Since ‘BYOD’ seems unavoidable, organizations should consider some basic steps, which will hopefully help with audit and regulatory requirements: Make the device stateless, or at least keep all the corporate data in a VM, whose configuration is managed. This protects against device theft leading to data loss; Require users to run an anti-malware program, to protect against basic attacks like keyloggers; Require users and IT to collaborate in ensuring that consumer devices meet these requirements; and Absolve IT from supporting the device, beyond basic security validation.