Definitions
Mobile phones
Bring-Your-Own-Device (BYOD) is
> [a] type of rate plan offered by some mobile phone and VoIP service providers, for customers who want to use their own existing mobile phone or VoIP device, respectively, when they sign up with a new service provider. BYOD plans typically have no term commitment, no early termination fee, and possibly even a lower monthly recurring charge than the service provider's other plans, all of these concessions made possible by the service provider's not having to incorporate a subsidy for a "free" instrument into the rate plan.[1]

General
Bring-Your-Own-Device (BYOD) (also called Employee-Owned Information System) is
> a concept that allows employees to utilize their personally-owned technology devices to stay connected to, access data from, or complete tasks for their organizations. At a minimum, BYOD programs allow users to access employer-provided services and/or data on their personal tablets/eReaders, smartphones, and other devices. This could include laptop/desktop computers. . . .[2]

> the policy that allows employees to bring personally-owned devices — including laptops, smart phones and tablets — to their workplace and to use those devices to access the company's applications and data.[3]
Risks
Significant risks of allowing BYOD include:
- The employee may lose a personal device that contains business information.
- The employee may unintentionally install applications that are malicious in nature.
- The employee may unintentionally disclose business information, for example, by allowing family members or friends to use a laptop containing sensitive business information.
- The BYOD implementation itself may breach applicable laws and regulations; for example, an improper BYOD implementation may violate data privacy laws and regulations.
BYOD policy
At a minimum, the BYOD policy should cover the following:
- Who the policy applies to (e.g., staff, contractors)
- Which devices can be used (e.g., laptops, tablets)
- What services or information can be accessed (e.g., email, calendars, contacts)
- The responsibilities of the employer and staff members (including for security measures that need to be adopted)
- Which applications (apps) can and cannot be installed (e.g., for social media browsing, sharing, or opening files, etc.)
- How business applications and data are accessed
- Ideally, untrusted devices should access business applications and information via a virtual desktop. Citrix and VMware are examples of companies with virtual desktop products that are well suited for secure BYOD implementations.
- What help and support is available from IT staff; and,
- The penalties for non-compliance (e.g., loss of BYOD privileges and other disciplinary procedures).
References
Source
- "Risks" section: Cybersecurity Best Practices Guide, at 29.
- "BYOD policy" section: Cybersecurity Best Practices Guide, at 29.