By attorney James Drake, Special to THELAW.TV
Most Bring Your Own Device (BYOD) policies are reactive. In itself, this is not necessarily bad, but it often leads to the implementation of a hurriedly drafted policy that leaves employer resources as vulnerable as before because of poor wording and misunderstanding. This guide will provide an approach that is immediately usable and adaptable as new technologies come online.
Why you need a BYOD policy
The implementation of most after-the-fact BYOD policies is usually both ineffective and insidious. They are ineffective because those who already have access must be convinced that there is a link between the new policy intrusions and recognizable benefits. The insidious aspect of a quickly drafted policy is that management becomes complacent, thinking that the mere existence of a policy is the same as compliance. The end result is a failure that will often not become apparent until after a serious breach occurs.
What constitutes a serious breach will vary from organization to organization, but it can generally be characterized as the publication of proprietary information that would otherwise remain confidential. Examples include hacking into customer lists, compromising company financial data, and accessing valuable R&D trade secrets.
Most businesses that allow employees to access work email, share drives, or in-house databases have already implemented BYOD, whether they have a definitive policy in place or not. Indeed, unless you are just starting a business and you know every one of your employees by name, access will quickly spread beyond the capability of the organization to control it.
There are numerous IT solutions that can address these issues, but most of these force management to choose between the convenience of access and the safety of strong security measures. In nearly every situation, convenience will win out -- especially if the CEO wants to be able to type out instructions to his reports on his personal tablet right before he goes to bed at night.
In order to be effective, organizations need to implement targeted protections that guard the organization's crown jewels, while managing access by way of ongoing training. In this way, employees will be reminded of their responsibilities while still enjoying the convenience of untethered access.
Before implementing any policy, however, it is important to decide whether access or security has the higher priority and to consider the consequences of elevating one over the other. Higher security often means less autonomy for employees. This can be good in a rigidly structured environment such as a manufacturing plant, but may result in a competitive disadvantage in areas such as sales. This is why a BYOD policy should gather input from all internal stakeholders so that levels of access and security are commensurate with individual roles, responsibilities, and expectations.
For anything that a company would consider a trade secret, i.e., information that provides significant value by virtue of not being public knowledge, strong information technology protections should be put in place. This can include tiered levels of access (Read, Annotate, Administer) to company databases that contain this information, as well as the conscious decision to maintain some information on storage media that are not connected to the internet. This not only creates barriers to malicious third parties, it also reminds authorized users to be careful in accessing this information.
It has become axiomatic that the biggest source of leaks in cases of corporate espionage is an employee who unwittingly provides her access codes to a person she believes has similar authorization. These "social engineering" hacks are much easier and less time-consuming than the popular Hollywood trope of the lone hacker employing sophisticated software to break in and steal what he wants.
Accordingly, in addition to limiting the number of people who can access highly sensitive information, as well as what they can access, a world-class BYOD policy must include a training component. Training can be incorporated as part of document management training and should focus on the following:
- What company information should be accessed from personal devices. Usually this can be limited to email and internal company messaging without disrupting the work process of most employees.
- Where one should access information. That coffee shop down the street may be convenient, but its open Wi-Fi presents serious risks of hacking. Should access be allowed overseas or at industry conferences, where employees are more likely to be targeted for corporate espionage?
- What devices should be allowed access. Some operating systems are very secure, while others are rife with security holes. For example, will Apple devices and Android devices be permitted, but Windows phones prohibited?
- How access is controlled. Should access only be permitted through virtual private networks (VPNs) that can be secured by the employer? Should individual devices be required to download company-approved security software to control access?
Managing expectations is another crucial aspect of training. It can be easy to forget that these are personal devices paid for (in most cases) and maintained by the employees themselves. If employees who are used to unfettered access are suddenly confronted with overly restrictive policies that they perceive as making them less efficient, they may choose to ignore them or actively undermine them. Suddenly, the BYOD policy itself has become the catalyst for security breaches!
Communicating the policy
In addition to the topics listed above, the ultimate goal of training should be to ensure that everyone in your organization understands the link between any new behaviors and the attendant benefits. Because the connection between new behaviors and the benefit of improved security is abstract, changes to behaviors should be simple and unobtrusive to ensure compliance. There should be two to three main takeaways from training, and they should be easily incorporated into the established workflow of the organization. These changes should be memorialized as a documented policy and cross-referenced to a code of conduct, electronic communications policy, and any other related policies.
BYOD policies will differ based on a variety of factors, and these factors should be addressed within the context of the policy itself. In particular, a robust BYOD policy should include headings that address the following:
- Purpose – This lets employees understand what is being guarded and why it is important to the success of the business to do so. It should avoid language that creates an accusatory tone.
- Eligibility – Who is allowed to access what resources?
- Supported devices – This allows employees to make a choice of personal devices based on individual desires to connect to company resources.
- Technical support – Will the company provide technical support and, if so, how will that be handled?
- Responsibilities – This is the heart of the policy. What is permitted and what is not? This will also be the foundation of ongoing training within the organization.
- Impermissible use penalties – The consequences of deliberate violation of the policy should be made clear. These penalties should track closely with similar policies related to protection of company proprietary information.
- Reimbursement – Careful consideration should be given to whether the organization wishes to reimburse employees for new devices and whether to provide reimbursement for any work-related usage fees. The decision to reimburse may be linked to mandatory installation of security software or similar monitoring.
The author, patent attorney James Drake, blogs at intangibleexpertise.com.