The days of IT Departments being the driving force behind technology are starting to fade as employees look to trade old work-issued devices and obtain the latest in cutting edge technology such as MacBooks and iPhones. At first glance, it seems like a good idea for employers to allow their employees the flexibility to work when and where they want, thereby acknowledging the value of the ability to work remotely and on the go. However, there are risks involved.
A new Trend: 'consumerization' of new technology
Two of the most common approaches contemplated by employers when developing Mobile Device Management ("MDM") policies are Bring Your Own Device ("BYOD") and Company Owned, Personally Enabled ("COPE") plans.
With BYOD, a separate, secure area for work data and activity is created on an employee’s personal device. In COPE, a separate area for personal data and activity is created on an employee’s otherwise securely protected work device. These are the concepts at the heart of MDM policies and there are advantages and disadvantages with both concepts.
BYOD - Bring Your Own Device
BYOD generally shifts cost to the user. With the worker paying for most, if not all the costs of the hardware, employers are able to save a lot of money. Another significant benefit with BYOD is that it gives workers satisfaction to use their own device. Workers would rather use the devices they choose than be stuck with laptops and mobile devices that are selected and issued by their IT department. Lastly, the devices employees purchase seem to be more cutting edge, so the organization gets the benefit of the latest technological advances, features, and capabilities.
However, there are concerns with BYOD. If an organization embraces BYOD, it loses much of the control over the IT hardware and how it is used. Employer-issued devices usually come with an acceptable use policy, and are protected by company-issued security that is managed and updated by the IT department. Telling an employee what is, or is not, an acceptable use of his or her own laptop or smartphone can be a thorny issue.
COPE - Company Owned, Personally Enabled
In COPE the employer owns the devices and provides the cellular plan. The employer allows the employee to install the apps, music, video, and to use the “nonwork” portion of the device for personal purposes. Additionally, the organization usually provides a pre-determined selection of devices, which can make life easier for the IT department.
However, there are many questions raised by the COPE approach. For instance, how do you charge employees for personal use on company devices. What happens to an employee's personal data when he or she leaves the company? How do the company's technology-use policies apply to the personal use of the employee? How do companies distinguish between personal and work use?
What's the solution?
Unfortunately, there is no one size fits all MDM solution for any organization. There are risks and costs that must be assessed when implementing the policy. When making decisions regarding a solution, be it BYOD or COPE, employers should create a clearly defined policy that outlines rules of engagement and identifies expectations. At a minimum, employers should:
- Enable employees to work as flexibly as possible with their devices;
- Minimize access to sensitive data without strict password and encryption controls in place;
- Be able to quickly block access or wipe data from a lost or stolen device;
- Mandate company-sanctioned security tools as a condition for allowing personal devices to connect to company data and network resources; and
- Have a policy in place that governs how data is retrieved from the personal laptop or smartphone.
An employer's Mobile Device Management Policy should accommodate the daily changes and advancements in technology while fully protecting an employer's business interests and needs. A well designed policy should allow seamless implementation of either the BYOD or COPE approach, regardless of the device or its platform.