Having a good BYOD policy in place is critical for most companies today, especially in the financial services industry. Employees using mobile devices that are connected to a corporate network, and that are privy to valuable and sensitive data, need to know exactly what protocols they should follow in using that device.
According to Nolan Goldberg, an intellectual property and technology counsel with Proskauer LLP, knowing the fundamental principles of information governance is key so that any BYOD policy can grow to handle whatever comes tomorrow in this world of rapidly changing technology. Firstly, he says it is important to note the difference between an organization giving out mobile devices for work use and an organization allowing employees to use their personal devices for work and to store corporate data on them. Most companies have a mobile device management policy in place for the former, so it's the latter that requires a well-implemented BYOD policy.
If an employee is allowed to use his personal device to gain access to a corporate network for work purposes, he needs to know the expectations of privacy and ownership of data that comes with that privilege, notes Goldberg. For example, if that employee leaves the company and corporate data needs to be removed, will the entire phone need to be wiped, thus causing the employee to lose personal data as well? These are scenarios that need to be addressed in a BYOD policy, Goldberg says.
"It needs to be clear who owns what," he adds. "The employee has an obligation to know what he can and can’t do."
Goldberg says the biggest mistake companies make is allowing employees to use personal devices for work use ad hoc without having a policy in place. "I don't think as of right now there's enough of a history to say that one kind of policy is better than another," he says. "The biggest thing is to have one in place."
Further, he says it is important to involve all of the corporate stakeholders in crafting a BYOD policy.
"While one purpose of the policy is compliance and protecting the company, it's important not to overlook that another purpose is to facilitate business goals," he says. "Employees need to be able to meet business needs with their devices within the constraints set by the other stakeholders, such as HR."
Ultimately, Goldberg says the ideal scenario for managing employees who use personal devices for work is the combination of having a clearly defined policy in place along with implementing good mobile device management software.
"Having technology in place that will help you implement the policy is key," he says.