What issues should be in a company smart phone policy? There are a lot of different options for restriction or permissiveness, depending on the company and its culture. If we run down all the possibilities (at least the ones we have thought of so far; there are always more), you can use the list to check or build your own company policy.
Is company business permitted on personal phones, and vice versa? This is the most important bit of information in your policy. It determines how much effort you can expend in other areas, and how expensive they’ll be, or how much risk you’ll accept. If you try a half-way approach, the end result is the same as if you openly permit mixing. If you fail to address it, you have accepted the inevitable, so you might as well document it as such. Company business on personal phones and personal business on company phones is no simple issue.
Allowing personal business on company lines means your security personnel can monitor it, or should. You’re monitoring all company assets for anomalous behavior, right? Hackers are into phones these days. You’d be a fool if you weren’t at least checking them once in a while, like we used to check PCs for viruses once a week. However, most employees don’t like knowing their personal calls are monitored. Plus, since any company property can become legal evidence, anything done on that phone can potentially come out in court. We all like to think our private calls to that certain number are private and unknown to others, but if it’s a corporate phone, it had better be known, or one day it may turn into a courtroom surprise. Express your intent to have phones used in a professional manner for business use only, to reduce the likelihood of courtroom embarrassment.
Permitting work on personal phones is worse in one way, which we’ve discussed previously, so we’ll zip through it here: your personal phone gets impounded as evidence, and no, you can’t back it up before we take it.
Specifically differentiate between business and personal use, what is acceptable, and in what quantity. The easiest way is to specifically restrict use, even if it’s realistically impossible; at least you’re trying. Failure to address it at all, however, means you implicitly accept it, which means you might as well document it so management understands what risk they are accepting.
Be specific, if you can, about what behaviors, frequencies, and durations of behavior are acceptable if you are permitting personal or business use. If you can’t be specific, you are assuming anything goes. At least try to limit it with a stock “professional behavior” phrase or similar.
Does your policy cover all the features of current phones (cameras, SMS, etc.), or just talk about a couple of issues? It needs to cover everything, plus contain extension language so that when people figure out how to do new things with phones you don’t end up having to rewrite the policy. Who knew ten years ago we’d finally be doing all the things today they told us about 40 years ago?
Discuss why you are restricting use. People are a lot more likely to follow a policy they understand than one they think is draconian and absurd. Don’t wait to educate them until you’re coming to get their phones for a legal case.
Discuss who it applies to. If you’re treating the executives differently than the staff, better mention it, or it could cause problems. Treating everyone exactly the same makes things easier unless you’re the person explaining it to the C levels.
Define the terms you use that could be misunderstood, perhaps deliberately, or what could be termed “weasel” words. When you say “personal use and business use”, what do you mean? When you say “off hours”, do you mean the same time for all shifts or different times? Don’t say “disciplined” when you mean terminated. Weasel words.
Define any exceptions, in general terms if necessary. “You are allowed to use the company phone to make emergency calls, where emergency means a life-and-death situation.” Why someone would need that laid out for them is a mystery, but you know if you leave it out, someone will get sued after somebody lets someone die because they couldn’t make a personal call on a company phone. Read a spray paint warning label if you doubt it.
Particularly vulgar misuse should be defined and the resulting disciplinary and legal steps laid out to discourage straying from the expected path. “If you take pictures of guests without permission and post them on the Internet or sell them to someone you will be fired and charges filed with the appropriate criminal authority.”
Make sure to cross link to your social networking policy, since many people take pictures just to upload them to their site and share with friends.
Can personal or business devices connect to business or personal networks? In other words, are you going to trust that the mail-room guy’s phone is clean enough to let it access your corporate network? This is the second most important issue, and it leads directly to complexity and cost.
Will you, for example, attempt to isolate personal phones from the main network? If you do a good job, it’s going to cost. If you don’t do a good job, you increase risk. Mention it to management and see if they’re comfortable with it.
Will you permit work devices to surf on any old network and then return to the fold bearing who knows what sort of infection? If you do a good job, it costs you, if not, it increases risk.
Related policies reminder. Remind users that other policies may still apply depending on where and how the device is used. So while that smart phone may be great for surfing porn in their basement, because it’s a work device, it’s still not permitted. Oh, and you can see them in the logs you’re monitoring.
Finally, damage. If they drop their work phone at home, or their home phone at work, who’s paying and under what circumstances? If they lose the phone on a subway, who’s paying to replace it? Some employees will flush phones down the toilet repeatedly, it’s just in their nature. Who’s paying? And if you have someone losing phones, have plans for dealing with it.
Very importantly, have a hard policy regarding how quickly a loss must be reported and to whom. Many people will wait to report a loss until they get the new device or the loss personally inconveniences them. Meanwhile, the lost phone has been in the hands of bad guys for days or weeks.
Put a reward sticker on the phone. It might result in the return of several valuable phones that would otherwise end up in pawn shops. A few cents per phone versus hundreds of dollars for a single loss makes it worthwhile.
Security, alluded to above, is the cost that makes any risk bearable. What will you do, or be able to do, if a phone containing potentially sensitive business information is lost, or if personal information is exposed on company networks? There are a few facets to phone security issues.
Loss. Whether the device is business or personal property, if company information may be present on it, the device should:
- Be locked with a code of some sort, to prevent immediate use. Also, activate this lock after a period of inactivity, like a screen-saver on a PC.
- Be encrypted, to resist stronger efforts at compromise, such as corporate espionage or other subversive reasons.
- Be remotely wipeable, to allow for a positive acknowledgement that a device is completely safe. This is critical for assets storing very sensitive data, but won’t always be possible, especially in cases involving corporate espionage, since a deliberate thief can keep the device off the network so the wipe command never arrives; in those cases strong encryption is an additional requirement. Note that remote wiping of a personally owned device can create additional liabilities, the most obvious being: what if it’s done accidentally? Likewise, with a business device, a sales person could lose valuable scheduling data that hasn’t synchronized with HQ yet, costing them sales. Address these and other risks by having users sign an agreement and understanding of how phones are protected, specifying what they can do to avoid complications, as well as the company’s refusal to accept any liability. Place the onus on them to care for data that is important to them.
Integrity of the device: anti-virus, anti-tampering. Companies concerned about data leaks must weigh the risk of device compromise through malicious software and employ appropriate measures. Anti-virus is available for phones, as is anti-tampering software that performs an integrity check on the program portions of phone memory. This plays directly into whether or not you permit untested third-party applications to be installed on devices. If it’s a personal device, you don’t have much choice, so factor that into any decisions: such phones will leak data like a sieve. Business phones can be much more locked down, but you’ll need a process whereby new apps can be requested and tested.
Disable unnecessary services, just like with a computer. If you can avoid Bluetooth, do so. Same with Wi-Fi, but if you can’t, take appropriate mitigating steps.
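As an added example (not from the original article), here is a Python check that turns the loss-related controls above (passcode and inactivity lock, encryption, remote-wipe enrollment, Bluetooth disabled on company devices) plus the prompt-loss-reporting rule from the earlier section into a compliance audit over a constructed device inventory. The Device fields, the thresholds and the sample records are assumptions made for illustration; a real MDM export will use its own schema.

```python
"""Audit a smartphone inventory against the policy controls discussed above.

Added example, not part of the original article. Field names, thresholds and
sample records are constructed for illustration, not taken from any real MDM.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Policy thresholds: assumptions for this example, not values from the article.
MAX_AUTOLOCK_MINUTES = 5     # inactivity lock, like a PC screen saver
MAX_LOSS_REPORT_HOURS = 24   # how fast a loss must be reported to security
MAX_CHECKIN_DAYS = 7         # a silent device may be lost or tampered with


@dataclass
class Device:
    device_id: str
    owner: str
    company_owned: bool
    passcode_set: bool
    autolock_minutes: Optional[int]          # None = never locks on inactivity
    encrypted: bool
    remote_wipe_enrolled: bool
    bluetooth_enabled: bool
    last_checkin: datetime
    lost_at: Optional[datetime] = None       # when the user says it went missing
    reported_at: Optional[datetime] = None   # when they actually told security


def check_device(d: Device, now: datetime) -> list[str]:
    """Return the policy findings for one device (empty list = compliant)."""
    findings = []
    if not d.passcode_set:
        findings.append("no passcode: device is usable immediately if found")
    if d.autolock_minutes is None or d.autolock_minutes > MAX_AUTOLOCK_MINUTES:
        findings.append(f"auto-lock missing or over {MAX_AUTOLOCK_MINUTES} min")
    if not d.encrypted:
        findings.append("storage not encrypted: data recoverable by a determined thief")
    if not d.remote_wipe_enrolled:
        findings.append("not enrolled for remote wipe: cannot positively clear data")
    if d.company_owned and d.bluetooth_enabled:
        findings.append("Bluetooth enabled on company device: disable unless required")
    if now - d.last_checkin > timedelta(days=MAX_CHECKIN_DAYS):
        findings.append(f"no check-in for more than {MAX_CHECKIN_DAYS} days")
    if d.lost_at is not None:
        if d.reported_at is None:
            findings.append("device lost but never reported to security")
        elif d.reported_at - d.lost_at > timedelta(hours=MAX_LOSS_REPORT_HOURS):
            hours = (d.reported_at - d.lost_at).total_seconds() / 3600
            findings.append(f"loss reported {hours:.0f}h after it happened "
                            f"(limit {MAX_LOSS_REPORT_HOURS}h)")
    return findings


def audit(devices: list[Device], now: datetime) -> dict[str, list[str]]:
    """Map device_id -> findings for every device with at least one finding."""
    report = {}
    for d in devices:
        found = check_device(d, now)
        if found:
            report[d.device_id] = found
    return report


# Constructed sample inventory (not real devices or people).
NOW = datetime(2024, 3, 1, 12, 0, tzinfo=timezone.utc)
SAMPLE = [
    # Locked-down executive phone: compliant.
    Device("exec-01", "cfo", True, True, 2, True, True, False,
           NOW - timedelta(hours=3)),
    # Company sales phone: lazy auto-lock, Bluetooth on, silent for 9 days.
    Device("sales-07", "rep", True, True, 30, True, True, True,
           NOW - timedelta(days=9)),
    # Personal phone with company mail: no controls, loss reported 4 days late.
    Device("byod-13", "mailroom", False, False, None, False, False, True,
           NOW - timedelta(days=1),
           lost_at=NOW - timedelta(days=5), reported_at=NOW - timedelta(days=1)),
]

if __name__ == "__main__":
    for dev_id, findings in audit(SAMPLE, NOW).items():
        print(dev_id)
        for f in findings:
            print("  -", f)
```

The check deliberately does not flag Bluetooth on personally owned devices, matching the point above that you have little say over a personal phone's configuration; what you can still do is record that it holds company data and treat its findings as accepted risk.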
If restrictions in use could conflict with emergency contact from relatives, provide contingency contact plans for them. In other words, if you require personal phones to be removed or turned off, provide a way for relatives and emergency contact through other means, such as a paging system or central contact number that can reach the person. Kentucky coal miners, as an example, cannot receive calls down in the mine, so relatives must contact the mine office which will use radios to relay appropriate information.
Legal requirements. Your legal department will likely want a couple of paragraphs in the policy, most notably regarding compliance with local laws and ordinances. Just because the business provides a phone doesn’t mean you can use it in violation of laws such as those prohibiting phone use while driving. The legal department will specifically want that mentioned to avoid liability when an employee breaks that law and ends up in trouble.
That’s a pretty big policy for such little devices.