  • Sara Millis

How to set up your BYOD policy and implement it with ease

So, one of your team members approached you about using their personal mobile to answer customer queries in-app while on the go - a good idea. It saves you from buying them a smartphone for the same purpose. But have you asked yourself how you safeguard your business data when accessed from personal devices?

If you landed on this blog, that's the very problem you are wrestling with. Don't worry; in this post, we'll introduce you to your new Bring Your Own Device (BYOD) policy and how to implement it.



What is a BYOD policy, and what's its purpose

At its core, your "Bring Your Own Device" (BYOD) policy permits employees to use their personal devices for work-related tasks. This policy, however, is not just about giving your staff convenience; it's about maintaining security and efficiency within your business operations while they use mobile devices you do not own.

Your policy will cover:

  • security measures when using BYOD devices

  • device compatibility guidelines

  • acceptable use policies

  • reporting and compliance procedures


Before you draft your BYOD policy

Before you start drafting your BYOD policy, take a moment to assess your business requirements. Start this process by understanding your industry and compliance obligations.


Ask yourself: How can my policy comply with data protection laws? How can it safeguard my customers and my team? And finally, will offering BYOD support your infrastructure, workflows and task completion?

Spend time anticipating potential hurdles such as employee resistance, security concerns, or technical issues. Implement a policy that will cover you and your team in all situations.

Also, allow yourself to be proactive rather than reactive during the rollout - you will encounter some challenges you hadn't thought of.


Consider the UK compliance guidelines

For businesses operating in the UK, it's crucial to tailor your BYOD policy to align with regional regulations and compliance standards. These include:


Compliance isn't just about safeguarding your business data and clients; it's also about covering your staff and their needs while using their own devices for work.

Once you know what your policy should cover and how you'll remain compliant, it's time to sit down to your first draft.


What your first draft BYOD policy should cover

The National Cyber Security Centre has written an extensive guide on what to include (linked above); we'll go through that and add some of our advice on the subject.


  • Your objectives - What are your aims and needs from your scheme, and how long does your scheme last? What devices are you including, and how do you see these used in your business?

  • User needs - To what end do groups or individuals need BYOD devices? How will work programmes and notifications affect personal use of their device, your expectations around personal use during working hours, or even staff workloads out of hours?

  • Risks and alternatives - What types of cyberattacks can users expect, and how do they deal with them? How will you plan for device downtime or system sync issues? Who is responsible for costs and replacement devices when a user experiences theft, loss or damage? What alternatives to BYOD can your business offer employees?

  • Guidelines and enforcements - How do staff remain safe and compliant using their devices? How do you handle reporting and fallout from data loss or theft?

  • Procedural guidelines on costs - Who is responsible for expenses incurred before, during or when replacing BYOD devices?

Here's what we think you need to add:

Make sure you click through on those links, as each guide will walk you through the policy you need to include.


How to make your policy more inclusive

The first step to ensuring everyone is on the same page is to use jargon-free and accessible language. You need a clear and concise policy that everyone can understand and stand by - not just moments before a storm but when something goes wrong. You want everyone to feel that they clearly understand what's expected before they agree to take on a BYOD device.


Most of all, consider your employees' use cases. To do this, you'll need to consider their situational needs. For example, if a team member is visually impaired, you must provide a policy format that can be read aloud on any text-to-audio device. If a staff member has a cognitive impairment, temporary or otherwise, you must consider their needs and create a policy that helps them stay compliant.


Ready to roll out your new policy?

When your new policy is ready to go, it's time to communicate with your team so that they know what to expect. By doing this, you can also offer mandatory device support and training when staff use BYOD devices.


The best practice is trialling your new policy with a few staff members as a focus group. Their feedback will inform you of how much extra work you need to put into this project before you can go business-wide.


Your feedback mechanisms should remain in place when your policy is open to everyone.


Reviewing your BYOD scheme

It is good practice to evaluate your scheme's performance. To do that, you'll need to weigh flexibility and cost savings against potential drawbacks like security risks and compatibility issues.


We recommend that reviews take place once a year, in line with your other IT and infrastructure reviews.


How IT Soho helps London's SMEs with BYOD policies

We can help you deliver certain aspects of your BYOD policy, specifically hardware, software and security support. Our IT Manager package is excellent for businesses that need onsite support. Through this package, we can help you and your team get set up on personal devices safely.


If you need assistance in the City of London, Soho, Mayfair, Covent Garden, Westminster and Fitzrovia, contact Eric today.
