Best practices in bring your own device (boyd) for the enterprise

An OVAT

BesEn

ION Wireless

st Practnterprise

Wo

s Managemen

ices in Be: Secur

orkforce

nt White Pape

www.ova

Bring Yorely Ena

e While A

er

ationwireless.

our Ownabling YAvoiding

.com

n DeviceYour Mobg the BY

e (BYODbile ConYOD Tax

1-866-207

D) for thennected x

-2111

e

An OVATION Wireless Management White Paper 1-866-207-2111

www.ovationwireless.com

Architecting your BYOD strategy

The evolution of enterprise computing has taken-on an entirely new face. Mobile form factors have dominated the enterprise computing landscape in recent years and this growth trend is not slowing. That fact that in the fourth quarter of 2011 Apple sold more iPads than any other manufacturer sold computers is a testament to the rapidly expanding mobile computing juggernaut. Consumerization of IT has been the catalyst for the proliferation of tablets and smartphones in the enterprise. Consequently, the growth of Apple iOS devices acquired by employees is driving the tidal wave of demand for IT organizations to adopt a BYOD program. According to a 2011 study by IDC, approximately 40% of corporate employees use personal mobile devices to access corporate networks and systems. When executives embrace personal iOS devices, and require that IT support and connect their devices to corporate systems, it fuels the trickledown effect and subsequent need for a BYOD program.

Therefore, it is no surprise that enterprises worldwide are facing increasing pressure to allow employees to bring their own devices into the enterprise and connect them to corporate networks and systems. In fact, according to industry reports, over 70% of enterprises have developed some form of BYOD program. The initial benefits, to the enterprise, of enabling BYOD include employees working longer hours, greater employee satisfaction and a reduction in the capital expense of mobility because that burden is shifted, in part or whole, to the employee. While the initial assessment of BYOD often reveals benefits of allowing employees to bring their own devices, more often than not there is a significant cost in letting them do so – the BYOD Tax – which is made-up of higher wireless service expenses, higher support costs, higher application development costs, higher security costs, higher regulatory compliance costs and higher administrative costs.

In order to avoid the BYOD Tax, enterprises need to architect their BYOD program with the right set of constructs that enables the appropriate degree of end-user preference resulting in increased productivity and satisfaction while ensuring that the total cost of ownership (TCO) of enterprise mobility is not negatively impacted.

As your IT organization assesses the impact of BYOD and plans for the future of embracing consumer preference and a mixed mobile IT ownership environment, this white paper will help you develop a programmatic approach to deliver an effective BYOD framework that enables choice while containing costs. The following best practices will help you take a holistic approach by addressing the key factors of your program framework and setup the appropriate governance model for your mobile connected enterprise.



Best Practice 1: End-User Segmentation

In order to align the best mobile IT resources for your workforce you’ll need to develop end-user segments based on criteria that will maximize end-user productivity while ensuring a secure and cost effective mobile enterprise ecosystem. In defining the end-user segments you should look for natural usage patterns, determine location requirements and review business requirements by segment including:

• End-user contribution to the bottom-line • Access/time sensitivity • Location • Value impact of mobility • Regulatory compliance • Data access • Systems access • Application usage • Voice/data usage

Typically five or six different segments are sufficient for developing an effective framework for your BYOD program to help define the technology portfolio that will be accepted into the program.

It is helpful to define end-user segments by location/type of worker:

• Task Worker: Day Extender • Knowledge Worker 1: VIP • Knowledge Worker 2: Home Office Worker • Power User 1: Field Sales Force • Power User 2: International • Power User 3: Field Force

When you’ve completed the end-user segmentation you’ll need to establish support levels, expense levels and governance parameters. Next, you’ll need to capture the application usage, systems access requirements and data access requirements in order to align the best technology portfolio with the user needs. For example, if there is a specific end-user segment that has access to highly regulated data or processes then your policy and security for that segment needs to ensure regulatory compliance. The end-user segments are the cornerstone for establishing the policies to help govern your BYOD program and ensure a secure and productive mobile connected workforce.



Best Practice 2: Defining Financial Liability by Segment

One of the most overlooked elements of BYOD programs is financial liability. When ignored, financial liability is the single biggest factor in driving up the TCO of the mobile enterprise and contributing to the BYOD Tax.

Financial liability is the process of establishing who contracts with the wireless carriers for the service plan. Corporate liability is when the enterprise establishes the carrier relationship and financial responsibility for the plan. Corporate liability, when managed correctly, can deliver the greatest efficiencies in wireless service costs. Individual liability is when the end-user contracts directly with the wireless carrier. Individuals are typically relegated to the plan du jour and in most cases purchase plans that are much less efficient based on their actual usage.

According to the December 2, 2011 Forrester report Consumerization Drives Smartphone Proliferation, “More than half of US information workers pay for their smartphones and monthly plans, and three-quarters pick the smartphone they want rather than accept IT’s choice.” The problem with information workers paying for their monthly plans and getting reimbursed by the enterprise is the loss of enterprise buying power and subsequent increase in the wireless service costs of up to 35% or more. When enterprises implement a flat stipend (Ex. $50 per month) then end-users will throttle their usage in order to prevent having to subsidize the wireless spend for the enterprise resulting in a reduction in the benefit of mobility. In addition, the administrative cost of processing the monthly payment ($25 to $45) often goes overlooked and is an additional contribution to the BYOD Tax.

When enterprises allow employees to purchase their own wireless plans then they also relinquish the decision of what services are selected to enable the end-user to be productive and efficient.

The changing landscape of rate plans is creating additional complexity. Verizon and AT&T’s introduction of shared data plans create a new management challenge in containing wireless service costs. Verizon and AT&T are attempting to stem the loss of revenue from applications that provide text and messaging capabilities over the data connection and circumvent the carrier text service. In addition, the unlimited data plans have virtually all but disappeared with a few exceptions.

Best-in-class enterprises that are driving down the TCO of mobility are implementing a hybrid approach to financial liability. For knowledge worker and power user segments that need data access it is important for them to fall under corporate liability in order to mitigate the risk of escalating costs of individual service plans. For task worker segments that simply extend their day and use email as the killer application then individual liability and a flat stipend is an effective method.



Best Practice 3: Technology Alignment and Device Choice

As you define the technology and services that best equip each segment with the capabilities that will drive productivity gains, it is important to take a future-proof approach and make sure that your enterprise mobility roadmap is in alignment with your overall IT roadmap. When it comes to BYOD and the portfolio of devices, operating systems, services and applications, best in class enterprises support end-user choice to a certain degree yet place some limits on what they’ll support in the BYOD program. Technology alignment by end-user segment is another area where the BYOD Tax can rear its ugly head.

The cost to develop and support applications across all mobile platforms contributes significantly to the BYOD Tax. You’re best served to create an environment that consists of approved devices that enable you to develop applications that work seamlessly with the user interface models of the device set. Taking this approach will also help reduce your maintenance expense which often makes-up over 60% of the mobile application expense.

Aligning the technology portfolio for each end-user segment is a critical step that should not be taken lightly. For example, understanding the location of operation of the end-user segment has significant ramifications. If the end-user requires global access then the technology portfolio for that end-user will differ greatly from a domestic end-user. Make sure that the technology portfolio delivers on the exact needs of each segment. Creating a matrix of devices, technologies, services, support and associated costs designated for each end-user segment is an effective way to define, communicate and manage the enterprise mobile technology portfolio. The enterprise mobility matrix should encompass all technologies including laptops to ensure complimentary technologies don’t break the budget.

In most BYOD environments, it is not just a device choice but other choices that need to be defined and approved. According to iPass’ Mobile Workforce Report, Q1, 2012 the average mobile connected worker is equipped with 3.5 devices. This is up from 2.7 devices during the same period in 2011. With a plethora of new mobile device introductions taking place over the next several months, this growth trend is expected to continue. Rumors abound of new tablet form factors that will likely become complimentary devices versus replacements. Therefore, it is important that you revisit the enterprise mobile portfolio matrix on a quarterly basis to keep up with the changing mobile landscape and ensure you’re supporting the best technology set. In addition, when employees in the knowledge worker or power user segments purchase these new devices, it is important that they understand that they’ll be required to activate them on the corporate service plans. When you equip an employee with 3.5 mobile devices on average, the corresponding service spend can quickly grow out of control. Your BYOD program must have the appropriate management controls in place to ensure that your wireless services spend doesn’t break the IT bank.



An additional requirement associated with BYOD programs is Mobile Device Management (MDM) applications. MDM applications ensure policy compliance of devices connecting to corporate IT infrastructure as well as eliminating security threats. In order for this to be effective, you’ll need an MDM solution with baseline functionality that generally includes asset management, encryption, password policy, remote lock/wipe, and email/Wi-Fi/VPN configuration. When enhanced mobile security and data protection is required, there are also MDM options that include functions like mobile anti-virus protection and point-to-point encryption.

Best Practice 4: Policy Development

A detailed enterprise mobile policy is an absolute necessity with any mobility program including BYOD. Because BYOD introduces some grey areas in terms of ownership and responsible parties, you need a policy that will limit your legal exposure and provide governance over your BYOD program.

With the recent issues over Carrier IQ’s diagnostic software providing the ability for carriers to track location and keystrokes, privacy advocates mobilized and Rep. Ed Markey (D-Mass.) drafted the Mobile Device Privacy Act. While this has not been passed into law yet, it is a sign of things to come. When you combine this with the Electronic Communication Privacy Act and the plethora of state and local government laws that govern distracted driving, you have to make sure that your enterprise mobile policy mitigates the legal risk of your BYOD program.

One of the most important elements of your BYOD policy is notifying employees that if they choose to participate in the program then they agree that the corporate IT department will be placing Mobile Device Management software on their device and that it will be monitored and managed in order to eliminate risks to the enterprise. It is very important that the employee sign an agreement accepting this policy.

In addition, you need to have the employee agree that they will not use their mobile device while operating a motor vehicle. If they do, then they’re responsible for the consequences. The employee needs to indemnify the enterprise to ensure that all accidents resulting from using a mobile device while operating a motor vehicle are the responsibility of the end-user.

The policy also needs to help mitigate the risks of nefarious acts conducted by employees with mobile devices. This can include governing the use of cameras, unapproved content and removable media.



In addition to the items we’ve addressed above, the BYOD policy should include criteria for the different segments based on:

• System access parameters • Data loss prevention • Corporate data management • Corporate or individual liability • Financial responsibility

It is not a bad idea to have all employees sign your enterprise mobile device usage policy. That will help you mitigate the risks of those devices that slip through the cracks. Some reports indicate that more than 40% of enterprise mobile devices are connecting to corporate systems without the knowledge of the IT department.

With the rapid evolution of mobile technologies and state, local and federal laws, you’ll need to review your BYOD policy on a frequent basis. Once a policy has been developed and implemented then it needs to be managed to ensure that it protects the enterprise and the end-user. End-users need clear and concise communication on what’s allowed and what’s not allowed as well as feedback on their compliance. This is an important task for the mobile governance center of excellence inside your organization. If your organization doesn’t have a mobile governance center of excellence, then it is important to establish one prior to BYOD program rollout. These organizations are typically made-up of end-users from each segment, line of business management and IT management.

Best Practice 5: Security

Security is the single greatest concern of CIOs when it comes to BYOD programs. There have been many high profile data breaches resulting from mobile device threat vectors. Each device is an endpoint that can become a security threat that varies based on the end-user segment and class of device. Therefore, making sure that you implement an MDM solution that provides for a granular level of policy definition is very important for mitigating risks. According to the 2011 study on IT security practices, laptop or mobile device theft was the second most common type of security incident and was reported by over 20 percent of organizations



In order for the BYOD program to be successful, it is important that your MDM, Data Loss Prevention (DLP) and Mobile Device Security solutions deliver:

• Asset and identity management • Storage controls • Network access controls • Application policy controls • Permissions • Authentication • Password settings • Move, add and change management • Unauthorized usage alerts • Web and messaging security

Best Practice 6: Support

Supporting end-user segments is another element of BYOD programs that can exacerbate the BYOD Tax. The end-user segment and the value that they deliver to the corporation via mobility should be a key parameter in defining the support level.

It is also important that your BYOD policy is clear on device replacement processes and financial liability to ensure that the correct expectations have been set when these incidents arise.

For end-users that require high availability and are highly time sensitive in performing their job, then you’ll want to consider a service level that provides for issue resolution typically within two to four hours. In some instances onsite support is warranted in order to drive rapid incident resolution and employee productivity.

For task workers that are not performing mission critical tasks with their mobile devices, then self-service support through the carrier support line should be sufficient.

These examples are the opposite ends of the spectrum of support that can be required for BYOD programs. It is critically important to set the expectation of support levels with each user and establish the process by which they communicate incident requests.

Support costs are a significant component of end-user operations and corporate operations expense. Defining the supported technology and the appropriate levels of support are critical for containing the TCO of BYOD programs

An OVAT

Conclus

Avoiding enabling support tbest pracembraceconnecte

For more

Visit: ww

Or call: 1

ION Wireless

sion:

the BYOD Tchoice with

to enhance pctices outline technologic

ed workforce

e informatio

ww.ovationw

1-866-207-2

s Managemen

Tax ultimatethe appropr

productivity wed above, yocal innovatioe.

on:

wireless.co

2111

nt White Pape

www.ova

ely means acriate financiawhile mitigatou’ll be deven while deliv

m

er

ationwireless.

chieving a leal controls, teting risks to

eloping a holvering a satis

.com

evel of compechnology cthe enterprislistic approasfied, produ

romise with controls, govse. By incoch to BYODctive and se

1-866-207

employees vernance andrporating the

D that will ecure mobile

-2111

by d e 6

e