Best Practices: Bring Your Own Device Policies for Small Businesses

IDWise Logo

When was the last time you worked from home, or took a personal call on your company-provided cell phone? If you're like most U.S. workers, it was probably recently. Mobile technology has blurred the line between inside and outside the office. Where once an employee would have to physically be at their desk to check their e-mail or find a document on the network, many of these tasks can now be conducted from a tablet, laptop, or smartphone from anywhere in the world.

For small businesses, however, equipping employees with these devices is cost-prohibitive. That's where Bring Your Own Device (BYOD) policies come in. The company allows employees to choose the devices that work for them—in most cases, devices they're likely to already own.

Despite the benefits of cost savings, increased productivity, and higher employee morale, BYOD policies can be risky. With less control over devices and network access, the chance of data theft or security breaches goes up.

If you've looked at the risks, however, and decided a BYOD policy is right for your business, here are the things you need to know to stay secure. Choose which devices to allow. This is the first part of any BYOD policy. It's important to choose devices that can be secured, that are agile to use, and that can be scaled as your business grows and new technologies emerge. Things to consider:

  • Your current technology needs
  • Your current security needs
  • Potential future requirements

BYOD Safety Checklist

  • Choose which devices to allow
  • Create an acceptable use policy
  • Set security policies
  • Provide training and support
  • Plan for departing employees

Create an acceptable-use policy

An acceptable use policy sets standards for device users by outlining BYOD rules and protocols for the entire company. For example, set ground rules about what types of files and programs can be downloaded to reduce the risk of viruses and malware. An effective policy should also include clear disciplinary actions and consequences for non-compliance, and it should make employees accountable by requiring them to sign the BYOD policy.

Set security policies

Since employees will have the ability to access company servers from anywhere, you'll need strong security policies to make sure sensitive information isn't exposed. That might include two-factor authentication, strong passwords, and a requirement to change those passwords periodically. For more information about password security for small business, see our article “Best Practices: Password Management for Small Businesses."

Provide training and support

It's important to keep communication open—both ways—with your employees. Hold regular training sessions to keep users up to date with your acceptable use policy and security procedures. And even though you're not providing your employees with company-owned devices, they'll still need tech support to keep both security and job satisfaction high. Technical support can help employees manage and use their devices effectively, find potential security vulnerabilities, and enforce BYOD policies.

Plan for departing employees

When an employee leaves a company with a BYOD policy, you don't have the security of asking them to turn their device in when they go. Therefore, you'll have to make a plan for removing their network access, corporate email account, and other programs and data sources to which they have access. Create an exit checklist—a good one might include changing all passwords held by the employee and disabling their email--and follow it to the letter whenever an employee departs.

IDWise Logo
What is IDWise?

Funded by a partnership with the Texas Legislature, and powered by the Center for Identity, IDWise is a resource center for the public on identity theft, fraud, and privacy. IDWise offers clear and accessible resources to empower citizens—both online and offline—to be better informed and make smarter choices to protect their personal information.

Sign Up for IDWise