By Joe Ross

Bring your own device (BYOD), in theory, is a beautiful thing. Employees are free to use their personal devices at work, allowing for more efficiency and flexibility. Not to mention that employers save on outfitting an entire company with PCs, phones and tablets, while at the same time getting a more reachable employee.

Yet the reality of BYOD is a lot more complex. It complicates the discussions around employer and employee rights, how company data can and should be stored on a device that doesn't belong to the company and what responsibility and accountability an employee has to keep company data secure. These challenges alone seem complicated and difficult to handle. Combine these with the fact that a good BYOD policy must also address the different work and tech styles of three employee generations and their varying levels of tech savviness, and a solid policy seems near impossible to create.

When approaching the problem of creating a BYOD policy that works for your company, a good first step is to understand how your employees use their technology, what weaknesses each is most likely to exhibit when it comes to security and how to address those weaknesses.

On Millennials

According to the U.S. Bureau of Labor and Statistics, the millennial generation will dominate the workforce by 2015. This is also the generation that is driving the adoption of BYOD. Millennials are mobile, work anywhere and everywhere, and the odds are pretty good that, whether or not you have a BYOD policy in place, they will use their personal devices for and during work.

A 2012 survey by Vision Critical found that 36 percent of millennials have broken or would break a company policy banning BYODs. In the same survey, 55 percent responded that using their mobile device at work is a “right” versus a “privilege.” Sixty-six percent of respondents also said that they are responsible for the security of their devices, not their companies. This “do-what-I-want” attitude makes millennials a huge security risk for companies.

When crafting a BYOD policy for millennials, it can be helpful to keep this attitude in mind. Assume the rules are going to be broken and provide them with the tools they need to keep their devices—and your company information—safe.

A few tools to keep in mind:

  • This group likes working on-the-go. Give them a resource to avoid using risky open WiFi networks. A VPN or a hotspot is a good alternative.
  • Create and provide standard antivirus and anti-malware protection for all types of devices.
  • Separate data and applications from personal devices. Use cloud technologies to provide virtual desktops that employees can access on a browser. This eliminates storage of data on devices.
  • Consider proactive monitoring for your company. By proactively monitoring for employee credentials on the Internet black market, businesses can determine when an employee may have been compromised without needing any input from the employee. Businesses can then alert the employee that their device has been compromised and ask them to update their logins and passwords.

On Generation X

Workers in Generation X have an approach to security surprisingly similar to that of millennials. That is to say, they take a somewhat laissez-faire approach when it comes to BYOD security. A 2014 survey by security group Fortinet found around 40 percent of Generation X and millennial respondents said they never change their passwords on devices except when prompted to do so. Forty percent of both groups say they use the same passwords across multiple websites. One area where Generation X had a slightly poorer showing than millennials was mobile security. About half of Generation Xers polled by Fortinet locked their mobile devices, compared to 63 percent of millennials.

These survey results underscore the importance of having a BYOD policy that clearly spells out even the most basic security rules and makes them mandatory, for example:

  • Require your employees to update their device passwords every three months, or provide some sort of two-factor authentication method that will mitigate data loss in the event of a lost device or breach.
  • Require that employees use a PIN code for any mobile device that hosts company information.
  • Require that employees report any lost or stolen devices ASAP.

On Baby Boomers

It is no surprise that baby boomers are the least technologically savvy of the group. While millennials were born with a cell phone in their hands, baby boomers were born before cell phones, tablets and PCs—some were even born before the advent of color TV. A recent Gartner study found that 61 percent of 65+ year olds still use a basic cell phone compared to 24 percent of 18 to 29 year olds. Similarly, 59 percent of the older group use a desktop PC compared to 41 percent of the younger group. Most baby boomers in the work force have the technical expertise to work on their own devices but may not have the know-how to keep them secure.

With this in mind, a good BYOD policy has an ongoing emphasis on education, training and communication. It should never be assumed that your employees understand all the guidelines spelled out in your policy. Give them easy access to staff members that can explain the policy and help with any technology implementation. Keeping an open line of communication will ensure that employees have access to the technical support they need. It will also give IT the ability to quickly communicate new and emerging threats that employees should watch out for.

A Good BYOD Policy Is Never Done

A BYOD policy should never be considered complete. Security threats are constantly evolving and a good BYOD policy should be frequently updated to keep up with these threats as well as employee habits. An understanding of the strengths and limitations of your employees and their different ways of approaching security should make this process much easier as well as create a collaborative environment to implement new BYOD security measures.

Joe Ross is the president and co-founder of CSID.

