http://www.cxounplugged.com
No BYOD Policy? Time to grasp the nettle
Chris Gabriel considers why it is that so few organisations have a BYOD policy in
place, despite allowing employees to use their own devices for corporate purposes –
and highlights a series of issues that an effective BYOD policy must take into
account.
A research whitepaper published in November by Ovum and commissioned by
Logicalis, revealed a great many interesting BYOD trends – many of which were
highlighted in a recent CXO post (BYOD Research) by Ian Cook. Perhaps the most
startling, however, was the very low proportion of ‘BYOD-ers’ who have signed
corporate BYOD policies.
78% of firms have no BYOD Policy
The research found that, globally, almost 60% of full-time employees partake in
some form of BYOD, but only 20% of them have signed a BYOD policy. Is that a
result of employees simply failing to sign a policy? Apparently not. A separate piece
of research recently found that 78% of firms whose employees BYOD do not have a
policy at all.
If I might indulge in the art of understatement, that seems a bit of an oversight and
something of a risk. Without a policy in place, how can an organisation exercise any
control over the blurring of lines between personal and corporate, and protect both
parties against the BYOD risks that are so well documented? Quite simply, they
can’t.
Given that the number of consumer devices in the workplace is predicted to double
by 2014, reaching 350 million, I’d suggest that correcting that oversight will, or
should, be a priority for a great many.
However, and maybe this explains why so few firms have tackled the issue to date,
putting together a BYOD policy is not necessarily straightforward. Indeed, the task
almost certainly requires collaboration between a number of business functions –
human resources, legal and, given the technical nature of the risks, IT.
In fact, I’d argue that IT has a key role to play, given that the way BYOD is enabled
will shape the risks. That is, the starting point for any BYOD policy must be to quantify
what the organisation’s BYOD infrastructure enables employees to do with their own
devices, when and where, how information security is protected and what can be
done if something goes wrong. That input will form a vital framework against which
legal and HR teams can shape policies according to risks, regulations and corporate
governance.
No small task, and the outcome will differ from firm to firm, industry to industry,
region to region. There are, however, a few themes that most policies will
have in common. They include:
1. The ‘Right to Wipe’. What happens when a device is lost, stolen or misused,
putting the security of sensitive data at risk? A policy may stipulate that devices
must be password protected, encrypted and locked, but may also give the
employer the right to remotely delete data when a device is compromised. Any policy
setting out a ‘right to wipe’ should be very clear as to how much data can be
wiped from the device and, depending on the specific BYOD approach, make
employees aware that personal data may be lost.
2. Employee Responsibilities. There cannot be any wriggle room when it comes
to employee responsibilities, for instance making sure devices are compliant
and security software is kept up-to-date. Depending on the exact approach to
BYOD enablement, it may also be necessary to restrict BYOD access to a pre-
defined set of smartphones or tablets – for instance those supporting corporate
access apps or specific security protocols.
3. Employer Responsibilities. Any effective policy must also make clear where
the employer’s responsibilities begin and end. If an employee-owned device
malfunctions, who covers the cost of support or repair? Does the company
wash its hands of support, or could that compromise security? Alternatively,
some policies set out a sliding scale of support depending on job function – for
instance, it makes sense to offer support where the helpdesk cost is outweighed
by the potential for lost productivity.
4. What’s allowed? This is really the crux of the matter and where the company
can limit that blurring between ‘consumer’ device behaviour and BYOD. The
starting point is to work out what employees should be allowed to do with their
own devices, what data they can access, and what they cannot do – within the
limits set out by BYOD infrastructure and security. Obvious limits will be on ‘jail-
breaking’ devices, downloading corporate data and accessing certain websites,
or types of websites. But there is a balance to strike, because setting too many
limits risks putting employees off, which means missing out on the productivity
and collaboration benefits that BYOD can deliver.
There are, of course, a whole host of other considerations. Who pays for any
additional data allowance that might be needed, and who covers device insurance?
What does the ability to access and store corporate email, files and data on personal
devices mean for processes like eDiscovery, Legal Hold and Purge?
The point is, an effective BYOD policy must be comprehensive in protecting
businesses and employees, but not so restrictive as to make BYOD practically
useless. Getting it right is a complex and time-consuming task, requiring
collaboration across functions that may have conflicting views.
Maybe that explains why so many firms have yet to grasp the BYOD Policy nettle.
To see more blogs written by IT leaders, visit www.cxounplugged.com