BYOD Policy – Are you implementing it correctly?

July 28, 2013


Bring your own device (BYOD) is the business policy of letting employees bring their own devices to the workplace and use them for work. The concept has gained popularity in recent years mainly for the following reasons:

  • Employees are more willing to spend on devices that they own.
  • Employees take better care of maintaining and protecting these devices, since they alone are liable for the loss if a device goes missing.
  • Employees can be more flexible and add more productive hours, since they can contribute to the organization's growth from anywhere, anytime.
  • A correctly implemented BYOD policy can foster a culture of eagerness to work, producing efficient and productive employees as a result, since their needs are directly addressed by the company.
  • This makes the workplace a “fun” place to work.
  • It reduces the burden of IT inventory maintenance tasks such as commissioning / decommissioning corporate devices used for work. Subsequently, new hardware purchase costs are also lowered.
  • A start-up or a small or medium-sized company can avoid high purchase costs for laptops, smartphones, data cards and tablets, since employees have the flexibility to use their own devices at the workplace.
  • These smart devices often provide better processing speed and power for accomplishing tasks.
  • Substantial savings are made on carrier/ISP charges, since the organization doesn’t need to maintain elaborate corporate data plans and instead lets employees use their own data plans.

However, it must be remembered that corporate data residing on a user’s own device remains the property of the company. Hence adequate measures need to be in place to protect that sensitive corporate data.

Defining a Strong Business Case for BYOD

The most common reason a BYOD policy fails to be implemented successfully is that senior management and end users routinely fail to grasp the fundamental concept that drives it: it’s all about device ownership. BYOD is fundamentally no different from a corporate-owned device policy, except that device ownership now resides with end users instead of the organization. However, ownership of the corporate data still remains with the company.

There is one important caveat when opting for a BYOD policy. Adopting BYOD is a discretionary judgement that senior management must make with careful planning. Senior management must not look at it only from the single facet of cost savings; it is an important business decision that will directly affect the growth of the organization. Senior management should have a clearly defined and quantifiable goal for achieving the benefits offered by BYOD. Simply following the industry trend with a “Hey, everybody is doing it, let’s implement this in our organization” attitude can spell disaster for the organization’s growth if no advance planning takes place. This is why a strong business case is needed to reap the benefits of implementing a BYOD policy.

Senior management must also accept the risk that implementing BYOD opens more avenues for data leakage from employees’ devices. Many of these devices can also share data in the cloud, increasing the likelihood of data duplication between cloud and apps. Hence, appropriate solutions, tools and techniques to prevent and contain leakage of this vital business information must be implemented as well.

Defining BYOD Policy rollout

For a successful BYOD policy rollout that generates maximum return on investment (ROI), we must follow these steps:

  1. Assess organization readiness and define leadership: A well-defined business case with clear-cut goals is a prerequisite before developing a BYOD policy. Next, the control group operating and overseeing the BYOD policy needs to be defined and assigned responsibilities. The policy needs to be communicated in top-down order so that no ambiguity remains in its adoption. Penalty clauses and security mechanisms must be designed into the BYOD policy to give adequate security to the devices.
  2. Develop BYOD Charter: A well-defined BYOD charter will ensure that business managers are required to make regular investments in the security of BYOD devices. This helps to establish a business justification for monitoring and administering the corporate data residing on employee-owned devices.
  3. Setting up BYOD governing body: The governing body of BYOD is responsible for developing, implementing, overseeing and maintaining the BYOD program. It should include business vertical heads along with HR, legal and finance domain experts for smooth implementation of the BYOD policy. The governing body may start with a rough checklist assigning BYOD tasks, such as:
    • Which employees will qualify for BYOD? This should be defined on a per-role basis
    • Written signed agreements with employees for accepting risks concerning the device usage
    • Which OS version will be supported for devices?
    • Policies regarding wiping of personal/corporate data in case of device loss
    • Methods used for separation of personal and corporate information on devices
    • Actions to follow after a security violation.

    All policies must comply with region-specific laws, which automatically take first priority when designing the BYOD policy. It is important to update the policy document and adjust it to the ever-changing landscape of evolving technology. It is better to implement a BYOD program in a phased approach. Initial success will generate enough confidence in senior management about its successful operation, after which it can be applied to other departments. The users from the initial phase of BYOD deployment must emerge as champions for BYOD usage, to spread the culture effectively and securely across the length and breadth of the organization.

  4. BYOD IT Process Group: This IT processing control group will look after the required software upgrades and the license implications of mail access from employee-owned devices.
  5. Managing BYOD policy: BYOD programs require strong security solutions such as network access control (NAC), Wi-Fi routers and Mobile Device Management (MDM) solutions for organization-wide management of personal devices. Containerization tools to separate corporate data from personal data must be procured. A technical way to separate corporate and personal data is to use dual-persona smartphones, i.e. devices with one interface for personal use and another for business use. High-end smartphones such as the BlackBerry Z10 currently support this.
  6. Post Deployment Support: High-quality help desk support is a prerequisite for successful BYOD deployment. It should provide assistance with diagnostic tools for troubleshooting and a list of manufacturers’ support phone numbers for quick reference.

Common Pitfalls to Avoid During Deployment of BYOD Policy

Though adopting a BYOD strategy might seem a very attractive proposition at first glance, it is advisable to exercise caution and care when implementing it in your company. Left unmanaged, BYOD can act as a constant drain on the organization's funds. This holds especially true when a BYOD policy is implemented across a large organization spread over multiple geographies.

For example, in the traditional corporate-owned approach, a large firm typically invests around $200 for compatible smartphones and $500-$1000 for notebooks/tablets, along with a high-end corporate data plan for all its employees. But here it gets interesting. Corporate data plans allow these companies to pool their voice minutes and their data bucket. If any one employee goes over his or her allotment, the company can make up the difference by taking unused voice or data from another employee’s allotment. That gets rid of much of the overage fees their employees would otherwise end up charging back to the company.

Needless to say, carriers offer better discounts on corporate plans than to individuals. National and international roaming is also offered at heavily subsidized rates in corporate data plans. The savings from these fixed, cheaper call rates eventually work in favour of a company that has an international footprint across its offices. Now imagine BYOD replacing this system: each user will typically shell out the $1-per-minute voice costs and $10 per 10MB that many individual users pay when abroad. Multiply this by the typical workforce of 5000-10000 at a large organization. This figure clearly pales in comparison to the savings made while using corporate plans.


BYOD policy seems inevitable in the coming years, as technological advancement in “smart” devices helps employees achieve better productivity with flexibility at the workplace. Instead of denying access on the grounds of security concerns, it would be in the best business interest to embrace this policy, which allows people to be more productive in the long run. No doubt, we do need clearly defined rules and accountability factors, enforced via legal and technological means, to protect the sensitive corporate data residing on people’s devices. But as the nature of doing business evolves with technological advancement, it’s in everybody’s best interest to accept BYOD policy, since it directly addresses the need to collaborate and communicate at the times when it matters most. After all, when it comes to business, time is money!




Manasdeep currently serves as a Security Analyst in the Technical Assessment team at NII Consulting, Mumbai. His work focuses on conducting Security Audits, Vulnerability Assessment and Penetration Testing for NII’s premier clients. He possesses strong analytical skills and likes to keep himself involved in learning new attack vectors, tools and technologies. He has a flair for technical writing and shares his thoughts on his blog “Experiencing Computing…”. He has also published information security paper(s) in the International Journal of Computer Science and Information Security (IJCSIS) along with various seminar / conference proceedings.
