2.) TAKE CONTROL
Once we own the things, then it’s time to start getting the data we need to manage them effectively. There are any number of good telecom expense management (TEM) programs that can help with the task of analyzing cellular expenditures, and lots of consulting firms that can help you get a handle on your wireless spending. You might need a two-phase plan where you first reduce the number of cellular carriers you’re using. Focus on carriers who can provide the type of computerized billing you will need to do a meaningful analysis.
Based on this analysis, you may be amazed to find how much your company is spending on downloadable ring tones. Take a good look at data overages, particularly if all you thought you were paying for was Blackberry-based business email. Along with stanching the bleeding, this exercise will put you in a much stronger position when it comes time to negotiate your next cellular contract. Thanks to computer-based TEM programs, you can now deal with more granular calling information (like who called whom and when), so you can start to get a grip on where you might get a break on in-building or employee-to-employee usage.
The first objective of this exercise will be to secure the best cellular contract(s) for your legitimate business cellular usage. Once you have that under control, there are a number of additional strategies you can explore. Many organizations currently use cell phones for in-building mobility; replacing those with WLAN phones (assuming you have deployed a voice-capable WLAN) is a no-brainer. If you have a population of heavy mobile users who split their time on- and off-site, a dual mode fixed-mobile convergence (FMC) solution like one of those from Agito or DiVitas Networks could be an option.
While you’re at it, take a look at any other wireless solutions you’re using. That might include licensed or unlicensed point-to-point systems, push-to-talk radio, and other specialized systems. In the end there may or may not be a way to incorporate them in an integrated solution, but you don’t know unless you look.
3.) DEVELOP A MOBILITY POLICY
Normally I would put the policy recommendation first, but as enterprises are often hemorrhaging losses in the wireless area, you can probably start focusing on getting the house in order before the mobile usage policy is fully defined.
That policy should start with an overall description of the role of wireless communications and a clear statement of acceptable use. It should also identify who owns the phone (the company), and the purposes for which it can be used. That policy may allow a user to port their personal number to that phone when they join the company, but if they do, that personal number should never be made known to business contacts. Most IP PBX vendors have solutions that will route all incoming and outgoing mobile calls through the PBX, thereby hiding the cellular number.
The policy should look to provide users with the tools they need to do their jobs effectively while curtailing unnecessary expenses. The starting point will be to define who needs wireless access, what services they need to do their jobs, and how that can best be provided. That means you start at the bottom, and work your way up to what is required for each job category that entails mobility. It is important to pilot test those planned wireless solutions to ensure that they really do work. A low-cost solution can wind up costing a lot more if it impacts the user’s efficiency.
Once you have a handle on what you need, you can begin to negotiate with your cellular carriers in a meaningful way. You should look to prohibit consumer frivolities like downloadable ringers, pictures, music, and the like. Given the outrageous roaming charges involved, international is always a big target; the carriers don’t bother doing much about these because they feel they can simply blame it on the other carrier. Of course if you have European users visiting the U.S. and U.S. users visiting Europe, you’re getting hit coming and going!
The primary strategy we are using to reduce those international roaming charges today is mandating the use of IP-based softphones on international trips. Whenever possible, have the user connect their laptop to a broadband Internet connection and use the softphone client to place their calls. If you are using dual mode Wi-Fi/cellular handsets, look into the possibility of having them operate over the local office’s Wi-Fi network when the user is visiting a company location, or through public hot spots if that can be done securely.
Mobile security must also be a key element of the policy, and once again, there should be real penalties for non-compliance (e.g. first infraction you lose it for a week, next infraction you lose it for a month, third infraction and it’s your job). The need for a strong mobile security policy stems from the fact that a growing percentage of those business cell phones are smart phones or PDAs. These computer-based devices have considerable storage capacity, operating systems that may be vulnerable to viruses and malware, and will typically have multiple communications interfaces (e.g. Wi-Fi, 3G, Bluetooth, IrDA, etc.) to serve as entrance vectors. You can also include the synching process as a two-way entrance vector to pass malware back and forth between the mobile device and the user’s PC; the first Windows cross-over virus that could pass between a mobile device and a desktop was described in 2005.
While mobile malware gets a lot of coverage, the most typical exposure is bad user practices. The typical scenario is simply losing a mobile device that does not have basic security mechanisms such as power-on password and on-board file encryption. Mobile devices have slipped under the security radar for too long, and that’s an accident waiting to happen.
Finally, the mobility policy should also protect the organization from liability. If an employee is involved in an accident while talking on a company phone and driving a car on company business, there is no doubt that the liability lawyers will be coming after the company. As an attorney, Martha Buyer prefers that the mobile devices not be owned by the company at all. Unfortunately, that approach conflicts with our security objectives. Ms. Buyer recommends that if the company is going to own the mobile device, every employee should be made to sign a document confirming they understand and will adhere to the company’s no-exceptions policy banning cell phone and mobile data use while driving. That agreement should also specify that the user understands the penalties for non-compliance, and that in extreme cases this could lead to termination.
A mobile policy with this level of enforcement calls for strong management commitment. However, the issues are serious, and along with the obvious danger to the employee, the company’s potential liability could be tens of millions of dollars. In the meantime, we may want to define an additional presence status called "driving," which means "leave me alone!"
