Protect your small business from liability, security risk, and noncompliance by creating a few simple rules for employees and their smartphones
Take a poll of your employees. How many of them carry a smartphone in their pockets? How many are using them—or want to use them—to read and send work emails, text with colleagues, and even access cloud-based business applications? Because so many people now use these remarkable handheld computers to get so much done, small companies are being forced to figure out how they fit into their networks. And that means developing a usage policy for wireless handheld devices that your employees use for work.
The very first element your policy should cover is whether or not you allow employees to connect to your business network with their personal devices, like smartphones and tablets. If you want to let them check their work email, use your cloud-based apps, and use your other productivity tools on their devices, then you’ll need to work out exactly which data and applications will be allowed on those devices—and how they can be used when connected and not connected to your network.
A wireless device usage policy is similar to an acceptable use policy (AUP) for your network. This post can help you write an AUP for your small business.
Crafting a workable wireless device policy
You must address a number of questions in a wireless handheld usage policy. For example, who can use their wireless devices on your network? What kind of information is allowed? How much control do you retain over personal devices? Your policy must answer these questions to protect your company from potential liability, security risks, and noncompliance with mandated data privacy requirements. Here are the critical questions to consider:
1. What types of information can be accessed or stored on employees’ wireless devices? This boils down to business-critical and confidential information vs. non-critical or even public information. If you’ll allow users to access files that are sensitive, then you’ll have to implement stricter controls. Remember, so much important data is sent through email and stored in the cloud that it’s probably safest to expect that everyone using their smartphone will at some point access sensitive information.
2. Who owns the wireless devices? If your company decides to provide users with smartphones, then you own them and can dictate their use. However, if you allow employees to use their own devices, you can exert less control over them. Still, you can stipulate certain conditions—namely, adhering to the rules you set in your wireless device policy—that users must follow to be allowed to access your network, applications, and data with their personal devices.
3. What security measures must they take on their devices? This may be the most important condition you set. You can require people to set passcodes and actively run mobile security software, like anti-virus and self-destruct applications, on their smartphones and tablets. You can also ask that the devices be checked against these mandated security techniques before users are given the OK to connect to your network.
4. Can employees sync their handhelds with their work computers? When you sync your smartphone to your computer, you can easily transfer private data from one device to the other. This can pose a security risk if someone steals sensitive data and then leaks or gives it away, say to a competitor. Also, this is a path for malware and viruses to come into the company.
5. Can people share their devices? If some employees have different access rights to company data, you probably do not want them sharing their handhelds with each other. Any need-to-know classifications your company has given certain employees will help structure this part of your policy.
Enforcing this policy
When you write your policy, make the conditions and consequences specific, but don’t name particular devices. By keeping the policy generic to “wireless handheld devices,” for instance, you can be sure that your wireless device usage policy will apply to any new technologies that make their way into your office.
What do you allow employees to access on your small business network with their smartphones and tablets?