A Startups Guide To Bring Your Own Device Policies (BYOD)

By 2017, one in two firms will no longer provide devices for use by their employees. Under deliberate or default “bring your own device” (BYOD) policies, an increasing number of employees are using their own phones and computers in the workplace rather than hardware owned by their employer. In a 2013 study conducted by Dell, 59% of IT Decision makers said they would be at a competitive disadvantage if they didn’t embrace a BYOD policy. And the companies at the forefront of the movement? Startups of course.

But is BYOD as great as it sounds? Start up companies are among the most financially savvy businesses, always looking for ways to stretch a small budget. At first glance, asking employees to purchase their own devices seems like an easy way to save company funds, while improving staff morale (19% of firms believe BYOD improves employee satisfaction) and offering other benefits.

On the flip side, there are some real concerns around BYOD policies that startups and businesses in general need to be aware of. One must ask whether the potential for short-term gain is worth the risk of long-term pain:

Securing your company intellectual property

According to an Ernst & Young report, the two main concerns about BYOD are mobile device security and data breach security. People are, in general, more relaxed with their own devices. As such these devices are more likely to be lost, shared and operated with out-of-date software and security. Secondly, employees are unable to access work content due to a lack of device support, they are more likely to use insecure internet, cloud and email programs to facilitate access.

When employees use their own device there is the added risk that they alone will possess vital digital evidence if there is any kind of legal disagreement between them and their employers. This kind of situation arises far more often than most new business owners believe. There is also the argument that employees become less productive when using their own devices with all the attendant distractions.

BYOD or bust?

All of these factors add to the headache of trying to monitor access to company systems, and seriously increase the risk of an unintended or malicious data breach. On company-owned devices, IT departments are more readily able to manage device software updates, security licenses and access controls. With BYOD however, these issues aren’t always considered.

So, from any risk management perspective, the safest option is to only use company-owned devices. For those businesses determined for one reason or another to try another path and / or minimise an initial spend, what other options are there? For startup companies needing to keep a lid on costs, BYOD alternatives such as choose your own device (CYOD) and company-owned, personally-enabled (COPE) policies are not usually a viable option. When executed properly however, with adequate planning and ongoing attentiveness BYOD can work for both the employee and the employer. They do offer economies of scale-type benefits for those willing to build a sound policy foundation.

If implementing BYOD, start with these four essential elements:

1. Create a support and operations model for BYOD

Before implementing a BYOD policy, make sure you weigh up all of the financial, logistical and security pros and cons. Don’t forget to include the cost of any risk management protocols you may need to implement, such as extra device support. BYOD may save money in the beginning, but if you’re paying for staff mobile and data plans, a content management protocol and investigative work to retrospectively address problems employees create, you may end up spending more money in the long run.

2. Create and implement a detailed BYOD policy

You’d be surprised how many companies that allow employees to use their own devices for work don’t have a related policy. To limit risk to both the organisation and the employee, your policy should complement other security protocols such as a workplace IT policy, and prescribe minimum standards of use for the employee. Having adequate security standards, authentication requirements and firewalls, storage encryption requirements and rights to monitor, manage and wipe data create a safer virtual workspace for company intellectual property and systems.

One way startups can closely manage their network and IP is by implementing a restricted BYOD policy, in which the company can manage compliance and security features on the devices to ensure systems are up to date and secure. A restricted policy should also allow employers to remotely block, monitor and wipe intellectual property from a device. This is most useful if the employee leaves the company, turns rogue or the device is stolen or lost.

3. Implement a Mobile Device Management strategy

Managing employee owned devices requires ongoing IT support to monitor usage of devices and ensure it is compliant with your BYOD policy. Before you begin it is wise to set up strict guidelines to follow for security measures, software updates and content access practices. Letting employees know there is IT support on hand, and implementing strict password security with a program like LastPass will prevent problems further down the track.

4. Test your systems

The biggest mistake you can make once you’ve finished all of this initial legwork is to leave it untested. Once all of your security measures such as password vaults, firewalls and data monitoring are in place, test them. Engaging professionals for penetration testing is the safest option, as they will assess all possible weak points into your company systems, including employee vulnerability through to device security, wifi networks, apps and firewall strength.

While employer-owned hardware is the safest option, embracing a sound BYOD policy can be an enviable plus for startups looking to launch with the lowest possible overheads. A proper policy will also keep costs relatively low if your business grows over time. It’s a nice plus for employees, too. But failing to adequately address and manage the risk implications can have a devastating result for your business-to-be. Take the time prior to launch to develop your BYOD policy, conduct a cost assessment, establish IT support and test your systems for vulnerabilities. The result will be a safe and secure work environment that fully embraces its BYOD competitive advantage.


Written by Lachlan Jarvis, MD of Lyonswood Investigations and Forensic Group (http://investigators.net.au/)