BYOD The Right Way
Nov. 18, 2011 (Vol. 32, No. 37)
BYOD is suddenly en vogue and the arguments regarding its benefits are in full swing.
It was only this year that the IRS repealed its rules requiring businesses and users to track personal usage on business devices. No one actually kept the required logs, but it’s a handy milestone to revisit now that the pendulum has swung so far in the opposite direction.
You can’t go to an industry conference, participate in a forum discussion or read an enterprise wireless publication these days without hearing arguments for the “bring your own device” model.
Needless to say, this approach does come with a myriad of potential security, management and support issues, and enterprises are wrestling with the question of whether BYOD should be allowed, and if so, how should it be done so that corporate information assets are protected.
The Case for BYOD: Cost and Functionality
The first question is why would organizations even consider this in the first place. Cost-cutting usually tops the list.
More than anything else, it was the introduction of the Apple iPhone in June 2007 that launched the BYOD movement. The perception of the corporate BlackBerry plummeted when users saw the things a smartphone could do, particularly one with a large touch-sensitive screen.
|
The Genesis of BYOD
In the beginning, there was only the corporate-liable phone.
Corporate policies surrounding the provision of cell phones and other mobile devices were created at the time when mobile phones were still a luxury item.
Initially only key personnel were provided with cell phones, but as time went on prices declined and the definition of “key personnel” was relaxed to the point where whole classes of employees were given corporate-liable phones. What started as a rare business perk swiftly became a status symbol, and the “me too’s” started pouring in.
Then came the smartphone revolution – led primarily by BlackBerry – and that mobile email capability added another $40+ per month to the bill, not to mention the cost of the BlackBerry Enterprise Server (BES) and the people to administer it. With mobile costs escalating in a never-ending spiral and the faltering economy putting a serious dent in IT budgets, CFOs began to question what they could do stop the bleeding.
BYOD presents a compelling solution, especially when users balk at carrying two phones and are increasingly comfortable being their own help desk.
|
Following on the heels of the iPhone was the grab bag of Android-based smartphones and soon users were clamoring for something to replace their BlackBerries.
To some degree, IT departments helped create the BYOD demand. One of the key features of the BlackBerry environment was the administrative capabilities of the Blackberry Enterprise Server (BES) which allowed mobility managers to enforce hundreds of security and policy features on those company provided BlackBerry devices.
As the BlackBerry was seen as a “corporate device,” over-zealous administrators often prohibited users from downloading any of the available BlackBerry applications so that the device was effectively “dumbed-down” to the point that it could only do voice, email and texting on BlackBerry Messenger (BBM).
Many users began carrying a personal iPhone or Android device along with their required corporate-owned BlackBerry. To get all of their emails in one place, the more creative users began forwarding their corporate emails to a personal email address they could access with the iPhone or Android, effectively defeating the very security IT was counting on the BlackBerry to provide.
As users began requesting their companies provide more modern and functional mobile devices – or just permission to dump the BlackBerry and use their personal devices for business – IT went into a justifiable panic. With a little research they quickly found security vulnerabilities in both iPhone and Android and insisted that security could be compromised on those devices.
As the security problems were worked out, first with iPhone and now finally with the new 4.0 release of Android, CFOs and IT directors started to look at the advantages of BYOD. In particular, if the device belonged to the user, the company could ask them to pick up all or part of the cost. Of course, that can get touchy if the company insists that the user have a cell phone and now changes the rules governing who pays for it.
Having revisited the necessity of cell phones for different job categories, a number of companies have taken the position that having remote email access is more of a convenience than a necessity for many positions and are now taking back thousands of company-provided smartphones.
If users want mobile email, these companies will have a list of approved devices and software that must be used to access email and other corporate applications.
How BYOD Can Bite You
The other major cost issue is support. Some organizations have taken the position that if it’s the employee’s own phone, the employee should be responsible for it and not call IT to help resolve problems.
But this is the worst motive for going BYOD. As mobility is one of the most important developments in IT today, it’s hard to imagine why IT professionals would not want to stay engaged with users on it. From the company’s standpoint, having a user blow the better part of a day trying to resolve a problem with this device that helps them do their job more effectively is probably not a good use of their time.
While some IT departments use BYOD as an excuse to abdicate all responsibility for mobile devices, most are starting to figure out how to increase the range of mobile devices employees can use but define policies that ensure corporate information remains secure and that users get the full benefit out of their mobile technology.
IBM recently announced that they have begun a BYOD program that will roll out to 200,000 IBMers by next year, roughly half of IBM’s worldwide work force. Users will be required to install IBM's agent software on their devices for secure access to email and other IBM systems, and while the users will pay for the devices themselves, they will get guidance and technical support from the company. IBM subsequently announced they would begin offering a mobile device security management service for customers supporting Android, BlackBerry, and iOS devices.
5 Tips to Do BYOD Right
BYOD can deliver powerful benefits, if done correctly. Here are five tips to keep you out of trouble:
1. Get Your Ducks in a Row: Before you begin a BYOD program have a plan and a policy in place describing how you will address issues of security, management, reimbursement and support along with user responsibilities. That will include having systems and procedures in place to manage every step of the device lifecycle from adding and deleting users, tracking device inventories, help desk and support, handling lost or stolen devices, converting users to a new device and the rest. If you’re not sure where to begin or what issues to address, The Enterprise Mobility Forum publishes a template for developing a mobility policy. It even provides language to cover the major options.
2. Reach Out: There is no one policy that will be right for all organizations. The requirements will vary based on the type of business (e.g., regulated or unregulated), the sensitivity of the information and the overall management philosophy. As such it is essential to involve other departments in the development of that plan, including human resources (for tax and employee satisfaction issues), legal (for liability and corporate compliance issues) and of course security. The important thing to recognize is that mobile policy issues involved go beyond IT’s purview, so it is key that all relevant departments be brought in on developing the plan.
3. Set Your Boundaries: Identify what device ecosystems (down to the OS version) will be supported and on which devices. That can begin with a survey of user preferences/requests followed by a technical review to ensure that the company’s security and management requirements can be met on those devices. Some organizations have defined two categories of devices where different levels of applications and user support are provided based on the device model the user chooses; this is more of an issue with Android and Windows Phone devices as those are made by a number of different manufacturers.
4. Define and Publish the Rules: This would include the definition of acceptable use, user responsibilities and penalties for non-compliance. Adequately securing corporate information on personal devices might require the installation of a mobile device management client or other software on the user’s device. Further, a strong power-on password will likely be needed. There is also the matter of whether IT should be allowed to see what applications are on the user’s device and what type of data wipe (whole or partial) will be done if the device is lost or if the employee leaves the company. The policy should also specify if the mobile number stays with the company when the employee leaves.
5. Institutionalize: BYOD requires an ongoing management system; it is not a one-time event. You must have procedures for new employees and for employees who leave the company. Further, there will be an ongoing parade of new devices, security concerns, applications, operating system upgrades, and you will need a system to evaluate and certify those new devices and potentially upgrades to your support tools to incorporate them. Finally, the policy itself must be overseen by a defined mobility manager, and should be revisited and possibly modified on a regular basis.
BYOD represents a new paradigm for IT, but the core mission of providing and supporting technologies that help users work better and more efficiently while maintaining management, compliance and security remains unchanged. IT simply has to figure out how to do that in this new environment. 
Michael Finneran is an independent consultant, industry analyst, and writer who focuses on wireless technologies, mobile UC, and fixed-mobile convergence. He wrote the book “Voice Over Wireless LANs - The Complete Guide” (Elsevier, 2008), though his expertise spans the full range of wireless technologies including Wi-Fi, Cellular, WiMAX, and RFID. Contact Michael at mfinneran@dbrnassociates.com. | 
