2020 BYOD Policy for SMBs and Nonprofits

March 11, 2021

Bring-your-own-device (BYOD) has become commonplace in today’s workplace as businesses leverage the tools their own staff already own in the hope of bolstering productivity. While it can improve communications and encourage remote work (e.g. staff can answer critical emails while travelling), it also opens your organization up to threats. Should you abolish the practice altogether? For some SMBs and non-profits, complete elimination of BYOD is not an option. But at the very least you need to create a firm policy.

1. Adopt Cloud-based Services for Mobile Device Management (MDM)

Budget-restricted SMBs and nonprofits rarely have the IT infrastructure to run a traditional, on-premises Mobile Device Management (MDM) system to ring-fence access to company data and workloads. The cloud offers a cost- and resource-effective alternative: a hosted MDM or mobile application management service keeps company data and applications in a managed work profile or container on the staff member’s device. Should an employee quit or be terminated, their access to company data and productivity applications can be revoked centrally and the managed container wiped remotely, so company data does not remain on their smartphone or tablet. Note that these controls only cover data inside the managed container; a photograph of the screen escapes them entirely, which is why it is also a good idea to make non-permitted use of a device’s camera against company policy.

2. Restrict Personal Use on Company Network

When onsite, staff must connect to the company WiFi network. They must not be allowed to use their own data plan, nor a nearby WiFi signal they may have access or a subscription to (Shaw Go, Telus, etc.). Traffic on the company network can be filtered and monitored, so you can block a wide range of websites, both those meant for personal use and those known to serve malware, and a device holding company data is not exposed to an untrusted network while it is in the office. Keep BYOD devices on their own segment (a separate VLAN or SSID) so that a compromised phone cannot reach internal servers directly. Your policy should explicitly state that IT personnel will set up and configure devices before they’re allowed to access the business’s network.

3. Institute Multi-factor Authentication

All access to company accounts and data from staff devices must be protected by multi-factor authentication (MFA). MFA requires more than one method of authentication from independent categories of credentials (something you know, something you have, something you are) to verify identity for a login or other transaction. In plain English, a login requires a password plus at least one further proof, such as a code from an authenticator app, a push prompt, or a hardware security key. Be clear about what MFA does and does not do: it stops a stolen password from being enough to log in, but it does not by itself make a lost device unreadable. For that, require a screen lock (PIN or biometric) and device encryption, which is on by default on current iOS and Android releases. Two-factor authentication (2FA) is simply MFA with exactly two factors; the more important question is how strong the second factor is. Codes from popular authenticator apps, Google Authenticator included, can be read by malware running on a compromised Android device, as a strain of Android banking malware reported in 2020 demonstrated. Where the budget allows, prefer phishing-resistant factors such as FIDO2 hardware security keys over app-generated codes, and never accept SMS codes as the only second factor.

4. Restrict Apps

Apps on BYOD devices must be restricted to those permitted by the organization. While apps in the Apple App Store and Google Play are vetted by the respective distribution services, there is still a risk in downloading lesser-known apps. Under no circumstances should downloads from third-party app stores be permitted – the policy must be firm on this. Add this app restriction rundown to your BYOD policy:

  • No downloads from third-party app stores
  • Stay up to date (via Google News alerts) on fake apps and scams
  • Review all app permissions

5. Automatic Updates

All permitted apps, carrier and firmware updates, and mobile device operating systems (iOS, Android, etc.) must be updated promptly, as soon as an update is available. This is because updates include patches for newly discovered vulnerabilities, some of which are already being exploited by the time the fix ships. Automatic updates can be enabled in a device’s settings, and the policy should require this; you may also want IT personnel to spot-check staff devices when a significant update is released. It’s for this reason that you need a full inventory of all BYOD devices being used by internal and external staff, including make, model and OS version. Narrow the permitted list to smartphone/tablet/laptop brands and operating systems that still receive security patches: a device whose vendor has stopped shipping updates cannot be brought into compliance and should not hold company data.

6. Document and Create a Reporting Policy

Everything above must be documented and shared with internal and remote staff as applicable. Included should be a strict requirement to report each of the following immediately during business hours, or within 24 hours outside of your company’s business hours:

  • Lost or stolen devices
  • Notifications or symptoms of a possible malware infection
  • Email phishing, SMS phishing (smishing), or voice phishing (vishing) attempts, whether or not the employee acted on them

For a lost or stolen device, the sooner the report arrives, the sooner IT can revoke the account’s sessions and issue a remote wipe through the MDM service, so encourage staff to report at any hour rather than waiting for the window to close.