BYOD has a long history. We have been fighting mobile USB hard drives for twenty years. They're always huge compared to whatever storage is on the server and being backed up. We look around and find a 250 GB hard drive here and a 500 GB hard drive there. They get attached to the network, taken home, and moved about with no record whatsoever.
More importantly, we have laptops, smart phones, tablets, Kindles, iPads, and whatever they come up with next.
Devices get connected to the network. Data, security codes, client information, and all kinds of information gets moved between devices and the network. Devices are taken home, connected together, and who knows what.
BYOD Can Become "Bring Your Own Destruction"
It doesn't take much imagination to see data going where it doesn't belong, security holes big enough to drive a truck through, and important company data spread all over a series of devices with no controls whatsoever. This is very scary for us I.T. Pros, even if clients don't appear to give a shit.
Clients have always relied on us to just take care of things. They haven't had a bad experience (security breach, etc.). Therefore, they think we can keep doing whatever magic we do and protect them forever.
Clients honestly don't know how much danger they are in.
On top of all that, they are naturally resistant to passwords and complex security. So jumping through hoops to get devices connected is a tough sell.
Whether they like it or not - whether they want it or not - we need to push them to deploy a BYOD Policy for their employees. Just cell phones and iPads alone are enough to justify this action. Creating a policy forces them to bring the issues to the front of their mind.
Here's a sample policy you can start with. I have a few additional comments at the end.
- - - - -
BYOD ("Bring Your Own Device" User Policy
[ Company Name ] BYOD ("Bring Your Own Device" Policy
[ Company Name ] acknowledges that the use of Personal Electronic Devices (including but not limited to laptop comptuers, tablets, and cell phones) contributes to the effectiveness of our employees. This policy is established to govern the use of Personal Electronic Devices (PEDs) that access resources owned and managed by the company.
The company may from time to time publish lists of devices that may and devices that may not be used to access company resources. Please contact our I.T. Service Provider if you have questions about devices that may be used to access company resources.
Every PED that is used to access company resources must be approved before it is used to access company resources. Every PED must have our management agent installed before accessing company resources.
Please Note the Following Guidelines:
- Your account access will be locked whenever there are [_____] unsuccessful attempts to log into your account.
- The PED must employ a "screen saver" or time-out function that automatically locks the device within [_____] minutes or less of non-use.
- Your PED must require a password to operate or get past the lock-out screen.
- Your PED password must be changed at least once every [_____] days. Passwords must be compliant with company-wide password policies.
- No PED attached that accesses company resources may be operated in a manner that is illegal or in violation of any end user license agreements associated with any hardware or software on the PED.
- You are responsible for all costs associated with the operation of your PED, including but not limited to data service plans.
- Your PED will be "wiped" and all data erased if any of the following occurs:
- - The PED is lost or stolen
- - Our monitoring system determines that your device is associated with a data breach or security breach of any kind.
If your device allows for selective remote wiping of data, you may elect to have only the company-related data wiped.
[ Company Name ] pays a [ monthly / quarterly / annual ] stipend of [$_____] to the employee to compensate for the "company use" of a PED. This is the only compensation associated with this policy.
- - - - -
You might notice that this policy is designed to be partly enforcement-oriented and partly educational. Client need a bit of cold water in the face around security sometimes. They put a premium on ease of use. You need to make sure they understand the balance between "easy" and secure.
It's also the case that scaring clients a bit will help them to accept that a policy - and MDM - are a good idea.
- - - - -
About this Series
SOP Friday - or Standard Operating System Friday - is a series dedicated to helping small computer consulting firms develop the right processes and procedures to create a successful and profitable consulting business.
Find out more about the series, and view the complete "table of contents" for SOP Friday at SmallBizThoughts.com.
- - - - -
Next week's topic: HIPAA Part One - Training
I appreciate the accommodating statement in the policy preamble "...contributes to the effectiveness of our employees". If IT pros ignore this powerful motivator, any careless policy created will simply come off as another attempt to restrict one's productivity. Well-said!ReplyDelete
Thanks, Jared. I agree.ReplyDelete
What about PED's like home pc's used for remote access?ReplyDelete
Thanks for the question, Kristen. Personally, I would require that they be secured by the company's I.T. department. But, to be honest, I would be more careful than ever to restrict this access unless it is absolutely necessary. The possibility of having a rogue cryptovirus attack 100% of the company's data is more likely from a home machine than a managed machine.ReplyDelete