Educate Employees on Mobile Security Policies
How to Understand Corporate-Liable vs. Individual-Liable Mobile Assets
As the adoption rate of mobile smartphones continues to rise and these devices become essential tools for the enterprise work force, IT departments are often tasked with managing and supporting hundreds, if not thousands, of mobile devices. Since the economic downturn, however, businesses have been pressured to make immediate, cost-cutting decisions regarding communications budgets. Many businesses have decided that significant money can be saved by having employees own their mobile devices.
They have, therefore, adopted what is known as an individual-liable (IL) program-employee-owned devices-to cut enterprise mobile costs and avoid the tax compliance tracking requirements associated with company-owned or corporate-liable (CL) mobile devices. In fact, according to a recent survey, 34 percent of respondents with a CL program indicated that they are considering switching to an IL program.
Some argue that migrating from CL to IL does more than just save the company money. Many believe that giving employees the ability to choose their own device based upon their own needs and preferences can boost productivity.
While the IL option can garner some immediate savings for the enterprise and achieve a higher level of productivity on the part of some individual workers, it is not without its corporate risks. Not all devices are created equal in their ability to be managed by the enterprise; short-term cost and time-savings can mask logistical and security vulnerabilities.
Organizations that adopt an IL approach without being properly prepared in terms of technology and management strategy may be left to sort out a complicated enterprise mobility scheme that could be costly on many fronts. That is because, in the long run, the issue of ownership is secondary to what happens when a mobile device is connected to the corporate network.
The IL vs. CL Debate
The IL vs. CL debate
Here is how the debate generally seems to rage: If an employee is responsible for the purchase and monthly fees associated with a standard cell phone (aka, a "dumb" phone), the enterprise has no claim on the device type purchased and the device has no data connection to the enterprise. If, however, the employee wants to access the enterprise data stream (e-mail and applications) via a self-owned or IL smartphone, the organization is well within its rights to require the use of a preferred smartphone equipped with corporate-selected data and network security software.
Put simply, a device connected to the corporate network will be monitored and managed by IT. Without that control, the device will not be granted access. While the employee owns the phone, the enterprise owns the corporate data and applications that reside on the device.
What about "the iPhone factor"? That is, should an organization allow users access to the corporate network on a device of the consumer's choosing in the name of productivity and perceived cost savings despite the disparity in security, data and network administration?
To reiterate, not all smartphones are equal when it comes to enterprise management and policy administration (as evidenced by the gap between BlackBerry and iPhone devices). Yet, the desire on the part of the user to drive choice-the "consumerization" of devices-has and will continue to pressure enterprise support. Companies will be increasingly challenged to deal with this growing demand while still protecting the corporate network and proprietary data that belongs to the organization-without exposing themselves to security, support and data loss vulnerabilities.
Is there a middle ground in the IL vs. CL debate? Yes, if organizations are smart about aligning their mobile device strategy with corporate-wide technology and budget requirements. The best approach is to go in with eyes wide open, weighing the pros and cons of each scenario. Here are six recommendations for businesses caught in the crosshairs of this heated and growing debate:
Educate Employees on Mobile Security Policies
Recommendation No. 1: Educate employees on mobile security policies and deploy technologies to assist with policy compliance
Whether a business is managing a corporate, individual or hybrid mobile environment, it's important to align mobile polices with mobile device management strategy. Start by having all users agree to and sign off on corporate policies, terms and conditions of use. In particular, IL users should know that if they link to corporate data, they are allowing the enterprise a certain level of control over the device. If the device is lost or stolen, the enterprise has the right to wipe the device clean of all data by the company's central mobile management system in order to protect its assets.
Likewise, when an employee decides to leave the company, they may take their device with them (but not until after it has been wiped of all enterprise data and applications). In addition, all employees-no matter what device they are using-should have access to mobile device management tools that allow them to self-manage and self-support their devices, or engage IT when troubleshooting is required.
Recommendation No. 2: Don't pay consumer rates for corporate spend
With an IL program, there are no enterprise volume discounts for usage other than those offered as a standard rate plan to the consumer. If employees are being reimbursed by the organization for mobile device expenses (as many employees are), the enterprise will most likely experience an increase in mobile usage costs. CL programs enable enterprises to take advantage of corporate volume discounts and optimized rate plans geared specifically towards the enterprise use of pooled plans.
Recommendation No. 3: Don't get sidetracked by tax issues
Transitioning to an IL policy might absolve the organization of any taxes for personal use of employer-paid devices, but the time, resources and IT budget an organization spends attempting to manage, secure and track personal devices can far outweigh the savings on tax compliance.
Strive for a Homogenous Environment of CL Devices
Recommendation No. 4: Strive for a homogenous environment of CL devices
Having the highest level of control over all corporate devices is the best way to ensure the protection of sensitive company data and avoid unnecessary security exposure. In a CL environment, businesses can better align mobile device management technology with mobile policies, allowing IT to distribute applications, track invoicing, and handle security issues seamlessly and efficiently.
A homogenous environment also reduces the costs and complexities of managing and supporting the smart device infrastructure. With consistent operating systems and hardware configurations, the ability to remotely deploy applications and provide user service can be greatly enhanced, thereby lowering costs, maximizing support capabilities and minimizing user downtime.
Recommendation No. 5: Hybrid mobile environments can work with more effort
While a hybrid mobile enterprise comprised of a mix of CL and IL devices can create a complex environment for business to manage, it is possible for enterprises to mitigate these complexities with adequate mobile device management software and policies. Businesses taking this route must ensure that they closely monitor and track non-corporate devices in order to manage data access and security compliance, as well as application and invoice tracking, alongside the organization's corporate-issued devices.
Recommendation No. 6: Foster a closer relationship between IT and finance
IT and finance need to be aligned so that a mobile billing policy is tightly connected to a corporation's mobile usage policy. This is necessary whether that means tracking personal versus corporate calls, or ensuring that applications are downloaded, billed (if necessary) and tracked properly. If corporations have the right mix of process, technology and departmental collaboration, the odds of long-term savings and optimal corporate control over the mobile infrastructure is greatly increased. In addition, aligning appropriate policies and capabilities between finance and IT can mitigate, or even eliminate, the significant risks and cost exposures of lost or stolen corporate data.
There are many considerations and actions organizations must consider in order to minimize both the costs and risks associated with managing mobile devices in such a rapidly changing environment. The good news is that there is a plethora of services and technologies available to assist enterprises in their IL versus CL considerations. Ultimately, the more an organization can anticipate trends, evaluate options and set clear guidelines for what devices have a place in the corporate network (and how they will be owned, operated and managed), the better they will be-no matter what course they take.
Albert Subbloie is founder, President and CEO of Tangoe. Albert is recognized as a telecommunications technology and Internet pioneer. Prior to Tangoe, Albert was among the first to develop and market voice and data solutions for integrated sales, marketing and customer service activities. Albert founded Information Management Associates (IMA) in 1984 and guided the company's growth to more than $50M in sales and 300 customers in seven offices worldwide. Albert is credited with one of the patents for reverse auction theory, the leading Internet paradigm in most shopping Websites today. Albert received a degree with honors in Economics from Trinity College. He can be reached at firstname.lastname@example.org.