Good BYOD advice from across the Pond


Today, I came across some good BYOD advice from the UK Information Commissioner's Office (ICO), which I thought I would share with you.

First, ICO recommends that enterprises ensure that employees keep their personal devices secure by using a strong password, encrypting data stored on personal devices, maintaining a separation between personal and work data and using only approved business apps for work-related activities.

In addition, firms should ensure that data transfers between personal devices and corporate systems are secure. Employees should use secure channels to transfer data and should avoid untrusted connections, such as public Wi-Fi networks and insecure public cloud storage services.

If an employee's personal device is lost or stolen, enterprises should ensure that they have the ability and legal right to wipe corporate data.

ICO also recommends that enterprises have an "end of contract" policy to ensure that corporate data does not remain on a personal device once the employee leaves the company or changes phones. The policy should spell out that when an employee leaves the company, all passwords are to be changed and all access to facilities, such as company email, intranet and social media, is to be revoked.

In addition, enterprises should provide information on how users should delete data on a personal device prior to disposal, resale or recycling. This is particularly important at this time of year as employees bring in new devices received over the holidays.

Firms should have in place a clear acceptable use policy to provide accountability for employee behavior. This policy should be linked to a social media policy if BYOD leads to an increased use of social media. In developing the acceptable use policy, all relevant departments, including IT and human resources, as well as end users, should be included.

In releasing the recommendations, Simon Rice, ICO group manager for technology, commented: "As the line between our personal and working lives becomes increasingly blurred, it is critical employers have a clear policy about personal devices being used at work. The benefits must be balanced against the potential risks to work-related personal data."

While this advice is to ensure that UK firms comply with the country's strict Data Protection Act, it makes sense for all enterprises considering BYOD, even in less strict regulatory environments. - Fred