BYOD Policy From the Top Down
The drive for greater BYOD security starts at the top. Many of the employees are stakeholder partners. As an employment law firm, they've seen the blunders other companies have made. They understood the dangers having some 50 attorneys carrying phones with access to client documents but no passcode protection or wipe capabilities.
"If we end up on the front of the Fresno Bee because an attorney left his phone at the bar... the damage to your reputation could literally be millions of dollars," Adcock says.
The first iteration of the BYOD policy emphasizes passcode and wipe. It requires passcodes with a minimum of five digits every five minutes of screen inactivity, along with the capability to fully wipe a lost or stolen device and to selectively wipe devices when attorneys leave the firm. The latter only affects Active Sync accounts for corporate contacts, email and calendar.
Adcock knows that BYOD can't start out heavy-handed. "You can go a little deeper once they're comfortable with it," he says. "But if you put all 10 policies on at once, then they're going to fight back and call you Big Brother your whole life."
Upcoming requirements for BYOD user policy 2.0 will include measures such as making sure attorneys have updated anti-virus software. Corporate documents aren't allowed on BYOD phones and tablets but often make their way onto them, and so new requirements will block attachments from being saved.
Dowling Aaron does not track GPS locations nor read personal texts and emails. Adcock does little data collection and auditing even though the mobile device management software he uses, AirWatch, is capable of delivering a wealth of information. He will monitor device memory and advise attorneys when they're nearing thresholds.
That's pretty hands-off, but it didn't stop the "Big Brother" catcalls.
Par for the Compliance Course
Adcock has had his share of run-ins with noncompliant attorneys. One attorney, for instance, is an avid golfer and uses a GPS-enabled mobile golfing app that bogs down due to the five-minute screen inactivity requirement. The attorney regularly turns off the passcode, which invokes an automatic compliance warning from AirWatch to Adcock.
"I'll tell him, 'Let me guess, you're golfing again, just make sure you put it back on so we get the compliance back to 100 percent,'" Adcock says.
Other times, Adcock has had to take more drastic actions, even one aimed at a partner in the law firm. The attorney was sharing his iPad with his family, and they kept taking off the passcode. Adcock sent a friendly email reminder. On the next failed compliance check, Adcock had to selectively wipe the iPad per the BYOD policy.
Top management compelled the attorney to comply with the BYOD policy in the future.
"Luckily, the other board members are all playing ball," Adcock says. "We practice what we preach, because we know it's best practices."
Sign up for CIO Asia eNewsletters.