Best practices for enterprise owned and BYO mobile devices
Mobility and BYOD (Bring Your Own Device) are consumer led and hence evolve outside the IT department's control. At the same time, mobile computing has introduced new ways of working, making it possible for employees to work smarter and faster and to collaborate better. Mobility has also changed how customers interact with your company, through new product and service offerings and real-time access to information. To maximise the benefits mobility can bring to your business, it is essential to map your enterprise sales and delivery processes against how mobile computing can improve them, and then roll out both BYO and enterprise-owned devices.
Key Findings
The use of mobile computing within the enterprise has gained significant momentum in recent times due to the power and increased penetration of smart devices, together with ubiquitous connectivity and the popularity of BYOD (Bring Your Own Device). CxO-level management expectations for employee productivity are higher than ever and no longer take into account location, device or connectivity as inhibitors. Consequently, the need to access professional content from anywhere at any time is not going to relent and will only continue to rise. In this environment it is essential for IT departments to proactively develop a mobility strategy that caters for enterprise-owned and BYO mobile devices. Without a strategy, it is highly likely that employees and business units will develop mobility practices that may put the business at risk. Key components of this strategy should include:
- Use case – the various roles, within your enterprise, that require a mobile device (smartphone, candy bar, tablet and mobile data).
- Mobility resources – the resources and applications (ERP, CRM, e-mail, document management etc.) that will be accessed by mobile users.
- Funding policy – identifying the current mobility costs and future impacts.
- Mobility administration – policies, processes and procedures for the deployment, maintenance and retirement of devices and services, as well as for how employees can use these devices.
Recommendations
To put some consistency behind mobile computing efforts and to govern them effectively, a good starting point for any organisation is to establish its Enterprise Mobility Framework (EMF). This framework would clearly identify the role of mobility in supporting the business objectives and define the role of each device model, from highly secure corporate lockdown (COBO), to Corporate Owned Personal Enabled (COPE), to BYO devices.
Introduction
The influx of personal smartphones, tablets and laptops that connect with and use corporate resources is challenging companies to walk a fine line between channelling the benefits of employees purchasing and using their own mobile devices and making these devices secure and cost-effective enough for the enterprise. The BYOD trend holds immense potential to transform business, enable agility and encourage innovative ways of interacting with customers and business partners. The key is to approach BYOD holistically, responding to employee expectations while fulfilling business requirements for security, compliance and risk mitigation.
Transitioning to a BYOD model should be phased in over time. Organisations need to mitigate security risks, such as inappropriate usage or loss of corporate data and the ensuing financial and legal implications. Establishing effective governance mechanisms to ensure data privacy and security can be challenging when embracing a BYOD philosophy.
Use case
To maximise the benefit of mobility and BYOD, it is essential to define how mobile devices (smartphone, candy bar, tablet and mobile data) are currently used within the business and to define use cases that apply to the current and future ways of working. Examples of "use cases" may include:
- Sales: staff who spend the majority of their time with customers and require access to sales documentation, pricing, configuration tools, delivery/order status (ERP), customer information (CRM) etc.
- Services: staff who spend the majority of their time with customers and require product documentation, availability of spare parts and components etc., and access to workforce management and CRM systems.
- Executive management: requiring access to sensitive documentation such as board papers and strategy documents, and access to HR & ERP systems to approve OPEX and CAPEX.
- Middle management: with access to HR & ERP systems for review and approval, and CRM systems for customer information.
- Mobile users with high overseas travel and access to classified documentation.
- Mobile users with access to email only.
- Occasional travellers with access to email only.
- Contractors.
The above provides typical examples of users in most organisations and is by no means exhaustive.
Mobility resources
The above “use cases” will clearly identify the systems which are being accessed today and may need to be accessed in the future. This will allow the organisation to understand where maximum benefit will be gained from mobilising the workforce, as well as where the security risks are.
Where there is a large benefit to the organisation in providing mobile access to these resources, the information they contain needs to be classified, e.g. open, commercially sensitive or highly classified. In addition, it is necessary to determine how the information is protected: at the source via methods such as DRM, virtual desktop (VDI) or web; at the network interface via Identity and Access Management (IAM); at the device via containers/sandboxing, app wrapping and VPNs; or by a combination of these methods. Protecting the information as much as possible at the source (within IT control) is advisable, as it makes the implementation of BYOD more secure, simpler and more attractive to end users. It also gives a greater choice of device types that can be supported and minimises the impact on the end user's device.
The maturity of the enterprise’s security systems and digital platforms will determine how quickly BYOD can be rolled out to users and the functionality that will be required within the Enterprise Mobility Management (EMM) system.
Funding policy
To maximise the benefits of mobility and reduce cost, it is essential to understand current mobility costs, such as device costs, monthly carrier service fees, separate fixed fees for voice & data, and variable and roaming charges for voice & data. Mapping these costs onto the “use cases” will allow the business to understand the savings that can be achieved. It is also essential to understand both the corporate and personal taxation implications of these expenses.
In addition to the above direct costs, it is also essential to understand indirect costs, such as mobility-related expenses (where an employee may be claiming work-related expenses on their personal mobile service) and licensing costs (per-user fees for enterprise applications).
Thus each “use case” may have one or more of the funding alternatives defined in table 1 and an appropriate funding policy. For example, “Sales” may only have option 1 available, which would be fully funded, while “Executive Management” may have options 2 & 3, which are fully funded, and option 4, which has a stipend of $100 per month.
In developing funding models, it is essential that fixed stipends or allowances are provided and that all expense claims for mobiles are removed.
Mobility administration
With the introduction of BYOD, all policies in relation to mobiles, security, IP and access need to be reviewed and, if not available, developed. No technology solution is 100% effective, thus policies must be in place to cover any unforeseen situations and to clearly articulate to employees their obligations and rights.
Eligibility: Eligibility requirements need to be created, as well as the criteria used to establish eligibility. Role-based restrictions regarding access to certain applications and data should also be clearly stated. Organisations should have a clear process for the approval of personal devices for work purposes.
Acceptable usage: Employees should understand their responsibilities with regard to acceptable use and minimum device connectivity requirements. The policy should encourage employees to prioritise business-related use when they are at work.
Based on the “use case” and device policy, there may be different levels of “acceptable usage” policies.
Device Policy: Comprehensive evaluation criteria need to specify which devices are allowed and how employees will be notified if their devices satisfy those criteria.
Device policy will depend on the EMM and the applications that will be supported for mobile users. Where full access to systems is provided, the choice of device types may be more restrictive, but as access to systems and the security concerns are reduced, a wider range of devices may be made available (see above diagram).
Flexible guidelines need to determine which devices are evaluated on an ongoing basis, particularly as new devices, platforms and operating systems emerge and employee expectations evolve.
A methodology that is as simple as possible is needed to evaluate and certify devices. The policy should provide a list of compliant and preferred vendors for sourcing devices and licensing for core applications.
Compliance and governance: Communicate non-compliance to users and outline the remedial actions they can take to be compliant. Organisations should get executive buy-in for the BYOD policy and involve all related departments, such as HR, finance, legal and operations, in addition to IT.
Ownership and liability: Guidelines must be clarified on who owns the device and the data. These should define liabilities related to loss of corporate data stored on personal devices, as well as the liability the organisation is willing to accept for affecting personal data, due to the management of corporate data and apps.
Benefits: In rolling out BYOD, the benefits in terms of flexibility, taxation and cost should be clearly identified. Users should be enticed to adopt BYOD rather than forced.
Provisioning: Provisioning should, where possible, be automated in terms of application and approval, and should utilise self-help systems. Where possible, take advantage of service providers who provide web-based ordering systems.
Support: BYOD users tend to be tech savvy and will be more inclined to support themselves and help one another. Again, where possible, self-help systems should be used for support, with only 2nd or 3rd level support provided where necessary.
Security: The organisation needs to define its stance on how corporate data will be retrieved and wiped in case of device loss or theft, as well as the rights it reserves for dealing with corporate data and applications. It should outline restrictions on the usage of device features such as cameras, storage and recording functions, and should stipulate the use of anti-virus and anti-malware software and the frequency of updates.
