Failing to Update BYOD Policies Exposes Companies to Risk

While letting workers use their own smartphones and tablets for work purposes is convenient—and usually cost-efficient—companies need to have the right language in their BYOD agreements to help them avoid liability and mitigate potential risks.

Are There Risks Associated With an Incomplete BYOD Policy?
More companies are allowing employees to bring their own devices. A 2012 Aberdeen survey revealed more than 80 percent of responding companies now permit employees to use their personal devices for work, compared to just 10 percent in 2008. However, not all of these organizations have revisited their internal policies to accommodate such changes—and as a result, they are opening themselves up to risk. According to Business Finance magazine, only 27 percent of IT executives think their corporation's current BYOD policies would stand up against an outside audit.

What Should a BYOD Policy Include to Effectively Mitigate Risk?
Unclear rules can leave companies open to lawsuits or major, unexpected expenses. There are certain points a corporation should include in its BYOD policy to ensure it isn't vulnerable to such risks.

• Clearly define acceptable use. Many companies fail to provide clarity when it comes to BYOD policies, and their employees are left to navigate vague guidelines. Don't assume employees will interpret rules correctly—instead, make sure everything is clearly spelled out in a BYOD agreement and that nothing can be misunderstood. If multiple employees have questions about a policy or how something is worded, it may be time to update the document to ensure it's simple to comprehend.

• Mention access rights and monitoring guidelines. While executives may believe they should have the right to access an employee's device to ensure company information isn't being used inappropriately or check up on what data is being accessed, that doesn't mean an employee will agree. Demanding to review a worker's personal device used for work purposes could be considered a violation of the employee's privacy, and it's important to define expectations and requirements before teams are given permission to use their own smartphones, tablets and laptops on the job.

• Take into account the potential for loss or theft. Smart devices are a common target for thieves, and because they're commonly brought everywhere, they're also easy to lose. While many employees are especially careful when they use devices to access sensitive files and information, a degree of caution can't completely eliminate the risk of theft or loss. BYOD policies should determine who is responsible for replacing a device should it be misplaced or stolen and also set requirements for remote wiping or password protection that would make it impossible for outsiders to access corporate data.

• Consider current software licensing agreements. When drafting a BYOD policy, businesses need to consider the implications of current software licensing contracts. A company that currently licenses software from another firm should read through its agreement and determine how employees accessing software on their mobile devices fit into the policy, or if they'll need to obtain different types of licenses for workers to use certain programs on their smartphones or tablets.

• Deal with costs upfront. One important aspect of BYOD many companies fail to consider is costs. Employees may have purchased their devices months before they began using them for work, but will they expect reimbursement for the expense? Some workers may also expect a stipend for their monthly smartphone bills or data packages for their tablet, while others may assume their employer will purchase a new device should theirs be lost or stolen. It's important to address these concerns in a BYOD policy so all employees are clear on expectations and are well aware of what will and will not be covered. This will mitigate any potential risk and ensure a company isn't liable for any unexpected costs associated with its guidelines.