By Troy Fulton, Director, Product Marketing, Tangoe
According to Forrester Research, 23 percent of Bring Your Own Device (BYOD) workers claim their mobile device is not IT approved. With the number of devices moving in and out of organizations and the potential security risks at stake, all devices on an employer’s network should be approved by IT before gaining access to corporate e-mail and/or IT infrastructure. While mobile devices can help employees and companies increase productivity, they also can be disruptive to an entire enterprise. These risks can be eliminated by implementing a mobile device management policy and establishing a mobile monitoring service, but it’s important to know where to begin.
HR’s main priority is to protect the company’s IT data and infrastructure, and mobile devices are an extension of the organization and its valuable data. As such, it has become a part of HR’s job to implement tools that improve employee productivity and, as of late, these tools have included mobile devices and tablets. And while the increased productivity and even the perks around mobile expense reimbursement have been beneficial, HR needs to play an active role in creating terms and conditions for employees using these devices to ensure there is a clear understanding of how the mobile devices are to be used. These acceptable use policies must balance corporate culture, common sense, and business objectives, and limit potential risks to the enterprise. To be effective, it’s important that HR and IT are seated together at the mobility strategy table. Doing so ensures that the IT department, which is procuring, provisioning, and enforcing policies for these devices and managing enterprise mobility risks, is mindful of HR’s goals of improving employee productivity and satisfaction levels.
Creating a Plan
The first step to managing mobile devices in a company is to create a plan. To be effective, HR and IT departments need to join forces to understand what functions are required of a mobile device for an employee to work efficiently, what they want their employees to use their devices for, and what device applications support these goals. Applications that can be distracting or pose a threat to a device or network integrity should be banned from an employee’s mobile devices.
Once there is a general understanding of how employees should use their mobile devices, a mobile device management policy can be established. This policy should include all rules and regulations associated with mobile devices owned by the company and all devices owned by employees that access company data or use the corporate network. Here are some questions to ask while developing the policy:
- Which mobile platforms, and models, can be enrolled for business use?
- What minimum business and security requirements must the device satisfy?
- What applications are required and which are prohibited?
- How will you monitor and enforce these apps?
- Which corporate networks, services, applications, and data are they permitted to access? How will you secure corporate data?
- What rights must the employee grant the employer?
- How will you monitor and control device settings, applications, and data to mitigate business risk?
- Will you allow mobile VPN? If so, which platforms do you trust most or least?
Application Management
With more than 500,000 device applications available in the Apple Store, it’s critical that the mobile device policy clearly addresses application management. Applications can be very dangerous for networks and devices as they can be an entryway for hackers to access private data and can distract employees from their job responsibilities. Application restrictions reduce the risk of an application harming a device or network. One hacked mobile device can be an entry point for malicious activity that can affect the entire organization.
Policy Must-Haves
- Ownership: Establish written policies for multiple scenarios to indicate who is responsible if the device is lost, broken, or stolen. It’s important to outline who will be responsible for the cost of a device if it is lost or stolen. It should be made clear that all employees must report missing devices immediately to allow HR and IT to take the necessary steps to secure the device and its data. The device needs to be remotely wiped to limit the risk of company data being exposed.
- Device Trust Model: Make it clear that devices distributed by the employer are trusted, while BYOD devices have limited trust. IT needs to communicate what devices are allowed access to what company programs—e-mail, VPN, apps, etc.—and if the employer will service the device. Establishing a list of devices at the outset that will not be allowed on the network will help enforce these policies.
- Mobile Software: Choose mobile software packages every employee is required to have loaded and updated on their device. MDM can help define and deploy packages, as well as resolve platform, memory, and application dependencies. Define how deployed packages will be maintained to eliminate user pain or failed updates. Ensure there is secure communication to each device. Lastly, make sure the apps you deploy use the data protection APIs on iOS and, on Android platforms, do not allow other apps to access the native data on the device.
- Device Control: Know your device capabilities to encrypt and protect data, applications, and network access to limit the risk of data being inappropriately accessed or changed. If the device becomes compromised, you need to be able to wipe the device, remove the iOS Exchange Payload (and the certificates for hardware authentication and VPN communication), or block network access points such as Exchange ActiveSync. Schedule over-the-air backup from remote handhelds to a central location by authorized users or administrators. If necessary, maintain an audit trail of corporate data copied to and from mobile devices.
With 78 percent of companies permitting employees to use their personal devices for work-related activities, there is a need to address the risks associated with BYOD. BYOD devices need to be monitored and managed just like company-owned devices. These devices also can be harmful to an enterprise if they are not monitored correctly.
For mobile devices to be useful for employees while not introducing unnecessary costs and risks to the enterprise, HR and IT need to work together to develop a mobile device management policy that clearly outlines the regulations associated with BYOD so that employees understand the risks and restrictions. Additionally, this policy must be enforced. With so many employees using a variety of mobile devices, and even more new technologies on the horizon, IT and HR representatives need to work in concert to enable employee productivity without introducing unnecessary risks for the enterprise.
Troy Fulton is director of Product Marketing at Tangoe, a global provider of Communications Lifecycle Management (CLM) software and related services to a range of global enterprises. He is responsible for guiding product concepts and leading the strategy and execution efforts to deliver seamless mobile solutions to enterprise customers. Fulton has more than 25 years of experience in the enterprise technology industry and nearly 10 years of experience in senior management positions with mobile companies such as Nokia and Motorola Mobility. He has launched enterprise solutions on a global level and led the creation of user experiences and product requirements for apps, user interfaces, security, and video and hardware/software on tablets and smartphones.