What association CEOs need to know about Bring Your Own Device (BYOD) policies
- Dave Coriale
- May 27, 2015
Your association is already practicing Bring Your Own Device (BYOD) whether you have a BYOD policy or not. Staffers are using mobile devices in the office, while commuting, and at home to read emails, work on documents, and access your network and apps. And why wouldn’t they? We’re an always-on, get-it-done society.
You need a BYOD policy that everyone can understand and follow. And, it must be a policy that your IT staff can enforce. A good BYOD policy defines the roles, responsibilities, and expectations for IT staff, non-IT staff, and management concerning the use of mobile devices to connect with your association’s network, apps, and data.
What to consider when making a BYOD policy
In developing a BYOD policy, one of the most critical considerations is security. How will you minimize the risk of security breaches in a way that doesn’t adversely affect staff productivity and privacy? What will you do if an employee’s mobile device is lost, stolen, or missing? Will you be able to wipe that device clean to protect your network and data?
Large associations may have the luxury of investing in Mobile Device Management (MDM) suites that provide more granular control over individual apps and the ability to wipe devices clean when warranted. You still have to balance staff expectations of privacy with the association’s expectations for security, and make it clear to staff where the line is drawn between the two. For example, with MDM, you have the ability to track someone’s location because of their phone’s GPS. Staff must be able to trust IT and management not to look at personal data and photos on their phone.
Understand what part of your data is subject to PCI, HIPAA, Sarbanes-Oxley, and other regulations, and develop a records retention policy that complies with these regulations.
Your BYOD policy must identify the services provided by IT staff to mobile device users. Which devices do you offer for staff’s use and/or support? What type of support do you offer? Do you provide any reimbursement to staff using their own personal devices for work?
You should also spell out the responsibilities of mobile device users. What is your password protocol? What type of back-up must staff use and how often?
Even if you have a good BYOD policy, people are susceptible to being human. They will do things like leave a tablet behind in a hotel room, click on phishing links, or use weak passwords. You will minimize these risks if you provide regular training to build a culture of security.
Provide regular BYOD training to staff
Train staff on the dos and don’ts of BYOD during on-boarding and off-boarding processes. Disgruntled former employees can wreak havoc if you don’t have the appropriate BYOD and security policies in place. Reinforce the training regularly so staff doesn’t fall into bad habits.
Make sure your BYOD policy and training cover all practical security concerns and scenarios. For example, what is your policy on accessing the AMS and viewing reports via a mobile device?
Have an email protocol in place and provide the training to support it. Don’t assume everyone knows and follows safe email practices. Just imagine several staffers venting about a board member via email. What if someone decides to forward that email?
4 items for your BYOD to-do list
Here are 4 things you should do to avoid these types of scenarios:
- Find out if you have a BYOD policy.
- Find out if your IT staff can tell you how many people are accessing your system via mobile devices and what type of devices they’re using.
- Decide what level of support you will provide for mobile devices and mobile device management.
- Make mobile device considerations part of your employee onboarding and off-boarding processes.
These resources can help you further explore BYOD considerations.
- The White House’s toolkit for federal agencies implementing BYOD programs
- CIO.com’s list of 10 MDM tools
Once you determine where you are on the BYOD spectrum, if you decide to seek outside help, our technology consultants can provide additional guidance for developing a BYOD policy and training program, and/or selecting an MDM tool.