How to Implement a Smart BYOD Policy

As more companies shift to remote or hybrid work models, new security challenges arise. A bring-your-own-device (BYOD) policy has become essential for most companies. Business leaders should recognize that employees will often access work-related accounts from personal devices, even when instructed against doing so. But as with any other policy, BYOD will be more widely adopted if it is well planned. Here are a few guidelines that can help.

Adjust your perspective. BYOD policies often tend to focus on restrictions. Don’t forget to consider what employees can do on their devices, with an emphasis on greater flexibility and productivity. When you focus only on the limitations, you overlook possibilities and might also come across as punitive. Bottom line: set forth clear guidelines for safety, and articulate them strategically.

Focus on network security. Working remotely means employees will likely tackle work-related responsibilities from a variety of locations and networks. Unfortunately, that often means unsecured, public networks.

The frequent solution to this dilemma is to adopt a virtual private network (VPN). But because the VPN is used by so many devices across a variety of locations, it can be a liability. Hackers frequently target VPNs. Companies must implement clear policies regarding their use.

Insist upon software patches. When software developers discover a security vulnerability, they release a patch to address it. But a patch only works once it is installed by each device user. It takes only one unpatched device to place the entire organization at risk. BYOD policies absolutely must address this point.

Authenticate devices. Not only does BYOD mean employees will be connecting to your network with their chosen device; they might even use multiple devices. Things can then get complicated, fast. Multi-factor authentication (MFA) can ensure that only authorized devices gain access to your network. But because hackers have designed programs to bypass MFA, you cannot rely upon MFA as your only security control. Rather, MFA is only one tool in your toolbox.

Provide security management software. Your network is only as safe as each device on it, and each device is only as safe as its security software allows. That’s why many organizations have begun to provide Mobile Device Management (MDM) software to each employee. However, employees often express concerns regarding their own private data when forced to use MDM. Moving to a Unified Endpoint Management system can provide security while reassuring employees about their own privacy.

Consider Zero Trust. The Zero Trust framework starts with the assumption that every access request is unauthorized. Every device, every user, and every piece of data must prove itself. Zero Trust uses the following six principles:

  • Ongoing monitoring and validation
  • Principle of least privilege
  • Device access control
  • Preventing lateral movement
  • Multi-factor authentication (MFA)
  • Microsegmentation

Make it make sense. The problem with many security protocol measures is that they look good on paper, but don’t make sense for the way employees actually work. When implementing security measures, make sure you’ve examined both sides of the coin: What works for security, while also allowing ease of access for employees?

Consult with IT experts about appropriate security measures for remote work. Also confer with your business planning attorneys regarding the various liabilities and responsibilities of BYOD. While internet security is never 100 percent guaranteed, the policies you set forth now will offer significant protection for the foreseeable future.



Michael Kimball, Esq.

Mike Kimball offers practical, timely, and economical legal solutions that move projects along and allow you to focus more on your core business objectives. He has years of experience partnering with companies ranging from Silicon Valley startups to firms in aerospace, biotech, construction, and many more. Mike’s in-house experience includes Yahoo!, Krux Digital (acquired by Salesforce), and Commerce One. He has worked on transactions with Eurostar, Red Bull, Major League Baseball, NASDAQ, Goldman Sachs, Liveramp, Amazon, and NASCAR.