10 Tips for Developing Effective BYOD Policies

Earlier this week I wrote about the rise of the “Bring Your Own Device” (BYOD) paradigm in modern business. What I did not discuss in detail was the best way to develop effective BYOD policies to guide your firm in the future. These policies will address how you protect your vital client information and firm data while allowing attorneys and staff the flexibility that mobile devices provide, along with the comfort of using their own devices. As such, it is CRUCIAL that the policies are developed with an eye toward the future, and are not assembled haphazardly.

Here are my 10 Tips for Developing Effective BYOD Policies:

1) Development of the policy must be transparent and inclusive.

This policy will govern what devices your attorneys and staff can use, how they can use them, and will, most likely, limit the ways they can use their devices for personal use. Remember that you’re still pitching this whole program as being beneficial, without regard for the fact that you’re actually pushing a business expense onto your staff. Therefore, everyone should feel like they had input. (For outside assistance, you can always check out some of the mobility management programs, like this one offered by CDW.)

2) The policies must be universal, in both applicability and enforcement.

Nobody likes it when someone is able to “pull rank” to avoid doing something that everyone else has to do. Even worse is when someone higher up on the food chain is caught doing something against company policy, but there are no repercussions. For a policy to be effective, everyone has to follow it. The more people who are given exemptions due to their status, the less important the policy will seem to everyone else. Don’t forget the importance of these security measures: for a hint on what can happen when someone deviates, read this story on Dropbox.

3) The policies must clearly address what devices are permissible.

It’s a list, simple as that. If devices have questionable security measures, leave them off. If devices cannot use the software you want to use, leave them off. Remember, this is a policy about allowing attorneys and staff to use the devices they currently own, and are familiar with, on the company network. However, if you require it, or wish to encourage wider use, consider leaving fewer items off the list.

4) The policies must include a firm-wide social media policy.

If you don’t know why this is required, you haven’t been paying attention to, well, anything lately. Remember that it’s your company’s network that they will be operating on, so you can control, to a limited extent, how they use their devices at work. If your office computers block Facebook, why would you allow mobile devices to access Facebook on your network?

5) The policies should clearly address what kinds of personal data are permissible on the devices.

Here’s where we start getting into the areas where people might feel you’re just making them pay for a tool to use at the office. While the policies do not have to be ultra-restrictive, they should address things like lewd or inappropriate photos and other forms of personal data that you would not want to be shared or accessible on the company network.

6) The policies should contain a list of mobile apps that are prohibited from use on the devices.

This is where that feeling of being used probably goes up considerably. By restricting the data and programs that can be used, you will likely take away a lot of the personal comfort and convenience feeling about BYOD. However, it is most definitely necessary, as you can see from this article. Stated even more clearly in this article, access to the data occurs through the apps. The bottom line is that you will be giving these devices access to your firm’s data, and you need to be able to prevent malware from gaining easy access. So if your firm uses a secure encryption tool for Dropbox, you should probably prohibit most other forms of data storage that do not contain their own high-level encryption system.

Also, block Angry Birds. No real reason for it, I just want to see how many people get upset by that suggestion.

7) Require strong passwords, auto-lock, and anti-brute force protection.

So you’ve set up a great encryption system and secured your data, but then allow one of your employees to secure their iPad with the code 0000. That’s what is called “failure,” and it only happened because you were too lazy to require complex passwords. No, I get it, we don’t like passwords; it goes against the idea of mobility and ease of use. Who cares? This is about your firm’s confidential data. By requiring auto-lock, you ensure that nobody will endanger the security of your network by leaving their Nexus 7 on for too long while company is visiting, and anti-brute-force protections, which wipe or disable a device if the wrong password is entered too many times, are essential today. (Read a humorous take on this exact issue here.)

8) Encrypt all data stored on the device.

Odds are that if you’ve gotten to the point where you’re coming up with BYOD policies, your company uses some form of local or cloud data storage. Good, access is important. However, make sure that the data is encrypted. Not just at the storage facility, but also in whatever app your attorneys and staff use to access and store the data on their devices. There are hundreds of options available; just make sure you use one.
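As an added illustration (not code from the original post), here is a small Python check that evaluates MDM-style device inventory records against the requirements in tips 7 and 8: a non-trivial passcode policy, auto-lock, wipe-after-failed-attempts, and encryption at rest. The record field names, the sample devices and the numeric thresholds are assumptions chosen for this example, not taken from any particular MDM product.

```python
# Added example (not from the original post): evaluate MDM-style device
# inventory records against the passcode, auto-lock, wipe-on-failure and
# encryption requirements from tips 7 and 8. Field names and thresholds
# are assumptions for illustration.

MIN_PASSCODE_LEN = 6        # reject 4-digit codes such as 0000
MAX_AUTOLOCK_SECONDS = 300  # device must lock within 5 minutes
MAX_FAILED_ATTEMPTS = 10    # wipe/disable after this many wrong codes


def device_violations(dev: dict) -> list:
    """Return the policy rules a device record violates (empty = compliant).

    A missing field is treated as non-compliant, so an agent that cannot
    report a setting does not silently pass the check.
    """
    v = []
    if not dev.get("passcode_set", False):
        v.append("no-passcode")
    elif (dev.get("simple_passcode_allowed", True)
          or dev.get("min_passcode_length", 0) < MIN_PASSCODE_LEN):
        v.append("weak-passcode-policy")
    autolock = dev.get("autolock_seconds", 0)              # 0 = never locks
    if autolock <= 0 or autolock > MAX_AUTOLOCK_SECONDS:
        v.append("autolock")
    wipe_after = dev.get("wipe_after_failed_attempts", 0)  # 0 = disabled
    if wipe_after <= 0 or wipe_after > MAX_FAILED_ATTEMPTS:
        v.append("brute-force-protection")
    if not dev.get("storage_encrypted", False):
        v.append("encryption-at-rest")
    return v


def fleet_report(devices: list) -> dict:
    """Map each device id to its violations; compliant devices map to []."""
    return {d["id"]: device_violations(d) for d in devices}


# Constructed sample inventory (not real devices)
SAMPLE_DEVICES = [
    {"id": "ipad-1", "passcode_set": True, "simple_passcode_allowed": False,
     "min_passcode_length": 6, "autolock_seconds": 120,
     "wipe_after_failed_attempts": 10, "storage_encrypted": True},
    {"id": "ipad-2", "passcode_set": True, "simple_passcode_allowed": True,
     "min_passcode_length": 4, "autolock_seconds": 0,          # the "0000" case
     "wipe_after_failed_attempts": 0, "storage_encrypted": True},
    {"id": "nexus7-1", "passcode_set": False, "autolock_seconds": 600,
     "wipe_after_failed_attempts": 5},                         # encryption unreported
]

if __name__ == "__main__":
    for dev_id, problems in fleet_report(SAMPLE_DEVICES).items():
        print(dev_id, "compliant" if not problems else problems)
```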

9) The policies should include a provision that personal data is to be kept separate from company data.

Human perception makes this one a little harder to understand, because how can you separate data on such a small device? This rule will also make the users of the devices a little less happy, but it’s necessary. The best way to accomplish this task is to use different apps for different tasks. If your company uses Dropbox for data storage, require that employees use something else, like Box, for their personal files. Keeping the data separate reduces the chances that any malware that infects your personal data will gain access to your company data (unless the malware happens to gain access to admin functions, like it did here).

10) Your firm’s BYOD Manager must ensure the policies are frequently reviewed and updated.

This is technology, so you can guarantee that any policy you write will be out of date, in some form or fashion, in the hours following its adoption. Be it new devices, new operating systems, new time-waster apps, or new malware, something that your policies did not address will arise in the near future. Be responsive and flexible with the future, but also make sure you keep enforcing good policies. Effective BYOD policies are ones that allow for slight modifications as conditions change, but require little change in their overall structure over time.

If your policies follow these suggestions, your policies should keep your employees happy, reduce your firm’s expenses, provide excellent data security, and hopefully increase your firm’s overall profitability.