Every organization needs a mobile device strategy for its employees. With the continuing COVID-19 crisis and the rise of telecommuting, mobile devices in the corporate environment are here to stay. There is no way around it and no way to avoid it. Your organization must develop a clear policy for how employees will use mobile devices to interact with your IT environment. Having no policy is no longer an option, as it exposes your firm to so-called ‘Shadow IT’: users will circumvent your IT infrastructure and e-mail documents over non-sanctioned channels so they can continue to work on their own devices. Granted, a fully implemented mobile device policy may not eliminate these risks entirely, but it will go a long way toward reducing your organization’s overall exposure to a potential data breach. The first step in developing this policy is to answer a not-so-simple question: will your firm issue its own devices to employees or allow them to Bring Their Own Device (BYOD)?
There are two potential mobile device program strategies: BYOD and Corporate Owned Devices (COD). Since every organization is unique, we do not intend to recommend one strategy over the other. Our intent is to examine both policies and help you identify whether one might be a better fit for your organization. Before either program is implemented, your organization will first need to invest in Mobile Device Management (MDM) software. MDM is a crucial element for centrally managing and monitoring any mobile device that interacts with your infrastructure. Your MDM must be in place before any device is allowed access to your network. Let’s now look at the two mobile device policies available, starting with COD.
With COD, your firm issues devices to your employees for corporate use and completely disallows the use of non-corporate devices within your corporate infrastructure. Your firm takes responsibility for the devices’ setup, maintenance, and troubleshooting. While this policy does increase the setup time needed to make an employee fully ‘active’ within your IT environment, it allows complete control over the hardware and associated software permitted within your firewall.
This setup has the advantage of carrying the lower overall security concerns of the two policies. You can choose every feature allowed on the device, right down to personal logons and the specific applications permitted on it. Since your organization owns the devices, they already fall under any established guidelines the firm has for the governance of IT assets, which minimizes or eliminates the need for extra work from your legal department to govern employee behavior.
While COD does allow for increased security and governance, it also carries a higher overall price tag, as your organization will be required to own every part of the mobile devices’ lifecycle, right down to maintaining a relationship with a cell phone provider for the devices’ data services. As a result, the COD approach has the higher cost outlay of the two policies. COD will also place a higher cost on internal IT resources, as they will be called upon to maintain the device inventory, train users where needed, troubleshoot, reclaim devices from departing employees, and repurpose them for the next user, as you would with any other end-user IT asset. This is time your IT department could be dedicating to other activities, so you will have to decide whether to add this responsibility to their overall workload.
BYOD, as the name states, allows your employees to add their own devices to your corporate infrastructure. This approach eliminates many of the costs listed above, such as the outlay needed to procure and maintain devices of your own and the need to maintain data plans for them. However, given the variety of handsets available in today’s market, your organization will have to spend more time setting up the actual policy to ensure a secure environment before rolling it out to your employees.
Beyond setting up the MDM, you will need to decide which devices, operating systems, and configurations you will allow in your BYOD program. For example, you may be willing to admit iPhones and Samsung handsets without additional security enhancements but may require other Android-based handsets to be encrypted before allowing them onto the program. You will have to designate a team to continuously evaluate new handsets as they reach the market and determine what configuration changes might be needed to admit them.
In addition to researching and choosing the allowed-hardware policy, your firm will also have to establish a BYOD onboarding procedure for each device operating system, to be distributed to users once they agree to join the BYOD program. Your IT department will have to assist users in onboarding their devices and will have to continue to troubleshoot issues such as connectivity to corporate services like e-mail. Finally, it will be necessary to establish a legal framework beyond your regular IT policy that defines the parameters within which your company can monitor and administer the personal devices admitted to your BYOD program. Most companies accomplish this by working with their legal department to draw up an agreement, signed by the user, that establishes the company’s right to monitor, administer, and, if need be, completely wipe the device using the MDM.