BYOD needs policies for managing business data on private devices


'To get the most from BYOD policies, it is essential that they are moderated and, when breached, enforced.'

This article was originally published on V3.

The rapid rise in tablet and smartphone use has had a dramatic impact on business. Mobility has become a part of everyday office life and employees are presented with increasing flexibility when it comes to how they choose to work.

Freedom to work from home or elsewhere can give employees real choice, not only in how they manage their time but also in what types of devices, apps and operating systems they use. These developments in technology have opened up a wealth of opportunities for any employer. However, freedom of technology brings with it a big issue – data security.


A sign of the changing times was seen with the government’s recent adoption of the Open Document Format. In July 2014, the government announced this new format that is set to drastically improve the flow of information and remote access to documentation. It will make government services cheaper and easier to access, ultimately improving the economy. While the Open Document Format is set to revolutionise data sharing and security, it didn’t happen overnight and has been a long and costly process.

Most companies acknowledge that remote working can be secure, but this is often limited to a home desktop or laptop computer. The complexity of securing mobile apps, content and devices seems to be perplexing modern workplaces as the divide between personal and work lives becomes ever more blurred and complex.

Hand-held devices add another layer of complexity as employees use a number of different manufacturer-specific operating systems, multiplying the number of “moving parts” companies must consider when managing and securing confidential and sensitive information.

There are a number of mobile device management (MDM) products on the market that aim to address this problem; however, there are still practical limitations on how far an employer can go in managing data on a private device.


Properly monitored and enforced bring-your-own-device (BYOD) policies create the basic starting point for a company and should outline how it intends to manage and secure corporate data on mobile devices. This should include transparent guidelines for how corporate data will be managed and separated from personal data.

BYOD policies should be carefully developed, ideally created in consultation with those employees who will be expected to work within them. If compliance is too onerous, employees will find a way around them. For example, if an employee is having trouble sending emails or sharing documents on official work platforms, they may look to use a personal email address or an unauthorised personal cloud sharing platform to move these things on without delay and between devices, putting sensitive corporate data outside of IT’s management.

Mobility policies should be collaborative in order for them to be adopted, and they require transparent communication to all affected staff. It is important for companies to understand the reasoning behind the policies and educate employees about what non-compliance means in real terms. This includes the security implications of non-compliance (i.e. data breach) and, in some cases, disciplinary action for employees who don’t comply.


To get the most from BYOD policies, it is essential that, as previously explained, they are moderated and, when breached, enforced. Each time the policy, or any policy, is enforced, it is good practice to distribute a reminder around staff (without breaching internal confidentialities), highlighting best practice and adapting the policy if required. This can act as a timely refresh of the policy and remind employees of the consequences of non-compliance.

MDM applications can also assist with mobility information management. The ideal application for a device is one that offers immediate remote deletion of sensitive information, should it become necessary. For this to work it must be used effectively and completely. A company should use a vendor that can help to separate corporate and personal information on devices, making secure management much easier for IT departments.

For example, the end of any relationship can be difficult and a termination of employment, for whatever reason, can be an equally passionate cause for concern. Retaining control over confidential and sensitive commercial information that an employee may have access to is vital to any organisation. Enterprises must be able to access and delete any files, emails, or company information remotely. If such data is stored on personal devices outside of the control of the company, it is necessary for them to review secondary contractual or policy terms.

A well-managed and informed BYOD policy allows an organisation to embrace and benefit from developments in the digital world, but the inherent risks must be protected against at the same time. A sensible policy can improve internal and external communication and company morale. A robust set of restrictive covenants that are properly considered and reasonable will assist this and allow employees to feel the freedom of accessing information remotely, without the company worrying that the data is insecure.

Employees will be using their own devices whatever happens. It is far better to manage that use than suffer any unfortunate consequences.

03 Oct 2014