GETTING STARTED WITH BYOD? READ THIS FIRST!
You’ve read up on what BYOD (Bring Your Own Device) is and decided that it’s a good fit for your growing company to connect the devices your employees already have to your network. But how do you get started, and how do you make sure that your data and information are safe on all these devices? The key is to implement good BYOD policies before you ever hook up a device to your network and share information between your employees' devices.
You must write up a clear policy for BYOD.
It should outline the rules of engagement and state up front what the expectations are.
- It should include the minimum hardware requirements (whether that is as general as “smartphone with email capability” or as specific as “iPhone 5.0 or above”). It should also set out how frequently employees are expected to upgrade their hardware, and whether they will be compensated in any way for upgrades.
- It should include the minimum data/connectivity requirements, and whether there is any reimbursement available or offered. If you expect your team to use their devices consistently and regularly for work, offering to compensate them for some of the cost of their IT and telecom data plan is reasonable.
- It should include the expectations for use. Dictating to employees how they can and can’t use their personal devices (for example, a policy prohibiting viewing or transmission of explicit content) can become a sticky situation. But especially if you work in a sensitive industry, you might consider mandating conduct requirements as a condition of employees being allowed to use their device for combined work and personal purposes.
You must lay out minimum security requirements.
You can do this by either requiring or providing specific security tools as a condition for allowing personal devices to connect to company data and network resources.
- You should contract with or designate an IT professional to ensure that each device meets the minimum safety and security requirements and has appropriate software installed to ensure applicable security protocols are maintained.
- Each BYOD device should be registered with and approved by your company.
- Your BYOD policy should set forth the policies and procedures for updating the security protocol on the devices, whether that is independently downloading and installing updates or arranging with your company to do so. You should ensure that updates are completed as scheduled on each registered device.
In many industries, there are elevated standards or laws governing security, privacy, and encryption of sensitive data and protected information (such as PCI DSS, HIPAA, and GLBA). You must ensure that employees who access this data on their own devices comply with the rules for your industry and that their use and handling of that data complies with those data security requirements. Implementing proper training procedures and security protocols is key to ensuring compliance.
You must ensure that your data stays with the company even if an employee leaves.
When an employee is terminated or leaves your employ, you must retrieve and remove company data from his or her device. Having experienced IT professionals do this is recommended. Your BYOD policies should provide guidance for the procedures to be followed in case of employee separation. You may wish to also involve your legal counsel or compliance professional if appropriate.
BYOD can be safe, secure, and beneficial for your company and your employees!