BYOD security considerations: Why you must create a policy

BYOD: A win-win for businesses and workers

Look at the benefits of BYOD (Bring Your Own Device), and it is easy to see why both workers and employers often support the arrangement. Employees can select the tech they feel most comfortable with and enjoy access to work-related and individual information in one convenient place.

To a company’s advantage, BYOD spares (or at least lowers, if sharing costs) the business expense of issuing smartphones, laptops, or tablets. And staff members possessing the means to connect from any place at any time raises productivity potential, especially while traveling or when an emergency closes the office.

However, the setup also contains a variety of potential pitfalls that both sides need to be aware of from day one. Here, we examine some of the risks of BYOD and actions to combat these dangers.

Risks of bring your own device

Using tech always involves some risk, which is why companies take safety measures such as installing anti-virus software and requiring passwords to access files.

IT departments keep in-house machines up-to-date on security and permissions, and computers never leaving the office minimize the chances of being lost or stolen.

Much of that control gets compromised when devices are not company-owned and routinely move outside the office. Owners may not diligently keep up with security patches. Outsiders may view the files an employee has open or hack into them. Devices can be forgotten anywhere.

Keeping company interests top-of-mind also can be problematic. When an employee owns a device, he may not operate it as carefully as a machine clearly marked solely for work.

He may decide to delete business messages that should have been saved, leading to potential problems if the content is ever needed for legal cases.

The employee also may not realize that inappropriate cyber behavior, such as sending sexually explicit photos to a colleague, isn’t “excused” because executed on his own device — landing both the worker and the company in a great deal of hot water.

Malicious behavior on the device becomes an immediate issue if an employee gets terminated. Without swift action to prohibit access to files and permanently wipe off company information, an angry former employee may tamper with records and other proprietary or confidential data.

Creating electronic policies and procedures

Protecting the company starts with clear, written instructions governing the use of personal devices. Because such a document touches many aspects of the business, it should draw on input from a variety of relevant sources: legal counsel, senior executives, HR, records managers, and IT.

While companies formulate BYOD policies and procedures based on their own needs, the following are often at the heart of what should be covered:

  • User will password-protect the device in accordance with company standards.

  • User agrees to maintain the original device operating system, keep the device current with the manufacturer’s security updates and patches, and allow company IT to install security software (firewall, antivirus, web-protection applications) as it sees fit.

  • Users will not install software that bypasses standard built-in security features and controls.

  • User agrees the device will not be shared with family, friends, or others.

  • The user will follow company rules governing what employees may and may not do with business records and HR information on personal devices. This includes an agreement to delete sensitive business files that may inadvertently be downloaded/stored via email attachments.

    Sensitive business data includes documents and data whose loss, misuse, or unauthorized access could harm the privacy or welfare of an individual (for example, personally identifiable information), affect the outcome of a complaint or lawsuit, or expose proprietary information, company financials, or other business records.

  • User will forward business-record text messages, email, and other electronically stored information to business email accounts at the end of each workday.

  • User must notify management immediately if the device is lost or stolen.

Distinguishing personal and company devices

Guidelines also often require employees to let IT examine personal mobile devices as necessary. As this can be a controversial action, take care to craft a sensitive statement, such as this sample:

The company will respect the privacy of your personal device. Company IT will request access to your device only for specific reasons: to implement security controls, or to respond to legitimate discovery requests arising out of administrative, civil, or criminal proceedings. Access for discovery requests applies only where you have downloaded business records, email, attachments, or other company documents to a personal device.

Note that this differs from a company’s policy for employer-provided mobile devices and services. Employees do not have the right, nor should they expect, privacy when using company-owned mobile devices or services.

What about when an employee leaves?

A BYOD policy should also address what happens when an employee leaves the company. Workers need to know that IT will wipe (delete) business data and HR records stored on the device when they leave.

Consider developing a protocol that removes all business records, HR information, and other company data from the device while leaving the employee’s personal, non-business information intact.

Remember, though, that guidelines mean little if just tucked away. For them to be effective, give employees a clear understanding of their individual and collective roles regarding lawful record management and compliant online behavior.

Educate workers about what policies exist and how these words apply to everyday actions. An educated staff serves as a great first line of defense by preventing problems before they start!

Want more insights like these? Visit Beth Braccio-Hering’s author page to explore her other articles and expertise in business management.