The Ultimate BYOD Policy Every Organization Needs to Implement

published on Legal Risk Management, Legal Technology

According to several estimates, the number of smartphones in use around the world will reach 2 billion by the end of this year. The growing use of smartphones, tablets and other mobile devices means that more employees are doing work on their own electronic devices, whether organizations like it or not. IT departments used to control the technology used at work, but since the invention of the iPhone that culture has shifted: now users are the ones buying the latest technology, and they want to bring those devices to work. If your organization hasn’t drafted a Bring Your Own Device (BYOD) policy, it’s time to start thinking about it. Here’s what your BYOD policy should include:

Specify What Devices are Permitted:

In the “olden” days, when everybody had a BlackBerry, everybody brought the same device to work. These days, with so many choices available, it’s important to decide what your organization means by “bring your own device.” Do you mean bring your iPhone but not any other phone? Bring your own iPad but not any other tablet? Make sure it’s clear to employees which devices the policy allows.

Establish a Strict Security Policy for all Devices:

Users often resist setting hard-to-guess passwords or PIN codes on their personal devices because it makes accessing their apps a little less convenient. This is not a valid complaint: phones connected to the company’s network hold a great deal of sensitive information. If employees want to use their devices on the company network, they need to protect the device with a password and lock the screen whenever they are not using it, even if the device is sitting on their desk.

Define a Service Policy for Devices:

It’s important that your organization sets boundaries for what happens when employees experience problems with their personal devices. The BYOD policy should define what level of support the IT department will offer for broken devices and for apps installed on personal devices.

Make it Clear Who Owns What Apps and Data:

While it’s obvious that the organization owns the information stored on the servers that employees access from their personal devices, an issue arises when a device is lost or stolen. Wiping the phone erases all of its content, including personal pictures, music and apps the company has not paid for. The BYOD policy should make clear whether the company has the right to wipe devices and, if so, how employees can back up their content so that they can restore their personal information.

Decide Which Apps Will Be Allowed or Banned:

It should go without saying that employees cannot use banned apps, regardless of whether the device is owned by the company or the employee. Another question to address is whether users may download, install and use applications that present a security risk on devices that can access sensitive company data.

Set Up an Employee Exit Strategy:

Make sure that when an employee leaves your organization they aren’t taking any sensitive company data with them. Under a BYOD policy, employees can’t simply return their phone. Instead, companies can make disabling the employee’s access to the company network part of the exit checklist, while more security-conscious companies choose to wipe the device. If your organization prefers to wipe the device, there should also be a clear method for backing up the employee’s personal pictures and applications.

A BYOD policy has the potential to save money, because organizations don’t have to buy mobile devices for employees or keep them updated, and employees are happier using a device they’ve picked out themselves. While there are always going to be security risks – and some of them can seem quite overwhelming – policies are the first line of defense against data breaches, as long as employees are on board.