Best Practices For BYOD

By Brian Albright, Field Technologies magazine

While BYOD can save money, an improperly designed policy can erode productivity and compromise data security.

Companies and their employees are eager to reap the benefits of “bring your own device” (BYOD) programs, in which employees can use their personal mobile phones or tablets for enterprise applications. Despite the potential cost and benefits, both groups have concerns. While businesses and their IT departments want to maintain security, employees are worried about preserving the convenience they need in order to work with their own mobile device and the privacy they expect for the personal information on the device.

Without a formal program or strategy in place, companies may leave themselves open to security breaches as employees circumvent the existing IT structure and access the corporate network with their own technology. Even companies that aren’t planning to explicitly endorse BYOD should have formal rules on the use of personal mobile devices on the network.

“BYOD is happening whether organizations like it or not,” says Ojas Rege, VP of strategy at MobileIron. “Even companies that don’t have formal BYOD programs have a large number of employees going around IT and using their personal devices for, at minimum, corporate email access. When demand grows, as it has with BYOD, and ownership is not clear, tactics have a tendency to overwhelm strategy. Building a comprehensive BYOD strategy is critical for long-term success.”

Companies have to balance operational convenience with security when developing these plans. “The biggest challenge that BYOD represents in the enterprise is ensuring employee enablement is the primary focus while providing security of data to IT,” says Blake Brannon, senior research engineer at AirWatch. “Joining forces with an enterprise mobility management [EMM] provider offers a streamlined approach to mitigating business risks, while giving employees a variety of device options and maintaining their privacy.”

Is BYOD Right For Your Organization?
When deciding whether or not to adopt a BYOD policy, the most critical considerations are the business usage justification for the devices and whether or not bringing personal devices into the mix will enable employees and create value. Whatever devices are used, they have to help the employees do their jobs faster or better.

For companies in certain industries like healthcare or defense, BYOD may not be an option because of regulatory issues, privacy and security requirements, or the risk of exposing the company to security vulnerabilities. BYOD can also pose problems when it comes to compensating hourly employees — if they access the corporate network during off hours, will you owe them overtime? Different countries also have different rules regarding employee privacy that may make BYOD impractical for certain regional offices.

Cost is another key consideration during the evaluation process. Crunch the numbers to see if reimbursing employees for their devices or airtime will save the company money. How much will you save by avoiding the cost of buying new mobile devices every 24 months? How broad a mix of devices will you need to support, and what affect will that have on your help desk?

The size of the workforce and type of application involved will also influence this decision. For corporate road warriors that are migrating off the BlackBerry platform, BYOD can provide a cost-effective option. “Most BlackBerry devices were corporate-owned, but if fast replacement is essential, many IT organizations will not have the capital budgets to buy 10,000-plus new smartphones immediately,” Rege says. “BYOD can help accelerate the rollout.”

BYOD programs also typically require a robust mobile device management (MDM) or EMM software solution to help IT monitor devices, deploy and update application software, and manage security issues. “Seek out EMM vendors who not only provide back end solutions to address security and management of devices, but also provide professional services for projects like BYOD programs,” says Paul DePond, VP of business development at GLOBO PLC.

Making The Plunge Into BYOD: Next Steps
If you decide to move forward with a BYOD program, create a project team that includes members from the various affected departments to help determine if you should fully launch with BYOD or potentially adopt a hybrid policy that uses a mix of personally and company-owned devices or a “corporate-owned, personally enabled” (COPE) strategy.

Survey employees to find out what devices already exist among the user population. In many BYOD deployments, employees take care of their own wireless plan and are reimbursed using a monthly stipend or some other method. Make sure this will work in your company. Also evaluate the potential loss of group rate bargaining power with the wireless carriers if you shift to a BYOD program.

Assess your risk tolerance when it comes to mobile devices. “A risk tolerance assessment will help identify special areas of concern or focus for your organization,” Rege says. “It will also give you a good idea of your company’s tolerance for employee flexibility, range of devices, IT involvement, and security policies.”

You will need to set some boundaries on what devices, operating systems, and applications will be supported. Those boundaries should be flexible enough to accommodate future device requirements.

“You also have to discuss potential end-user issues,” DePond says. “Who is responsible for replacement when a BYOD end user loses or breaks their device? What happens if the end users cannot afford to replace their device? Who will negotiate with a wireless carrier in the event the company has to replace the end user’s device?”

Define usage policies and help desk policies for BYOD devices, and determine how the organization will limit functionality of a personally owned device to businessfocused usage during working hours, while loosening that control during nonworking hours.

If there will be multiple operating systems in play, make sure your applications can support those platforms and also preserve the native-user experience for each device. “If your BYOD program compromises the employee’s personal experience on the device, it will fail,” Rege says. “For example, employees won’t adopt the program if they are forced to use a third-party email app, if certain apps are shut off, if their battery keeps draining, or if passwords are too complicated to type. If the BYOD program is too restrictive or lacks support for the right devices and apps, participation will drop, and you will waste time, money, and employee goodwill.”

Establish accountability within the program; IT cannot drive the entire policy. Human resources, for example, should be involved in determining who can participate in the BYOD program, while the business unit should manage enforcement of policies among employees.

“Leadership should stress the benefits of BYOD [flexibility, convenience, freedom to choose your own device] to increase employee adoption,” Brannon says. “An organization should invest in the communication and promotion of their internal BYOD program. Employees will need guidance to help them decide whether to participate and what kind of device to use. IT should provide detailed information and documentation clearly outlining their rights, the responsibilities that come with bringing a personally owned device into the workplace, and the rights of the organization.”

Make sure your policies fit within the regulatory framework governing your industry and geographic region. There are privacy laws in different regions of the world governing the distinction between public and private data and rules for device tracking. Some industries, like healthcare, require encryption for email and file transfers.

Set usage expectations for employees, and make sure security systems are in place that include granular detail for all BYOD device end users. If possible, separate corporate and private information as much as you can on the device. Some MDM/EMM solutions provide this type of functionality, as do some mobile device vendors.

MDM/EMM tools have expanded beyond basic device management and now offer a lot of tools that can aid a BYOD deployment. Look for solutions that can provide selective data wipe, enterprise-specific data monitoring, secure email management, BYOD device designations, certificates to authenticate users without reentering passwords, multi-OS support, data loss prevention, and app tunneling that allows users to securely tunnel enterprise data from only enterprise apps on the device.

Reaping The BYOD Benefits
Just because you’ve launched a BYOD program doesn’t mean you’ll automatically see cost or labor savings. Put a structured program in place to measure the benefits you are receiving, and allow employees to provide feedback. Don’t assume that simply providing BYOD as a cost savings measure will fully justify the implementation of the program. Keep track of hardware savings, overage charges, the cost of service plans, productivity gains, and help desk costs.

If there are changes to the policy, make those transparent to end users so they can take advantage of new ways to utilize their devices during the workday. “Constantly explore new applications, functionality, access to new areas of corporate messaging/data infrastructure, and process automation that integrates with these mobile devices,” DePond says.

Make sure user policies are well-defined and thought out and that all employees are aware of their rights and responsibilities. “By providing transparency on legal and privacy issues, outlining terms for content and app management, and differentiating between personal and corporate data, workers can make an informed decision and know exactly what they are signing themselves [and their devices] up for,” Brannon says. “Transparency between employer and employee will also help drive BYOD adoption by shifting the tone of the conversation from one of corporate management to employee empowerment.”

Avoid changing the culture of the company just to fit a BYOD policy. These programs may bring new and more stringent security controls and systems into the workplace that can negatively effect employee/management relations as well as employee productivity.

“A sustainable BYOD program starts with user experience,” Rege says. “If BYOD policies are overly restrictive, lack adequate support for employees’ preferred devices, or are too complex and confusing, employees will either circumvent the policies or end their participation altogether. While cost and security concerns are important issues to manage, BYOD program sustainability depends completely on delivering a consistently positive user experience over the long haul.”