Setting sensible policies to cope with consumerisation
BY TIM HARRIS
What began as a trickle of smartphones, tablets and other mobile consumer devices into the workplace has surged to a flood, with no crest in sight. These devices seem to seep through every crack in IT protocols and controls.
But there’s no beating back the tide as employees continue to push, pull and smuggle their own choice of technology into work. Every large organization must face the reality of the situation: accept what is happening and start to lead.
This is the time to stop worrying and start developing policies and practices that will allow you to enjoy the benefits of consumerisation while keeping your network and data secure.
Companies that have not yet addressed this trend may have no idea of the security, liability and compliance risks to which they are being exposed. Yet on the flip side, there are advantages to employee use of their preferred devices: greater productivity, business continuity, and improved talent attraction and retention. While no one policy will fit all organisations, here are some questions you should consider as your organization deals with the rising tide.
Procurement and liability
In setting policy it is important first to segment your workforce to identify different types of users and determine the best ownership model by user type. This involves defining the range of applications employees need access to, from simple Internet browsing and email access to the full corporate environment.
For employees who absolutely need mobile access to corporate applications, or who hold or access sensitive data (such as senior executives, legal staff and others), a model of corporate provision and corporate liability is advisable. This lets you impose the highest levels of corporate security and provides a fast-track route to restore any faulty devices and minimize downtime for key people, by completely wiping a lost or stolen device and rebuilding the replacement.
For occasional mobile users whose main mobile requirement is access to corporate email, a personally owned device with employee liability may be appropriate, as long as it fits with the company’s strategic goals, regulatory requirements and overall mobile policy.
Your organisation’s mobility policy should accommodate both corporate and employee-owned devices, and clearly define ‘acceptable use’. It is good practice to review the policy annually.
Many organisations lack adequate security to protect mobile devices and corporate data: only 50 percent enforce a password policy for mobile devices, according to Forrester, and as many as 21 percent of employees let their family use their work laptop to access the Internet, according to a BT study. A formal, enterprise-wide and process-driven approach is needed, which includes educating users about their responsibilities and the risks of non-compliance with mobile security policy and practice.
Questions to consider include:
• How do users know how to protect their device/data?
• How do we enforce acceptable use?
• How do we secure confidential and sensitive data?
• How do we protect devices?
• How do we prevent downloads of unauthorized apps/illegal downloads?
• How do we support different classes of user?
• What happens when someone leaves the organization?
Cost management and control
Even if employees are bringing their own mobile devices to the workplace, cost issues remain. In fact, spending on mobile services is now greater than landline voice expenditures for most organisations. But simply implementing strong corporate mobility policies and tools that actively reduce usage can typically deliver savings of between five and 20 percent. Third-party telecom expense management services can deliver improvements in mobility strategy that generate savings of up to 30 percent.
Some questions to consider in determining your policy and controlling costs:
• Who pays for hardware and monthly service? The organization? The employee? Is an allowance given to the employee to defray the cost? How is this managed?
• How do you know that users have the right hardware and service for their needs?
• How do you ensure that billing is accurate?
• How do you define reasonable usage?
• How do you separate personal from business usage costs?
Stemming the flood
There is still a lot to learn as we attempt to fathom this new environment. While it’s clear that policies must be established and supported by education and training, a light touch may be advisable at first, as opposed to draconian measures. Build floodgates to regulate the flow, not levees to keep all the water out. In the end, the organization should strive to encourage good practice and aim for user self-management.