B, C or H?
Employees continue to bring personal devices into the workplace and access corporate networks, applications and data. While there are gains available in the form of increased staff morale and productivity, the security and compliance risks are causing enterprises to think hard before implementing an own-device policy. And, with a choice of three approaches currently available, they are also asking what level of control and management they need in order to enjoy the benefits.
Bring your own device (BYOD) first appeared as a concept nearly half a decade ago as workers began taking personal smartphones and tablets into the workplace, and the practice has evolved ever since.
BYOD was seen as both a blessing and a curse. It brought benefits to companies, such as more flexible, energized workers who were able to work anywhere on their own mobile devices. But it also raised concerns about dramatically escalating network costs and the security of data on employee devices. Not to mention the whole new approach to technical support to which the IT department would have to adjust.
To minimize risk, organizations need policies that enable choice and improve productivity but do not compromise fiscal or data security needs. In short, they need more control. As Peter Glock, Solutions Director at Orange Business Services, puts it, “The market has moved on rapidly. It’s now much more about a professional versus personal ethos, irrespective of who is actually providing the device.”
In order to exert greater levels of control over their employees’ device use, some organizations have looked to curb BYOD. This has led to the rise of “here’s your own device” (HYOD) and “choose your own device” (CYOD), which are both structured variations on the core BYOD theme.
HYOD is essentially modeled around the traditional way in which companies provided staff with work PCs. The organization provided the worker a computer that was traditionally defined by their job grade and the level of mobility they needed.
The evolution of mobile devices prompted a change in this dynamic. Where previously the IT department controlled laptop configuration and imaging centrally, suddenly the mobile devices allocated by procurement or business units had become fully-fledged computing platforms in their own right.
“We in ICT were a bit slow in treating smartphones and tablets as computing devices – they were still seen simply as phones to begin with,” says Andrew Cross, Marketing Director for Orange Mobile Enterprise. “And once iPhone and Android devices hit the procurement ‘list’ offered by providers, the game really changed.”
HYOD provides a framework for users to both take the devices out of the office and use them for their own personal use. It has proven popular with workers because they don’t have to use their own money for the devices and can, in theory at least, go directly to corporate IT support with any problems.
CYOD is the third option and falls between the “free-for-all” of BYOD and the company-mandated device of HYOD. Essentially, companies create a list of devices from their preferred supplier and the employee can choose from those. There can be qualifiers within the company policy as to which staff members can have what, based on job duties and seniority, but the idea is to provide user choice.
This approach allows IT to limit the range of devices it supports to keep overhead in check. Support is a key factor: the heterogeneous nature of Android devices means that there are more device and OS variants for corporate IT to support. Gartner has said that although Android devices might be the largest consumer device platform with seventy per cent global share, it is Apple’s iOS platform that dominates in the enterprise.
controlling the device
“Within the ‘own-device’ discussion, it is very much about security, but not in the traditional sense,” says Peter Glock. “It’s about management and control. Loss of data and compromises to security are of course part of it, but it’s about IT no longer being in control of the platform and procurement not being in control of the contract. So enterprises are attempting to put controls back on devices they didn’t specify in the first place.”
Companies need to look at two key areas to control the information and cost flows around their own-device programs. Expense management is one area, where mobile workers can risk running up huge data roaming bills if their devices are not properly controlled, while mobile device management (MDM) policies are essential to partitioning devices for business purposes.
“Companies need some control points and also need to be able to audit against those control points. It is about security, but more than that, it’s a control issue, and there’s even psychology involved – IT people don’t like being told by business people that a $0.99 app does the job better than an expensive software development project,” Glock continues.
what is right for my company?
Choosing a device approach depends largely on your type of company and attitude to risk. For example, a young, agile start-up company in a less-regulated industry is probably better suited to BYOD. Conversely, a more traditional, highly-regulated corporate entity, such as a bank or airline, may want the control provided by HYOD.
Most important is to put the right controls in place, irrespective of the device approach you choose. Use tools and processes such as containerization, progressive MDM solutions, firewalled app development, etc. to address regulatory requirements and ensure data security.
“Companies need to solve data compromise issues and potential regulatory challenges before deciding on which own-device approach to take,” says Glock. “We currently work with organizations that have addressed these issues and are now reaping the benefits of an own-device scheme within a structured framework.”
They must also consider human resources and tax implications on a per-country basis before considering which own-device policy is right for a global structure. This means that they need to ignore the platform and device and concentrate on the enterprise apps required to make the company more productive and effective.
Because, as Cross concludes, “It’s the app that’s important, not the platform. Companies need to ask ‘what’s the best way of rolling it out?’ If you only need calendar and email, then ActiveSync does the job, and you just need the platform. But for accessing vital data on a device that can be left in a taxi, you need a different approach. There are potential legal and regulatory requirements that vary on a combined local and global basis.”