Plan for--Don't Inherit--BYOD

Editor's Note: This article was co-authored by Angela Wyantis, founder and President of AHF Communications, a vendor neutral consulting firm in Charlotte, NC; and Wayne Shumate, Senior Consultant for AHF Communications.

Most enterprises are considering whether or not to implement policies and procedures for employee-owned mobile devices (i.e., bring-your-own-device or BYOD) to provide access to enterprise information resources. This has been stimulated by an ever-growing number of employees who wish to use personal smartphones, tablets, and other mobile devices, even their cars, for business purposes. The enterprise has to gain control of BYOD or risk business anarchy that affects the enterprise's productivity, security, privacy, regulatory compliance, and reputation.

Creating BYOD policy and enforcing it can be a headache for IT. There are several possible BYOD situations to consider:

* The employee uses their mobile device on and off the enterprise network but does not inform the enterprise IT staff of its use. In this situation, the enterprise cannot enter the employee's device in a Mobile Device Management (MDM) system and has no control over its use except to block access. There is no enterprise compensation for the employee owned device.

* The employee mobile device is entered into the MDM but no policy exists or is enforced. There is no compensation for the employee owned device.

* The enterprise does control the employee-owned device's access to enterprise resources and has it included in the MDM. There is no compensation for the employee owned device.

* The enterprise does control the employee-owned device's access to enterprise resources, has it included in the MDM and pays a stipend to the employee.

* The enterprise does control the employee-owned device's access to enterprise resources, has it included in the MDM and has a reimbursement policy and procedure for its use.

Most enterprise IT organizations find themselves involved in one or more of these situations depending on the business unit involved.

There are no right or wrong policies. Each enterprise must reach its own decision based on the business benefits, technology requirements, regulatory compliance, security and privacy issues, and employee expectations and benefits. There are 15 recommendations at the end of this paper for the enterprise to implement an effective BYOD plan and policy. A survey form for polling the enterprise users can be found at http://www.ahfcommunications.com/industry-mobile-device-survey-form.

BYOD is Inevitable
The July 2011 IDC survey "2011 Consumerization of IT Study: Closing the Consumerization Gap," sponsored by Unisys, asked IT executives to rate their level of comfort with employees' use of personal devices. These executives recognized that employees are going to use BYOD, and that BYOD can increase morale, improve productivity, and be essential to satisfying business objectives and services. IDC did state that BYOD will increase workload for IT and help desk staff. The survey found that:

* 69% thought tablets, iPads and other devices will be part of the business tools used.
* Unfortunately, 57% thought that IT will have an increased workload when these devices come into use.
* 52% of executives expect that their devices need to be supported.
* 43% thought that a BYOD policy would improve morale.
* 37% thought a BYOD policy would enhance productivity.

Some analysts focus on the BYOD device. But when applications and security software are implemented in the device, the operating system is what matters. One of the impacts on the enterprise is the fact that there are at least five operating systems out there that might need to be supported: Android, Symbian, iOS, RIM and Microsoft.

Know the Risks
The Trend Micro survey results, "Enterprise IT Consumerization Survey June 2011," shown below, list concerns that IT staff have identified for employees' use of personal devices in the workplace. These concerns provide a broad overview of some of the risks faced by IT. They can be used to inform executive staff of the issues that need to be investigated and mitigated in order to allow employees to use their personal devices to access the enterprise network and data resources.


[Figure: IT staff concerns about employees' use of personal devices in the workplace. Source: Trend Micro]

Developing the BYOD Policy
It is interesting to note that almost all organizations allow employees to use mobile devices for business purposes. However, just over 50% of enterprises have indicated they had revised their cell phone policies to include employee-owned devices.

For those enterprises that have already started the transition to employee-owned devices, the following "pain points" can be identified:

* A clear, approved definition of enterprise-owned vs. employee-owned is necessary.
* Better staff communications are needed to describe the change to a BYOD policy.
* It can take longer than expected to get the policy in place.
* The effort needed to work with carriers to keep the same phone number and features for employee-owned devices cannot be ignored.

[Figure omitted; source: Trend Micro]

Setting Standards
Standards are important for all mobile devices, whether enterprise-owned or employee-owned. Almost all organizations have standards for mobile devices. While these devices are mainly enterprise-owned, it is critical for enterprises to develop and publish standards regarding employee-owned devices, operating systems, and levels of support.

Most enterprises do not treat tablets (e.g., iPads) differently than smartphones. Tablet support is less common but is increasing rapidly.

One decision all enterprises face is whether to provide employees with a stipend or reimbursement. About half of enterprises provide either a stipend or reimbursement.

Support
Support for employees using mobile devices has become essential. This support may be provided either by in-house IT staff or through a third-party vendor. The vast majority of enterprises provide support for their enterprise-owned devices. A minority allow employees using personal devices to contact the enterprise help desk or IT department. As enterprises move to more employee-owned devices, they will have to review and evaluate their support procedures and communicate them appropriately to all users.

The use of a Mobile Device Management (MDM) Solution will help enterprises to effectively provision, deploy, and manage multiple platforms. It will be especially needed for enterprises that manage large numbers of mobile devices.

Recommendations
When the enterprise decides to move to an employee-owned mobility model, it should consider the following recommendations, which are based on an assessment of private survey responses, phone interviews, industry research, and telecom experience by AHF Communications.

1. Establish a Mobility Committee.
The Mobility Committee should include key executives, IT and user departments, legal, human resources etc. The Committee will evaluate the benefits and risks of mobility options, develop the corporate mobility policy, set strategic goals, establish action plans, and determine measures for success. The Committee will also need to clearly define "mobile devices" and identify all devices (e.g., smartphones, standard cell phones, iPads and tablets, aircards, laptops, PDAs, USBs, cars, cameras, etc.) that should be included in the policy.

2. Determine the Current Mobility Environment.
A mobility survey (sample is linked above) of employees and department managers should be conducted to provide a broader understanding of the business value and needs of the mobile workforce; define current usage; and provide knowledge of additional benefits not yet identified. IT should evaluate the mobility needs of employees in order to provide a competitive edge and maximize employee retention and morale. IT needs to know their current carriers' contract terms to ensure they maintain commitments until contracts are open for revision. This carrier detail and usage data will help the transition from the corporate plan to an employee’s personal plan.

3. Revise the Current Cell Phone Policy.
The current cell phone policy will probably need to be revised to include all current and future mobile devices, and policies and processes for employee-owned devices. This policy must address privacy issues and the ramifications of noncompliance with corporate policies, and should be reviewed on an annual basis, especially since the mobile device world is changing so rapidly. Employees should be informed that while they are connected to the enterprise data and applications, their personal information, such as SMS, MMS, e-mail and phone records, is all available to the corporate environment. Employees must be made aware of the impact on their personal data if they lose their devices and/or if IT needs to wipe the device or data for security reasons (for example, if the phone is lost or stolen). Employees should be reminded that it is their responsibility to back up their own personal data.

4. Accommodate Users But Protect the Enterprise Network and Data.
Moving to employee-owned devices shows that the enterprise is attempting to meet the needs and expectations of an ever growing number of employees who want to carry only one device, while having access to their enterprise e-mail, calendar, business applications, etc. Employees need to know IT will try as best as possible to accommodate their desire to use personal devices, but must, at all costs, protect the enterprise network and data. IT should manage mobile devices with access to information resources like they do PCs, and must implement similar security, authentication, and protection procedures. IT should separate enterprise data from personal data.

5. Ensure Compliance with Regulations.
Privacy and regulatory decisions must be identified and evaluated for employee-owned devices. For example, will users with their own personal devices be allowed to use camera capabilities while at work? Are there any special regulations or compliance issues that apply? In addition, legal liabilities for employees’ use of cell phones while driving, or IRS changes in regulations for enterprise-owned cell phones, must also be considered. IT should consult the legal department for guidance on what actions to pursue if illegal activity is discovered during audits of employee personal devices and records.

6. Require Employees to Sign User Policy.
All employees, especially those using personal devices, must be required to acknowledge and sign the user policy and procedures before obtaining access to enterprise resources. If an employee does not agree to all terms in the policy, IT must not allow the employee and device to access the enterprise network and data.

7. Centralize Management of Services.
Centralized management of telecom services and support, including wireless technologies, provides the best organizational structure to control costs and continue to maintain an environment where mobility can grow while ensuring secure access to corporate data. Centralizing management provides the focused ownership needed to review policies, network security, job functions, and user requirements as mobile hardware and applications become available. In addition, it is important to continue to manage all associated telecom expenses, even when moving to employee-owned devices.

8. Strengthen Security Policy.
Enterprises should evaluate and probably modify their current security policy and procedures to reflect the risks of employee owned devices. Employee owned devices should be secured with strong passwords and data encryption, and policies enforced that prevent data security breaches. Be sure users with employee-owned devices know that, depending on security, legal, or administrative needs, their devices may be wiped remotely. While every effort should be made to protect personal data on employee-owned devices, users should know there are no guarantees. IT security policies, procedures, and support applications should be evaluated and updated on a regular basis.

9. Develop Corporate Standards for Devices and Platforms.
With an explosion of smartphones, tablets and even devices integrated in cars, it is critical to standardize on the type of employee owned devices, platforms, and operating systems that will be allowed and supported. This is especially true when IT is supporting these with in-house staff and applications. Where appropriate, the enterprise should utilize their existing Mobile Device Management (MDM) solutions that provide full life-cycle support for multi-platform devices.


10. Create User Groups and Policy Standards.
Define and identify which employees, by user group, will be eligible for either enterprise owned or employee owned devices, the type of devices, applications and data allowed, appropriate stipend or reimbursement options, and levels of technical and help desk support. Define what users, devices, and applications will be fully supported by the organization, or perhaps not supported at all. If necessary, review and modify job descriptions, roles, and responsibilities.

11. Determine Payment Options.
For each defined employee user group, identify how IT will fund employee-owned devices, whether by stipend, reimbursement, or not at all. These payment options should include voice and data services costs. Organizations vary in their approach to funding employee owned devices, and there is no magic answer to this dilemma. Many organizations that were surveyed established the amount from their previous corporate plans. Stipends are recommended if expense reduction is the goal. Simple reimbursements limit any control on costs, especially if personal mobile plans are not negotiated appropriately by the employee.

12. Minimize the Impact on IT and Help Desk Staff.
Trying to meet the needs and complexities of many different employee-owned devices and platforms will be very difficult for in-house IT and Help Desk staff. Adding to this challenge is the constant introduction of new smartphones and tablets into the marketplace, certainly at a much greater rate than traditional desktop computers and laptops. Consequently, an already overburdened IT support staff will be asked to do more. To help reduce the number of help desk calls and IT support, a self-service portal could be set up or web resources utilized. Where appropriate, IT should utilize their existing Mobile Device Management solutions that provide comprehensive user support services. The ultimate objective is to improve employee satisfaction, productivity, and support.

13. Develop a Communications and Training Plan.
IT must develop and publish a comprehensive communications and training plan to make sure all affected employees are aware of the new policy, standards, guidelines, and procedures. This plan should be published on a self-service portal or through web resources. In addition, it is important for employees to know the consequences of non-compliance with the new policy. Portals and training resources should be updated on a regular basis as applications, devices, and policies change.

14. Evaluate Mobile Device Management Solutions.
IT should fully utilize the features and capabilities of their existing Mobile Device Management solutions before moving to employee-owned devices. These tools provide an organized approach to implementation, and can manage both corporate-owned and employee-owned devices. Given the significant number of current and possible future devices, IT will be required to manage and use an MDM solution, which will be essential for successful provisioning and deployment, device and application security, and user support.

15. Measure Results.
A critical component of a move to employee owned devices is to measure the results to show that initial goals and objectives have been achieved. Key metrics would include dollars saved, employee satisfaction, and help desk response time.

Implications for the Enterprise
With respect to the industry insights, information, and figures shown above, IT should:

* Study the impact of employee owned devices on its staff in order to provide a high level of service and support for users and devices.

* Standardize on mobile platforms and, more important, use their existing Mobile Device Management solutions to manage the possible multi-platform environment.

* Identify and evaluate all risks associated with employees’ use of personal devices to include network, data, security, privacy, business, compliance, and legal.

Executives, IT staff, and department employees should be asked to complete the previously mentioned survey form. The results of the survey will provide IT with the knowledge to deal with the growing BYOD situation.