
Implementing a Bring Your Own Device to Work Policy

EJ Phillips

Bring Your Own Device (BYOD) policies can help set up your business for success, especially if you are a small company. A BYOD policy enables your employees to use their own devices—smartphones, tablets, laptops, etc.—for work. It is a trend that has been on the rise for years and became even more popular when COVID-19 forced many employees to suddenly work from home.

If you are considering implementing a BYOD policy at your organization, there are things you should think about to properly address liability, security, and the employee experience.



  • Familiarity

One of the biggest pros of a BYOD program is that each employee is able to use a device with which they are familiar. Some people are diehard Apple fans. Others are only happy on an Android. By allowing your employees to use their personal device for work, you can honor their preference. There also is no downtime while a person learns a new OS or gets comfortable on a new device.

  • Flexibility

The modern workforce often requires mobility. Allowing your employees to use their own devices for work means they are able to access necessary documents whenever and wherever they are. Perhaps they are on vacation, and you just need that one email. No need to lament that they’re at the beach and don’t have it on their work phone that was left at home. Nope. It is right there, and they can forward it on to you in a jiffy.

  • Reduced Cost

This one is pretty self-explanatory. If a company allows its employees to use their own devices, it does not have to purchase phones for them. While many companies do offer monthly reimbursement plans to their employees for cell phone coverage, not having to purchase the phones up front is a cost savings. Another perk of this is reduced repair costs. Employees are more likely to take care of their phone and protect it if they own it, which also reduces the employer’s responsibility for repairs and upgrades.


  • Liability

Who is responsible for repairing a device when it is broken during work? What if something goes wrong on an employee’s device due to a work-related task or application?

These are questions that should be addressed in a BYOD policy and stated clearly for both the safety of the employee and the employer.

  • Security

When employees are allowed to bring their own devices to work, that means their personal devices are used to access sensitive company information and applications. The security of that information on private devices can be more difficult to manage for IT departments and contractors.

Organizations implementing BYOD policies must accept that they are relinquishing some control over what is deemed appropriate use of employee devices. There is only so much a company can do to ensure that devices are being used appropriately, so what is deemed appropriate and inappropriate should be well laid out in a BYOD policy.

  • When an Employee Leaves

Security of information also can be an issue with BYOD policies when an employee leaves the organization. While you will want to remove all your company information, when a device is owned by an employee, you simply cannot remove all the data and photos.

Furthermore, when an employee leaves with their phone number, all their contacts will still have that phone number. If they move to a competitor, even if they have signed a non-compete agreement, you cannot legally stop your clients from reaching out to them.

What Should Be Included in a Successful BYOD Policy

So you’ve decided to leave your employees to their own devices. (Sorry, we couldn’t resist the pun!) What’s next? A well-designed BYOD policy will save your organization money and headaches and grant your employees more flexibility. But what exactly should a BYOD policy include? Here are pim’s recommendations. (1)

  • Passwords

If your employees are storing valuable company information and data on their personal phones, having password protections on devices should be non-negotiable. Yes, this may be a hassle for the user, but passwords are the first line of defense when it comes to an effective security protocol. Some organizations also require regular password changes, every 90 days, for example. You may also want to consider requiring two-factor authentication on apps and programs that are accessed from employee-owned devices.

  • Employee Privacy

Obviously, company data belongs to the company. But this information is held on a privately owned device. How much right to privacy does this employee have if their personal data sits next to sensitive client data? A thorough BYOD policy needs to address how you protect your company data while also ensuring the privacy of your employees. Some companies choose to tell their employees to expect no privacy when using personal devices for work purposes.

  • Data Transfer Provisions

If an employee is using an unapproved app to transfer data, and this unapproved app is breached, you could have a serious legal problem on your hands as well as the trouble of a data breach. All company data should be encrypted, password protected, and only transferred on company-approved applications.

  • Proper Maintenance

Your BYOD policy should mandate that employees keep their personal devices used for work up to date with security patches and updates. These updates help provide protection from known risks. Keeping devices and applications up-to-date is part of overall digital security.

  • Approved Applications

Make sure that your team has a list of approved applications, or else your employees may establish their own apps to use. Make sure to include all appropriate applications for secure messaging, email, and your CRM. Make sure also to include a list of forbidden apps, if you choose to forbid some applications.

  • Provisions in the event of Termination

Allowing your sensitive company data to remain on a personal device when a person leaves your organization, whether through termination, finding work elsewhere, or retirement, is a bad idea. Your BYOD policy should include procedures that outline how company data is to be removed from personal devices. Furthermore, upon any termination, an organization is obliged to ensure that all company data is removed from all devices and that all permissions to company applications are revoked.

Above all, once you have a detailed BYOD policy in place, make sure that it is easy to understand and enforce. This will make buy-in by all stakeholders, both employees and employers, much easier.

