This is the second blog post in a series providing guidance on rolling out and managing a successful Bring-Your-Own-Device (BYOD) program in your organization.
Bring your own device (BYOD)
by itself is not a strategy; it’s a decision on whether or not to support the device of choice of mobile users in your organization. Can your employees use the devices they want to use every day? Check, BYOD achieved. Unfortunately, that is all a BYOD strategy amounts to for many organizations. As you can see it leaves a lot of questions unanswered...
What about mobile apps? Enterprise data? Who pays for what?
Many organizations have decided that allowing BYOD is an effective approach to mobile. The problem is, a BYOD strategy all to often just means putting the onus of being productive via their mobile devices back on the employee. While employees get to choose the device they want, they also choose the applications that will be consuming and storing corporate data. The organization might save money on hardware, but what about service costs, and are these accurate?
Without policies in place, BYOD is essentially a do nothing approach that leaves IT out of the decision process on how corporate data will be used on mobile devices. BYOD enables many IT shops to ignore mobile at the expense of visibility into what their mobile workers really need. BYOD is only one piece of a larger strategy that allows IT to control costs and the use of corporate data on mobile devices.
BYOD POLICY BEST PRACTICES
Beyond security and management, it is important for IT to provide guidance in other areas to avoid employee confusion, reduce help desk inquiries, and reduce costs. The following outlines advice on specific areas that IT should address when rolling out a strategy to support BYOD users.
EXPENSES: WHO’S RESPONSIBLE FOR WHAT?
Organizations need to clearly outline which financial responsibilities will be borne by the company and those that are the responsibility of the employee in the event a device is lost, stolen, or damaged. For BYOD, be sure employees understand that issues with hardware will need to be supported by their mobile operator or device vendor, not IT.
Provide a clear company policy on how much of their service plan is covered. Outline the financial responsibilities of your organization and those of your employees in regards to monthly service fees such as data, text messages, and call time. For international travelers – being upfront about reimbursement policies for international service fees can avoid a fair amount of pain and expense. If you are going to reimburse your employees for service, you may want to explore the user of a telecom expense management service.
RIGHTS AND RESPONSIBILITIES
BYOD is about allowing employees to have a device for work and personal use, so there is an expectation that they will retain ownership rights over their device. However, because of the storage of sensitive corporate data, it is be prudent to require employees to keep their device’s OS updated in order to maintain a minimum level of security. Employees should also be responsible for informing IT in the event their device is lost, stolen, or otherwise compromised. It is also worth addressing the corporate actions that will take place in the case of job abandonment, resignation, or separation.
No BYOD policy should have access to a device owner’s personal data (e.g. private contacts, text messages, photos), as this information should always remain private. With solutions like mobile application management, IT can clearly state that they do not have the ability to view or delete personal data. If you’re thinking about rolling out mobile device management you will need to clearly define the reach of this technology to users and how it can impact their personal use of their device.
As corporate data is pushed or pulled to employee’s devices, even in an BYOD deployment, IT should retain control of that data. This sensitive data on an employee’s device should be managed at the app-level rather than at the device-level. This ensures that the employee’s rights as a device owner are not infringed upon, while at the same time, the enterprise to is able to manage all sensitive information by updating, modifying, or even deleting corporate data from mobile enterprise applications using mobile application management.
DEVICES: WHICH ARE SUPPORTED?
For sophisticated mobile strategies, you may need to define the devices that you will support. This decision depends on the types of apps that you provide for your employees. Corporate applications may not support every device out there, so be sure to clearly state the devices and operating systems that your apps will run on. It will be helpful to institute an approval process for new or updated devices that enter the market.
Depending on your tolerance for risk you may or may not support rooted or jailbroken devices. Such devices can be more susceptible to malware and. many organizations choose not to support them as they can introduce additional security concerns into the enterprise.
After developing a BYOD policy, ensure that all parties involved – BYOD employees and contractors, executive-level staff, IT – fully comprehend each component. Communication is key, so hold information and training sessions to explain and clarify your BYOD policy. Keep a forum open for BYOD employees to ask questions or raise concerns, and have them sign the policy once they’ve gone over it. In addition to addressing cost and liability concerns, having a meaningful BYOD policy in place means that all parties involved are on the same page, thus enabling your organization to gain more from its BYOD efforts.
In our next post
we will address BYOD security, sharing an approach to supporting employee devices that keeps corporate data secure without intruding on employees' personal data.