The term BYOD relates to staff using personal devices such as smart phones and computer tablet devices for business use, as well as personal use. However, the business owner does not have sufficient control over these devices. Connecting these devices to the corporate IT systems can introduce a range of security vulnerabilities and other data protection concerns if not correctly managed.
BYOD raises a number of data protection concerns because the device is owned by the employee rather than the business. An alternative is to issue key employees with devices that are owned by the business, but enabled for personal use. This is called COPE – Corporately Owned and Personally Enabled.
COPE can be a less expensive option than BYOD, in which employees are often reimbursed for all or part of the cost of the devices they buy. This is because if the company buys devices, it can generally get them for less than retail price. COPE also gives the company more power in terms of policing and protecting devices, thus reducing some of the risk that comes with BYOD.
The Information Commissioner's Office website has some really well-written information regarding BYOD.
My recommendation is to write a short but comprehensive BYOD policy, backed up with a procedure on applying security settings, and what to do if the device is lost or stolen. Many devices have a ‘remote wipe’ facility, and business owners and their employees need to be competent at using it, as one day it may be needed.