Is it time to BYOD?
Should you allow employees bring their own device (BYOD) into the enterprise? It's a question that raises many others. Is the business data going to be at risk? Can the business save thousands of dollars per year through not buying devices? Will the employees finally get the latest gadget they want?
The idea of employees using their own equipment at work is not new. Using private vehicles for sales representatives, couriers, and truck drivers has a long history in industry. Likewise enterprise mobility is not new. Companies like Intermec and Motorola have developed fit for purpose mobile devices since the 1970s. What has changed and continues to advance rapidly is the sophistication of consumer mobile devices. These are now more powerful and feature rich than ever before. With the explosion of mobile device technology early adopters immediately brought the latest devices into the workplace. Before the iPad was released in Australia, it was being used in Aussie workplaces to show videos, take notes, and access email. Therefore the big question for enterprises isn't "should we allow BYOD," but "how do we allow BYOD"?
BYOD strategy success factors
If we further explore the analogy of vehicles in the workplace you will see some governing factors that ensure their successful use. Firstly there are situations (dare I say applications) where it may not be appropriate to use a private vehicle. For specialist fields like mining, police, and health or where there is a need for branding a company vehicle may be a better fit. Secondly there are mature policies that outline how a private vehicle can be used. For example bicycle couriers may get a fee per delivery whereas taxi drivers must prepare and service their vehicle following strict guidelines. Another challenge to consider is that employees expect to be able to use their private vehicle in their own time for their own purposes. So what should the Enterprise do to prepare for the BYOD that is already happening? A useful technique is to develop a BYOD strategy that encompasses the requirements, risks, policies, and technology.
Current usage of mobile technology
The first factor to consider is how your enterprise currently uses mobile technology. The most common answers are phone calls, emails and associated attachments, calendar, internet, and map services. These features maybe low risk for most, however consider the specific risk to your enterprise and data. If a phone was found by a competitor what data could they get access to? Could a malicious user release commercially sensitive information or compromise a government regulation?
Increasingly, enterprises already use or are planning to use mobile technology to access the corporate network and back-end systems. These features of mobility warrant a closer review of the requirements and risks. Typically these applications fall into the category of either Web Based or Rich / Native applications. Consider carefully what data and features the mobile applications enable? Could a malicious user download all of the customer data? Some rich mobile applications are akin to the police car in the vehicle analogy and require specific equipment to run properly (eg bar code scanning, a specific Operating System, or utilize a printer). It may help to document each type of user and the features and applications they require.
Managing other risks and factors
While loss of IP and corporate data is of paramount importance there are a range of other factors your enterprise should consider for BYOD including:
• Cost of support – how will you handle problems on BYOD devices?
• Personal data – what if employee data is wiped or accessed?
• Who's paying – for the device, data, calls, and support?
• Short lifespan – with models changing every 6 months what will your upgrade plan be?
• Employees leaving – clean up the Enterprise data?
The right policies for your enterprise
This is a real "horses for courses" question. I've worked with small businesses that love technology and utilize every feature including geo-fencing and remote control of devices for support, but don't require strict regulations on their data. At the other end of the spectrum government regulated industries that only use technology when they have to and every feature needs to be encrypted and locked down. In my opinion sensible polices should protect the Enterprise without hamstringing productivity and innovation.
When you have a good picture of your requirements, data, and risks think about the policies that your enterprise would want to include in relation to mobile devices. These policies may in fact be appropriate for both BYOD and corporate devices. Most Enterprises have an acceptable use policy for their desktops and / or the internet and these may be a good starting point. Don't just consider the technical policies (for example security, authentication, password strength, and data segregation) also think about the commercial (that is who pays for the data, calls, and support).
Managing the mobile fleet
I've seen a number of organizations where the mobile fleet is out of control and monthly fees are paid for dormant SIM cards sitting on a shelf. Consider all the device models, brands, and operating systems that you have out in the field. Do you have a mixture of old and new devices, iPhones for executives and ruggedized devices in the field?
Just because your enterprise will support BYOD doesn't mean it needs support every type of consumer device. Look at the popular consumer device models and consider your enterprise requirements and policies. You can create a whitelist of devices that are suitable.
Supporting tools and solutions
Once you have a handle on the BYOD requirements and policies you may need to consider a toolset like Mobile Device Management (MDM) to assist with the implementation of your strategy. Typical MDM features include:
• Application management
• Asset & lifecycle management
• Authentication, policy & security management.
An MDM can help segregate personal and corporate data, establish a standard operating environment (SOE), and support fleets of devices more easily. However MDMs are reliant on the features provided by the operating system or hardware manufacturer. For example you may be able to remotely view the screen on a Windows mobile device but an Apple device might not support this feature. Likewise some MDM products are offered as a hosted service and others must be installed on your own hardware. Investigate the toolsets; a good starting point is Gartner's magic quadrant for MDM. If you're thinking about IOS a great public resource is the Department of Defense IOS hardening guide.
Employees always want to utilize the best tools and mobile technology is an area that continues to evolve. Be prepared so that your enterprise can cost effectively leverage the benefits of mobility. Develop a BYOD strategy that considers the requirements, risks, policies and technology. Consider that BYOD is happening but may not be suitable for every mobile enterprise need.
BYOD may suit:
• Phone Calls
• Web Based Applications
• Simple Workflow style Applications
• Reporting & Business Intelligence
BYOD may not suit:
• Applications that rely on rich device integration such as RFID, scanning, keyboard, or stylus
• When a specific Operating System or API is required.
• Scenarios where a rugged or IP rated device is needed
• Where the business process is wholly reliant on the device