Developing BYOD Policies: 5 Questions to Ask

By Jason Moody

The employee satisfaction and productivity benefits of BYOD are too great for most companies to ignore, but when creating policies for the use of personal devices, it’s vital to understand that one size doesn’t fit all. BYOD policies should be implemented on an individual-level based on the answers to five fundamental questions starting, respectively, with who, what, when, where and why. Here are the five questions you need to ask, along with the enterprise mobility management capabilities you’ll need to answer them.

 1. Who is logging in?  

The first step in creating individualized BYOD policies is having the ability to verify that the person logging in is, in fact, the person authorized to do so. This process can be implemented through a series of security questions or password gateways. As part of the authorization process, a solution for enterprise mobility management should include a single sign-on to validate the user’s identity while making it easier to use mobile applications.

2. What device is being used?

Once a user is verified, the device being used must also be validated. Your mobility solution should prevent access by unauthorized devices, as well as by authorized ones that users have “jail broken,” which means they have installed unauthorized applications, such as a file sharing app, that can put the organization at significant risk.

 3. When is the login taking place?  

The ability to track when a user logs into the corporate network is a useful way to manage risk. For example, if a user typically logs in during business hours and the early evening, then a sudden attempt late at night could indicate an attempt to hack the network. Additionally, an enterprise mobility management solution should support a complete onboarding and off-boarding process, which eliminates access by employees who have left the company.

 4. Where is the device? 

Similar to “when,” the ability to track where a login attempt is coming from can help eliminate unauthorized network access. For example, if a user typically logs in from an office in Los Angeles, a sudden attempt from Beijing should raise a red flag.

5. Why is this person logging in?

An administrative assistant in HR should not have the same access capabilities as a vice president of sales. As such, it’s extremely important to understand why particular employees need access to specific data. So, create appropriate policies accordingly. Your enterprise mobility management solution must be able to permit access based on those policies.

Keep in mind that individual-level access policies aren’t just about preventing unauthorized access; they are equally about ensuring access for those who need it. If your mobility solution doesn’t support fine-grained policies or the general access policy is too restrictive, then employees may find another way to access what they need, leading to the rise of shadow IT and increased risk. It’s essential to understand, at a user level, what information employees need and why, so policies can be developed and implemented to empower them to be productive.