Considering a BYOD strategy within your organisation? Adam Sivell looks at the risks, rewards and success factors.
Should you allow employees to bring their own devices (BYOD) into the enterprise? It’s a question that raises many others. Is the business data going to be at risk? Can the business save thousands of dollars a year through not buying devices? Will employees finally get the latest gadget they want?
The idea of employees using their own equipment at work is not new. Using private vehicles for sales representatives, couriers, and truck drivers has a long history in industry. Likewise, enterprise mobility is not new. Companies like Intermec and Motorola have developed fit-for-purpose mobile devices since the 1970s. What has changed and continues to advance rapidly is the sophistication of consumer mobile devices. These are now more powerful and feature-rich than ever before. With the explosion of mobile device technology, early adopters immediately brought the latest devices into the workplace. Before the iPad was released in Australia, it was being used in Aussie workplaces to show videos, take notes, and access email. Therefore the big question for enterprises isn’t ‘should we allow BYOD’, but ‘how do we allow BYOD?’
BYOD strategy success factors
If we further explore the analogy of vehicles in the workplace, you will see some governing factors that ensure their successful use. Firstly there are situations (dare I say applications) where it may not be appropriate to use a private vehicle. For specialist fields like mining, police, health or where there is a need for branding, a company vehicle may be a better fit. Secondly, there are mature policies that outline how a private vehicle can be used. For example, bicycle couriers may get a fee per delivery, whereas taxi drivers must prepare and service their vehicle following strict guidelines. Another challenge to consider is that employees expect to be able to use their private vehicle in their own time for their own purposes. So what should the enterprise do to prepare for the BYOD that is already happening? A useful technique is to develop a BYOD strategy that encompasses the requirements, risks, policies, and technology.
Current usage of mobile technology
The first factor to consider is how your enterprise currently uses mobile technology. The most common answers are phone calls, emails and associated attachments, calendar, internet, and map services. These features may be low risk for most; however, consider the specific risk to your enterprise and data. If a phone was found by a competitor, what data could they get access to? Could a malicious user release commercially sensitive information or compromise a government regulation?
Increasingly, enterprises already use or are planning to use mobile technology to access the corporate network and back-end systems like SAP. These uses of mobility warrant a closer review of the requirements and risks. Typically these applications fall into the category of either web-based or rich/native applications. Consider carefully what data and features the mobile applications enable. Could a malicious user download all of the customer data? Some rich mobile applications are akin to the police car in the vehicle analogy and require specific equipment to run properly (e.g. bar code scanning, a specific operating system, or use of a printer). It may help to document each type of user and the features and applications they require.
Managing other risks and factors
While loss of IP and corporate data is of paramount importance, there is a range of other factors your enterprise should consider for BYOD, including:
• Cost of support: how will you handle problems on BYOD devices?
• Personal data: what if employee data is wiped or accessed?
• Who’s paying: for the device, data, calls, and support?
• Short lifespan: models change every six months, what will your upgrade plan be?
• Employees leaving: how do you clean up the enterprise data?
The right policies for your enterprise
This is a real ‘horses for courses’ question. I’ve worked with small businesses that love technology and utilise every feature, including geo-fencing and remote control of devices for support, but don’t require strict regulations on their data. At the other end of the spectrum, there are government-regulated industries that only use technology when they have to and every feature needs to be encrypted and locked down. In my opinion, sensible policies should protect the enterprise without hampering productivity and innovation.
When you have a good picture of your requirements, data, and risks, think about the policies that your enterprise would want to include in relation to mobile devices. These policies may in fact be appropriate for both BYOD and corporate devices. Most enterprises have an acceptable use policy for their desktops and/or the internet, and these may be a good starting point. Don’t just consider the technical policies (e.g. security, authentication, password strength, and data segregation); also think about the commercial ones (e.g. who pays for the data, calls, and support).
Managing the mobile fleet
I’ve seen a number of organisations where the mobile fleet is out of control and monthly fees are paid for dormant SIM cards sitting on a shelf. Consider all the device models, brands, and operating systems that you have out in the field. Do you have a mixture of old and new devices, iPhones for executives and ruggedized devices in the field?
Just because your enterprise will support BYOD doesn’t mean it needs to support every type of consumer device. Look at the popular consumer device models and consider your enterprise requirements and policies. You can create a whitelist of devices that are suitable.
Supporting tools and solutions
Once you have a handle on the BYOD requirements and policies, you may need to consider a toolset like Mobile Device Management (MDM) to assist with the implementation of your strategy. Typical MDM features include:
• Application management
• Asset and lifecycle management
• Authentication, policy and security management.
An MDM solution can help segregate personal and corporate data, establish a standard operating environment (SOE), and support fleets of devices more easily. However, MDM solutions are reliant on the features provided by the operating system or hardware manufacturer. For example, you may be able to remotely view the screen on a Windows mobile device, but an Apple device might not support this feature. Likewise, some MDM products are offered as a hosted service, and others must be installed on your own hardware. To investigate the toolsets (for example, SAP’s Afaria), a good starting point is Gartner’s Magic Quadrant report for MDM. If you’re thinking about iOS, a great public resource is the Department of Defence iOS hardening guide.
Employees always want to utilise the best tools, and mobile technology is an area that continues to evolve. Be prepared so that your enterprise can cost-effectively leverage the benefits of mobility. Develop a BYOD strategy that considers the requirements, risks, policies and technology. Consider that BYOD is happening but may not be suitable for every mobile enterprise need.
BYOD may suit:
• Phone
• Email
• Web-based applications
• Simple workflow-style applications
• Reporting and business intelligence
BYOD may not suit:
• Applications that rely on rich device integration like RFID, scanning, keyboard, or stylus
• Tasks requiring a specific operating system or API
• Scenarios where a rugged or IP rated device is needed
• Where the business process is wholly reliant on the device
Adam Sivell has worked in IT since the mid 1990s, and is currently Practice Leader for Mobility at Fujitsu Australia. He has an extensive background throughout Australia and around the world working on more than 30 SAP and mobile projects.
This article was originally published in Inside SAP Summer edition.