools that identify missed settings or installations related to protecting data.

If your standard assumption is that users will protect corporate data if given the proper tools and job aids, you'll likely design a program that's easy to comply with. Conversely, if your assumption is that you must apply the old managed device paradigm to BYOD, you'll end up treating users as risks rather than partners in protecting data. This is not to say that your BYOD program should be a free-for-all, but rather that policy violations should be identified to the user and punitive action taken when he or she fails to correct the violation, rather than attempting to preempt disaster through reams of policy documents and piles of corporate "managementware" users are forced to install on their personal devices. There's a balance for different organizations, but too many IT shops initially err well on the side of "preemptive punishment."

About

Patrick Gray works for a global Fortune 500 consulting and IT services company and is the author of Breakthrough IT: Supercharging Organizational Value through Technology as well as the companion e-book The Breakthrough CIO's Companion. He has spent ...

2 comments
TechGuy1313

Patrick, I certainly agree in theory, but with some data you cannot rely on "correct and guide". With compliance issues (HIPAA, PCI DSS, SOX, etc.) one breach can mean massive lawsuits and business ruin. Still, it is a good thought, at least with the less controversial data.

I have a couple of other policy suggestions for people if they are interested. This video (https://www.youtube.com/watch?v=ITP-02z02tI) is called Navigating through BYOD and is not only educational about the research-supported suggestions, but also features pirates! See if you agree with these.

maj37

Three common sense ideas, though as we all know for some folks sense isn't very common.