Legal Tech: Top tips for creating a 'BYOD' strategy

Elizabeth Millard, The Daily Record Newswire

Back before middle school students had cell phones, a corporate mobile device strategy usually went something like this: You’ll use what we give you, don’t download anything personal on it, and we’ll scrub it clean whenever we like.

With the huge surge in device usage, though, this strategy soon became obsolete, and what most companies have now is called BYOD, or “bring your own device.” Employees erase the line between professional and personal with devices like smartphones and tablet computers, which may not only be partially subsidized by the company but are also used to upload Instagram photos of last night’s fancy dinner. Because these devices sync to the company network, security and privacy issues come up. Many larger companies tend to have sophisticated BYOD policies as well as IT management services for mobile tech. But smaller businesses don’t need to hire a mobile guru to keep up — they just have to put a few key strategies in place for protection:

Make sure remote deletion is available

Devices get lost or employees leave a company, and suddenly all that corporate information on a smartphone becomes a security threat. In the past, a company could use “remote wipe” technology to delete all data, but with a personal device, this method also trashed family photos, personal contacts, apps, music and anything else that’s stored. Fortunately, remote deletion capability is much more sophisticated these days, and a company can remove just enterprise-related data from a device and leave all the other content intact.

“A company must be able to remotely delete sensitive data off these devices without permission,” said Heather Manley, president of Minneapolis-based IT services firm On-Demand Group. “For instance, with one click, we can remove a company calendar, email and [business] contacts from anyone’s device if it’s connected to our CRM (customer relationship management software).”

When creating a BYOD strategy, remote deletion should always be part of the policy, and shouldn't require employee sign-off before it’s done because situations like theft, loss, or employee malfeasance make timing an issue.

Create a written policy specific to BYOD

While a small business already may have a security policy in place, it’s helpful to create a BYOD policy as well, advised Steve Quigley, sales director at Clear North Technologies, an IT consulting firm in Plymouth.

“Take BYOD policies seriously and make sure you set proper employee expectations about what these policies mean to your employees,” he said. “Employees need to truly understand that they will probably forfeit some control of their personal devices.”

Companies in highly regulated industries like health care and finance may be subject to stricter data compliance rules, he added, which means their policies will need to be robust. When drafting a policy, think in terms of guidance and common sense, Quigley said.

Discuss privacy issues

In any BYOD policy, privacy should be addressed because employees will often use devices to store personal content, including photos, videos, text chats, Twitter feeds and other activity. Employees need to be aware that as an employer, you may have access to everything on the device if it’s brought in for repair, or even just connected to the company network.

Also, some corporate mobile management applications allow for location tracking, which tends to make employees uncomfortable, Quigley said. “Small companies need to have a clear BYOD policy on privacy and, if needed, how their location tracking will and will not be used, particularly during an employee’s personal time,” he said.

Use the cloud wisely

One of the best ways of making sure that corporate data is secure when dealing with mobile devices is to store the data elsewhere, like in a cloud-based service. That turns a device into a kind of “dummy terminal,” used only to access data and not to retain it.

But not all services are equal, according to Matt Woestehoff, director of business development and operations at Minneapolis-based IT support and service firm The Foundation. Consumer-designed services like Dropbox may be popular, but they can have vulnerability issues.

“These kinds of options make people nervous, because they can be accessed from anywhere — without any kind of corporate security controls,” said Woestehoff. “It’s like having a flash drive hooked up to your computer, where you can just take information and then store it wherever you like. It’s much better to employ mobile management tools where you can control where data is going.”

Although BYOD strategies in a workplace can make some executives nervous, just a bit of communication, security and knowledge can go a long way toward a more protected small business and more mobile employees.

—————

Elizabeth Millard has been writing about technology for 17 years. Her work has appeared in Business 2.0, eWeek, Linux Magazine and TechNewsWorld. She attended Harvard University and formerly served as senior editor at ComputerUser.