The BYOD conundrum

The trend for employees to bring their own mobile devices into work is gathering pace, as we discuss in the Ovum report The BYOD Gap: trends, strategy, and the state of mobile device management. Enterprises facing an influx of consumer devices will need to make plans to embrace or, at least, cope with BYOD, as it is happening whether they like it or not. However, implementing a BYOD policy throws up a lot of challenges, and the solutions are not simple.

Drawing up a BYOD policy requires careful consideration, and there is no set path that a business should take, as every organisation will have specific requirements. However, there are some common themes emerging: all enterprises will need to consider the cost implications of employee-owned devices, the contractual implications with mobile operators, questions over who owns the device and SIM, the requirements and obligations of both employer and employee, and the measures needed to ensure that corporate data and devices remain secure.

Make sure you understand the cost and service implications of moving to consumer contracts

Some IT departments see benefits in shifting the burden of cost (including the cost of the connection as well as the cost of the device) to the employee. But they should recognise that, while it may bring other benefits, it may not be the most cost-effective solution for the enterprise in the long term, if that cost is eventually billed back to the company in some way. And, equally importantly, there could well be customer support issues to contend with, too.

When it comes to mobile voice and data tariffs, there is a big difference in cost between consumer and corporate contracts – large enterprises can negotiate excellent deals with mobile network operators on large contracts. If an organisation chooses to let the corporate deal with an operator go, and ends up paying for individual employee contracts instead, it can cost a lot more – up to five times as much per month, according to some users. It is also very likely that the company would get reduced levels of service, since employees would be getting standard consumer service instead of the corporate-grade support typically provided under a large managed services deal, or even under a standard business contract. This could work out well for the mobile network operators (MNOs), as their cost per user in supporting an enterprise contract is not much higher than when supporting an individual consumer.

Furthermore, with employee contracts spread across different MNOs, internal calls (which, in many companies, represent the bulk of all voice calls) will undoubtedly become more expensive. Enterprises which have spent years implementing converged solutions and negotiating closed user group (CUG) tariffs could see these benefits seriously undermined.

Some enterprises believe that giving employees a monthly allowance and allowing them to pay for their own contracts will be a simple solution to the mobility problem. But this so-called “simple solution” of letting the employee buy the device and pay for the contract (and therefore own the SIM) out of the employer-paid allowance is actually not so simple, after all. Firstly, there is the roaming issue – if an employee goes over their allowance while working abroad, they could be left with a large bill, and questions would emerge over whether they, or the company, are responsible for it. While the employee may claim that their employer should pay any work-related bills, they will need to provide evidence that their data usage was not personal – and, legally, the user does not have to disclose details about data usage to anyone if the contract is in their name.

Secondly, if the user owns the SIM, then they also own the number, and this can have a negative business impact if they leave the organisation. Sales and marketing personnel are some of the most likely to be mobile workers, and if they use their personal number at work, then there is a risk that they will take their corporate contacts and leads with them when they leave the company.

Thirdly, paying out allowances and establishing whether they are benefits in kind or expenses is likely to create difficulties in terms of tax and VAT compliance. Inland Revenue services in every region will be watching with interest as new methods of employee benefits and payments are rolled out. Finally, users paying for their own contracts can lead to higher usage and costs on the corporate WiFi network – users are far more likely to use data via WiFi if it is available, than through the mobile network.

So, one way for a company to run a BYOD policy and still keep control of its mobile costs is to retain ownership of the SIM. Companies may wish to support BYOD by allowing employees to bring the device of their choice into work, but owning the SIM gives the employer greater management of, and control over, expenditure, contract negotiation, tax compliance, data usage, and security requirements. While it is possible to manage data security on personally owned devices, preventing costs from spiralling out of control is a more difficult challenge. And such a policy is not likely to upset employees – people care about the UI and capabilities on their device, rather than forming attachments to a specific phone number.

Define requirements and obligations

BYOD policies need to be very clear about the requirements and obligations of both the employer and employee. There needs to be a certain amount of give-and-take on both sides: companies should appreciate that employees will not want their personal data to be interfered with, while employees must realise that their employer cannot afford to lose corporate data and will require a degree of management of, and control over, the device.

Questions over who owns and manages devices and data can be a legal minefield, so making employees fully aware of what they are signing up to – and ensuring that they sign a policy before enrolling their device on the corporate network – is an important step in any BYOD rollout. Such obligations on the part of the employee may include allowing GPS tracking, password policy enforcement, application and call monitoring, application installation, and, perhaps most significantly, the potential for their device to be fully or selectively wiped of data and applications.

The employer also needs to take responsibility for clearly defining what constitutes sensible or reasonable usage of data. For company-owned SIMs, the employer needs to ensure that employees know what the limits on personal usage are, and if there is any type of content that should not be accessed, even on personal time. Again, this can become a minefield for the employer to manage, and it may prove hard to enforce limits on personal usage. Where it gets trickier, from a cost point of view, is when the user takes their phone or tablet abroad and makes use of data or voice roaming services. This can rack up huge bills and usage needs to be tracked – otherwise, how does the employer know if the user has been accessing data for personal or work purposes? Ideally, any employer would only want to support the cost of business usage while the user is abroad. One option is to cap roaming usage, and telecoms expense management systems are a useful tool in helping to keep track of spending and to decide when to cap usage if necessary. Simply instructing users to turn data roaming off before they go abroad may prevent bill shock, but it will also prevent staff from doing their job properly, so tracking and managing usage are important things to get right.

Secure corporate data on the network and the device

When it comes to endpoint device usage, for any organisation, the most valuable thing that must be protected is corporate data. While most large companies can bear the brunt of the cost of losing single pieces of hardware worth several hundred dollars, loss or theft of customer details or other sensitive corporate information can be disastrous. There have been numerous cases of data loss damaging a company’s reputation and bottom line, one high-profile example being BP’s loss of a laptop in March 2011. The laptop, which was password protected but not encrypted, contained personal details of 13,000 people in Louisiana who had filed compensation claims from BP following the Gulf oil spill of 2010.

To enable users to access corporate data and applications from their personal mobile devices, while also ensuring that the data remains secure, technologies such as cloud storage, secure VPN, and mobile virtualisation can help. Coupled with security policies that do not allow content to be stored locally, these technologies ensure that users can only ever access corporate data when connected to the secure corporate network, and the data will remain safe, even if the endpoint device is broken, lost or stolen.

Third-party mobile device management (MDM) providers are often in the best position to roll out and manage such technologies and services for the enterprise. They have the specific expertise and required tools, and can implement their services quickly. Typical security functions for personal mobile devices offered by MDM providers include: remote wipe and partial wipe, activity logging, GPS tracking, real-time reporting and alerts, document control, password policy enforcement, auto-discovery of devices on the network, and auto-quarantine for any devices suspected to be infected with a virus or carrying malware. And because no company wants to be the poster child for data loss through the use of insecure personal mobile devices, organisations of all sizes and across all verticals are flocking towards MDM or mobile virtualisation vendors. As a result, the enterprise mobility services market, especially MDM, is in a real bubble, with many vendors seeing huge growth. So long as the trend for BYOD continues, and as more and more organisations look to secure their data no matter what devices it is being accessed from, this growth is set to continue. The number of vendors in the market is bound to shrink as consolidation takes place, but the demand will remain.

Richard Absalom is an analyst with the Ovum Consumer IT practice based in London.