Six tips for building a healthy BYOD policy

Does your business have a bring your own device (BYOD) policy? Whether you need to develop one or you need to update your existing policy, we’ve got handy tips to help you build a robust policy that will help to protect your enterprise. These tips will help you to address the key components of a BYOD policy, including IT service, application use, and device security.  

There are an estimated 270 million smartphones in use in the United States alone. Unless your business is in a position to offer each employee a company-owned mobile device, employee-owned devices will be used to access corporate email and calendars. In many companies this is the direction taken by company executives who may find that smartphones and tablets are an easier option when they are between meetings and traveling extensively.  

If your business has not yet been encouraged to establish a BYOD policy, it’s important to take the time to do so now. 

Step 1: Your policy should specify the types of devices that are permitted 

In years past there was generally just one type of device used for work. BlackBerry was it. This made cybersecurity a bit more manageable for IT pros. Today, there are a number of device choices, from iOS-based devices to Android smartphones and tablets, to Chromebooks and more.

It’s a good idea for your organization to be clear about what you mean when you tell your employees to “bring your own device.” Does this mean smartphones only? Does it refer to iPads and no other tablet types? Make it clear to interested employees exactly which devices you will be able to support and allow. With that, also be sure to cover the types of devices you won’t be able to support or allow.

Step 2: Establish a robust security policy, for every device 

Users quite often resist using passwords on a personal device. Passwords can be cumbersome and make it less convenient for users to gain access to all of the functions of the device. From a business security perspective, this is not a valid reason to avoid using a password. 

If a personal device is going to be used to connect to your corporate network, the device is going to have access to sensitive information. This sensitive information cannot be kept secure if it can simply be accessed by anyone who has a hold of the device.   

If your employees want to connect their personal devices to your business systems, they will need to agree to a complex password on each of their devices. 

  • The password should not be a simple 4-digit numerical PIN.
  • The password should be alphanumeric.

Remind your employees that the device password should be updated every few months, for ongoing security protection. 
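As an added example (not code from the original post), here is a small Python check that encodes the three requirements just stated: no simple 4-digit numeric PIN, an alphanumeric passcode, and rotation every few months. The 8-character minimum and the 90-day rotation window are assumptions, since the post only says “complex” and “every few months”; the device list is constructed sample data. In practice an MDM evaluates these rules on the device and only reports a compliance flag, so the passcode itself never leaves the device.

```python
"""Passcode policy checker for BYOD enrollment (added example, not from the original post).

It encodes the three requirements in the policy above: no simple 4-digit numeric PIN,
an alphanumeric passcode, and rotation every few months. The exact numbers
(MIN_LENGTH, MAX_AGE_DAYS) are assumptions; the post does not specify them.
"""
from datetime import date, timedelta
from typing import Dict, List

MIN_LENGTH = 8      # assumed: comfortably longer than any 4-digit PIN
MAX_AGE_DAYS = 90   # assumed reading of "every few months"


def passcode_violations(passcode: str, last_changed: str, today: str) -> List[str]:
    """Return the policy rules a passcode breaks (an empty list means compliant).

    Dates are ISO strings (YYYY-MM-DD). A real MDM runs this evaluation on the
    device and reports only the compliance status; the passcode never leaves it.
    """
    violations = []
    if len(passcode) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in passcode):
        violations.append("no letters (numeric-only PINs are not allowed)")
    if not any(c.isdigit() for c in passcode):
        violations.append("no digits (passcode must be alphanumeric)")
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    if age > timedelta(days=MAX_AGE_DAYS):
        violations.append(f"set {age.days} days ago, exceeds {MAX_AGE_DAYS}-day rotation")
    return violations


def compliance_report(devices: List[Dict[str, str]], today: str) -> Dict[str, List[str]]:
    """Map each device id to its violations, so network access can be gated on an empty list."""
    return {
        d["device_id"]: passcode_violations(d["passcode"], d["last_changed"], today)
        for d in devices
    }


# Constructed sample enrollment data (hypothetical device ids and passcodes).
SAMPLE_DEVICES = [
    {"device_id": "phone-01", "passcode": "1234", "last_changed": "2024-05-20"},
    {"device_id": "tablet-02", "passcode": "correcthorse", "last_changed": "2024-01-03"},
    {"device_id": "phone-03", "passcode": "Tq8-brick-42", "last_changed": "2024-05-20"},
]

if __name__ == "__main__":
    for dev, problems in compliance_report(SAMPLE_DEVICES, "2024-06-01").items():
        status = "OK" if not problems else "; ".join(problems)
        print(f"{dev}: {status}")
```

Running the script flags the 4-digit PIN on `phone-01` (too short, no letters) and the stale, letters-only passcode on `tablet-02`, while `phone-03` passes every rule. The same rule set is what you would configure in an MDM passcode payload; the script simply makes the policy testable before it is rolled out.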

Step 3: Establish a BYOD service policy for devices 

Your employees will need to understand the type of service and support they’ll get when using a personal device for work purposes.  

  • What kind of support can your organization offer to users struggling to connect to the network with a personal device? 
  • Will your IT team be able to provide support for broken devices? 
  • Can your team provide support for applications that are installed on personal devices? 
  • Who will ensure your employee-owned devices are updated with the latest in security fixes? 

Limit help desk support and service to work-related concerns, such as email, calendar, and video conferencing apps. Establishing these policies can help your business better manage your IT support resources.

Step 4: Data ownership concerns 

It makes sense that your organization owns the information that employees are accessing with their personal devices. Things become a bit more problematic when you are faced with the need to remotely wipe a device if it has been confirmed as lost or stolen. 

When devices are wiped, all content that was on the device is erased. This can include personal data, personal pictures, music, and other content that the device owner may have paid for. It might not be possible to replace some of this content if the device is wiped. 

Your BYOD policy will need to make it clear that your organization asserts the right to thoroughly wipe the personal devices that are used on your network. It is also important to provide your employees with valuable guidance about how they can secure and back up their personal data if something does happen. 

There are many free and low-cost cloud backup services that your employees can use to protect their personal data. 

Step 5: Do you have an acceptable use policy? 

If your company has planned well, there are good odds that there is already an acceptable use policy that covers business-issued devices and other equipment that can access your network. Your employees should be aware of what they should and should not access using a work-issued device. But when it comes to allowing a personal device to connect to your business VPN, things can become blurry. 

  • If you don’t permit your employees to access social media from a business-issued device, can they access and post on social media using a VPN tunnel on their tablet or smartphone? 
  • If an employee accesses and browses an objectionable website and content while on your network, what actions should or can your business take? 
  • What about if someone transmits inappropriate content over your network, using a personal device?  
  • Do you have monitoring tools to detect violations and enforce policies? 

Combine your acceptable use policy with your BYOD policy to ensure you’re covering your business posterior. This may be an opportunity for your IT team, human resources, and legal advisor to come together to solidify your rights to set up such policies.

Step 6: Employee exit strategy planning 

If your employees are using a corporate-issued device, it’s a simple process when they leave the organization. They simply turn it over. But what about employees who have used their personal devices to access your network? How can you enforce removing email access, access tokens, and other proprietary data or applications?

You could disable access. You could also opt to perform a clean wipe of the device as a part of the mandatory exit strategy. 

You should have a transparent and firm methodology for backing up the employee’s personal data from the device prior to performing the “exit wipe.” Work with departing employees to help them back up their important data. 


Allowing your employees to access your network with a personal device can bring with it several benefits for both the organization and employee. Ensuring that you have a strong BYOD policy can protect everyone and can also help to secure your assets across the board.