Vox Mobile can help your business vision through strategic consulting which defines your mobility blueprint and how our on-going support and services can enable complete enterprise mobility.
First a caveat: We are not lawyers and we are not accountants. The commentary below is not intended as legal or tax advice. Clients must always check with their own legal, HR, and accounting department on any policy-related matters.
1. Legal discovery of personally owned devices
With most BYOD programs, this topic is usually not overlooked by clients. However, the implications are rarely thought through. Many organizations default to a stance where they have the right to seize an employee’s personal smartphone, or tablet, in the event of a legal matter. While this may be technically true (again, not a lawyer), it’s important to think through the resulting impacts.
First, is it consistent? What about an employee that uses Outlook Web Access from a home computer? They can save attachments to their home computer. Does the organization have the right to seize their home computer? Isn’t this the same situation as a personal smartphone connecting to corporate email?
Secondly, is it necessary? A majority of corporate data on a smartphone would have gone through corporate servers with evidence of that communication stored there. Technical measures can be put in place to ensure that corporate data stays in the corporate container of a smartphone. If absolutely necessary, technology can even be deployed to backup other forms of communication, such as text messages.
Finally, is it counter-productive? It is in the best interest of an organization to encourage BYOD adoption amongst employees that currently do not have corporate-issued smartphones. For more details on this matter, I suggest our whitepaper “The 5 Best Reasons for Adoption of BYOD”. Overly harsh policy measures will blunt adoption of a BYOD program.
2. Taxable benefit of reimbursements
A vast majority of organizations that explore BYOD must also explore the matter of reimbursement, stipends, or allowances. This will often necessitate some degree of financial modeling.
If an organization decides to provide a flat reimbursement to BYOD-enabled employees on a monthly basis, let’s say $40, it’s important to determine if this is a taxable benefit. If it is deemed a taxable benefit and a $40 gross payment is maintained, the benefit to the employee is substantially reduced and adoption will be negatively impacted. If it is deemed a taxable benefit and a $40 net payment is maintained, the corporate cost of the program would be significantly higher than anticipated. Unfortunately, there isn’t a clear answer on this matter and our clients take varying stances based on direction provided by their corporate accounting team. However, the following notice from the IRS from 2011 should shed some light on the matter for your accounting department: http://www.irs.gov/uac/IRS-Issues-Guidance-on-Tax-Treatment-of-Cell-Phones;-Provides-Small-Business-Recordkeeping-Relief. Just remember, if the corporate objective of a BYOD program is a net reduction in mobility spending, getting this matter wrong could shatter your plans.
3. Overtime implications
Caution and due diligence are absolutely required when enabling smartphones to employees that are overtime eligible. What constitutes overtime eligibility can vary significantly state by state in the United States. In some cases, explicit approval from the manager would be required in order to qualify for overtime. However, in other cases, an implicit approval may be construed by the context of the situation. For example, let’s assume a manager is accustomed to sending emails to his/her staff in the evening expecting action to be taken during business hours the following morning. Little does this manager realize that a BYOD program has been put in place and the staff now receives those emails in the evening. If the staff takes action on those emails immediately, are they eligible for overtime? This situation is not hypothetical. In Allen v. City of Chicago, members of the Chicago Police are suing for overtime due to their use of BlackBerry: Lawsuit Against Chicago Police for Blackberry Overtime.
4. Privacy expectations in various use cases
Concerns around employee privacy are increasingly important and complex, with or without BYOD. Most organizations have, formally or informally, permitted personal use of corporate devices for a very long time (COPE). While organizations would prefer to indicate that there should be no expectation of privacy, it’s usually not that simple and certainly not realistic. Even if an organization did want to observe non-corporate communication, such as a personal email account, it wouldn’t normally be possible unless you seized the device (see above). Due diligence by your legal department will be required here. Remember, from a productivity perspective, you want to encourage adoption of BYOD or the use of a single device by employees. Therefore a realistic, and perhaps softer policy, should be put in place. Regardless of the policy that is put in place, the greater challenge is communication to the employees and the identification of what constitutes private or not. For example, if an employee expects that browsing on their personal tablet is private, they would be mistaken if that tablet was attached to the corporate WLAN environment. Map out the various scenarios and take a thoughtful approach.
5. Personal information recovery upon exit
This particular policy topic is actually only applicable in the case of corporate-owned devices. As mentioned several times already, many organizations have enabled Corporate-Owned Personally-Enabled (COPE) policies, either formally or informally. It’s very likely that your employees are using corporate equipment for personal activities such as taking photos and videos. If the employee is asked to leave the organization, and the smartphone is confiscated, what do you do if they want their personal information back?
I typically ask organizations what they do today in case an employee needs to recover personal information from corporate computers. Most don’t have a set policy but will make exceptions. Chances are that this would be a far more pressing matter with mobility, as employees will use their corporate smartphones much more for personal activities. Many organizations will instinctively indicate that a corporate-supplied device should not be used for personal matters but that is no longer realistic. Some type of policy and exit procedures should be put in place to accommodate the out-going employee’s request.
An Enterprise Mobility Management (EMM) solution can actually help here. Nearly all EMM solutions have a feature that will allow the corporate data to be wiped from a smartphone but leave the personal information intact. The most common use of such a feature is in the case of an employee exiting with personally-owned equipment. However, it would also be very helpful in this case of corporate-owned devices. Even though the device is corporate-owned, this feature could be used to wipe only corporate data before giving the employee a certain amount of unsupervised time to recover their personal information. The device can then be taken and the remaining content wiped. It’s a more straight-forward and less cumbersome process than, for example, having someone from security watching them.
Final Comments
The above represents only five of the many policy topics that organizations must explore or re-explore. While there are some traditional policy topics that are no longer relevant, the net direction is towards increased complexity. What makes policy even more challenging for an organization is that the preparation of a robust document is only part of the battle. Every organization must also address the lifecycle management of the policy. How is it being presented to end-users? How is their acceptance being captured? Is there a plan to keep the policy up to date? We’ll save that discussion for another day.
While the benefits of mobility are extraordinary and transformational, managing enterprise mobility has become difficult and that difficulty is accelerating, especially for those that choose to do it themselves. If you think you could use help, give us a call.
Apple products play a prominent role in so many lives, redefining the ways that people approach day-to-day tasks like hailing a cab or turning off the lights. It isn't surprising that those people also want to use these devices at work. This phenomenon isn't exclusive to iOS devices, but it is more prevalent. Apple smart devices carry more apps than their Android counterparts, are used more often, and consequently consume much more bandwidth. The Mobile Thought Leaders' recent survey found that even the organizations that don't allow iPhones or iPads admitted that they probably have some people using them for work purposes without permission.
- Enterprise Mobility is not about choosing which device to have your email on. You need to let go of the “one device to rule them all” mentality and begin to see that screens and interfaces are proliferating and your real choices are to embrace them and find value in them or put your head back in the sand and let them become security holes and the places where your competition eats your lunch.
- People are buying technology faster than the enterprise. Consumers are lining up at Apple Stores, bringing home big boxes from Best Buy and Costco and having daily shipments from Amazon chock full of technology that blows away what we were giving our workers only a few years ago (or maybe even today). You aren't likely to have the budget to keep up with the technologies that your employees are investing in and getting comfortable with - but you can think about security, access, and privacy in scalable ways so that you can take advantage of both the hardware and your employees' competencies with them. The tools and expertise exist to make this pool of resources an addressable asset. Spend time getting good at that (or hire us) rather than spend time playing mobile device whack-a-mole.
- The cost of the devices and systems is low compared to the benefits that are returned. Most companies have been budgeting devices in one department but reaping the benefits in another with no linkage between the two. As operational parts of the business have begun deploying their own solutions that include devices, software, systems and support they find, appropriately, that the device cost is a tiny part of the overall picture and that ROI is brisk. If you want to get things moving, find an operational part of your business that wants to improve a process and suggest they consider a mobile app. We ALMOST NEVER see this process get hung up on device costs or proliferation of operating systems. The operational benefits are what is important and everything else is an issue that can be addressed in support of the business goal.
Before, the BlackBerry had enabled businesses to control all aspects of the device in terms of features and security. Now, organizations are forced to write down policy, perform end-user training, and…brace yourself…trust their employees.
Before, the BlackBerry had limited appeal, or use, as a consumer or personal device. Now, organizations have to deal with dozens of apps being installed on each corporate-owned device along with personal data such as photos and videos.
Before, low-cost BlackBerry smartphones were available and all of them were built from the ground up to limit data consumption. Now, expensive hardware, new service plans, and data overages have exploded mobility costs.
Before, with an end-to-end BlackBerry solution, the device could be activated and operational for end-users with relative ease. Now, nearly every single employee needs help when activating or switching their smartphone.
This loss in business-friendly attributes is compounded even further by one-time projects and other long-term changes in the mobility and IT landscape. Projects, such as a mass migration off BlackBerry, building a BYOD program, or standing up an EMM solution, are draining valuable resources and seem to be occurring one after another. Other changes are more systemic, such as the increased diversity of platforms and form-factors, the entry of personal hardware and applications, the dramatic rise of mobile use-cases in the organizations, a decentralization of IT costs, and an increasing segmentation of mobile workers with varying needs and differing security exposures.
Most analysts and industry experts will tell you that this is all very positive and will transform the way we do business. They’re right, but there’s a problem. Without the familiar BlackBerry, IT organizations are struggling to even maintain the level of service and cost control they were once providing.
Some organizations have attempted to leverage existing resources or parties that manage workstations and laptops. This is ineffective as smartphones and workstations vary too significantly in terms of management and support. A few organizations have ramped up IT spending dramatically with a surge in hiring and training. This is not cost effective as organizations have to constantly hire and train due to the ever-changing mobility landscape.
So what’s the answer? An increasing number of organizations have outsourced tactical and time-consuming activities to an External Service Provider (ESP) and re-focused internal personnel on mobile strategy and transformation.
While some personnel costs could be reduced, in many organizations, highly capable staff could be utilized to help shift IT from a functional organization to an enabling or even transformational group. There is a reason that the worldwide number of mobile devices to be placed under management by ESPs will grow by more than 75% in 2014 (Gartner Magic Quadrant for MMS). More and more organizations are realizing that it is not their responsibility to be experts in mobility operations, especially as the mobility landscape continues to shift at an accelerating pace. Let’s be clear, the opportunity for transformation is extraordinary. Workers are more knowledgeable, software development is becoming more accessible, hardware is becoming more powerful in terms of processing power, screen resolution, and bandwidth, sensors such as gyroscopes and magnetometers are becoming more available and precise, and cloud capabilities are increasing. Oh and let’s not forget the amazing accessories that are becoming available such as Heads-Up Displays, Smartwatches, NFC Rings, and even muscle sensing armbands. Transformation is taking place, typically with small innovative organizations and “rogue” teams within large organizations. But why hasn’t it taken hold? Why hasn’t IT transformed your business? Well, they’re busy. And they sure do miss BlackBerry.
1. Understand the scope of the organization’s mobile collaboration needs: The first step toward a strong mobile collaboration management strategy is to understand what people are doing with mobile collaboration tools and what kind of data is being shared. A key part of understanding the scope is to assess the risks involved, both from a monetary perspective and liability exposure point of view. Once these questions are answered, it’s possible to develop a solid business case that aligns IT initiatives with target business outcomes.
2. Implement controls: When the scope of the company’s mobile collaboration requirements is clear, the next step is to implement controls to protect data and other company assets. As the enterprise survey indicated, people are already using collaboration tools such as Dropbox, so the IT team will need to develop a solution to manage document access and protect enterprise data. An enterprise-level version of Dropbox or collaboration solution such as SharePoint can enable greater security and control.
3. Deploy collaboration apps: In the absence of a comprehensive mobile collaboration management strategy, it’s likely that employees are using a range of unauthorized apps on their local devices, and it’s impossible for IT to control what happens to documents that are accessed via the app. To get app use under control, companies can deploy collaboration apps via an app store, making sure they designate apps that meet all of the end users’ needs while enabling centralized control and integration with applicable enterprise systems to eliminate data silos and ensure access to current information.
4. Assess the mobile app environment: On an ongoing basis, IT professionals should evaluate the mobile app environment, determine what kind of apps are being used and identify business purposes. One company that evaluated its mobile app environment determined that about 20% of its employees were using document scanning apps, some of which stored data in the cloud. The company didn’t know which apps were being used, which meant they couldn’t be certain that their data was secure. A comprehensive mobile collaboration and app management solution dramatically reduced risks and restored control.
5. Collaborate with users: Enabling collaboration has to be a collaborative process in its own right, both at the outset of mobile collaboration management policy development and in the ongoing process of adjusting the policy to meet emerging needs. It’s important for the IT team to understand business requirements and develop a process by which employees can request approval to add new collaboration apps. It’s also critical for the IT team to have the toolset it needs to analyze apps and identify where data is stored.
Mobile collaboration management is a process rather than a destination, and IT teams that want to address enterprise risk and enhance productivity must be prepared to engage for the long haul. The risks are real: Approximately 80% of app developers generate revenue by scraping data for third-party use. Sometimes the uses are completely benign, but there are unscrupulous players in the mix, and with an app that is used for business, it’s vitally important to know that sensitive information won’t fall into the wrong hands.
By creating a mobile collaboration strategy that addresses the scale of company activities, uses sensible control solutions, empowers employees with authorized apps, continuously evaluates app usage and seeks user consensus, IT leaders can effectively manage mobile collaboration. Ongoing collaboration with all stakeholders in policy development and implementation is the key to enabling users to work efficiently with colleagues, clients and partners in the mobile age.
The 2014 Gartner MQ on MMS portrays a very different industry and market than the 2013 edition. Gartner estimates that the worldwide number of corporate-liable and individual-liable devices to be placed under management by ESPs will grow by more than 75% in 2014. Driving this rapid adoption is the fast commoditization of EMM software service prices, and the recognition that enterprises require third-party IT services to better manage their mobile estate.
The criteria grew aggressively in 2014. According to Gartner, two of the seven inclusion and exclusion criteria include: Providers must have at least 400,000 smart mobile devices under management and providers must support at least 15% of their installed base outside their home geographies. Because of this, I am even more proud of our inclusion and placement with organizations like AT&T, IBM, Deutsche Telekom, DMI, Enterprise Mobile, Fujitsu, HP, Motorola Solutions, Orange, Tangoe, Telefonica, Vodafone, and Wipro. We believe that this extraordinary growth means that we will most likely see an even more diverse representation of providers in the 2015 version of the Gartner MQ.
The challenge for Vox Mobile this year goes beyond simply being included and having a niche position in the 2014 Gartner MMS Magic Quadrant Report. We need to continue to be inventive and understand that we can leverage our legacy capabilities to meet the market's explosive growth, invest in talent and technology to extend our service catalog capabilities, and build-out partnerships that complement the requests for non-core mobility services. Only when we exceed expectations and deliver on our promise of Complete Enterprise Mobility, for our clients that are living 'Connected Lives', will we have distinguished ourselves in an industry positioned for unparalleled growth.
It will happen fast in the coming months and we will have even more exciting news related to the Gartner MMS MQ and beyond. Stay tuned!
This graphic was published by Gartner, Inc. as part of a larger research document and should be evaluated in the context of the entire document. The Gartner document is available upon request from Vox Mobile. Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.
Gartner Magic Quadrant for Managed Mobility Services, Eric Goodness, Gianluca Tramacere, Katja Ruud, 24 July 2014
The Court of Appeal in Cochran v. Schwan's Home Service stated:
“We hold that when employees must use their personal cellphones for work-related calls, Labor Code section 2802 requires the employer to reimburse them. Whether the employees have cellphone plans with unlimited minutes or limited minutes, the reimbursement owed is a reasonable percentage of their cellphone bills.”
Despite my heavy consumption of Judge Judy and Law & Order (hotel room TBS), Vox’s legal counsel insisted I open with a disclaimer that I am in no way providing legal advice. K? That is out of the way…
Here is how I view things: When I drive my car to work, I expect Vox to pay me for its use. Vox Mobile maintains a BYOD strategy and I expect them to pay me for using my device for business purposes. Conversely, they could always give me a car and a corporate phone (I’m open to discussing this car option further @KrisSnyder). What I feel happened here is that California told businesses to pay their employees a reasonable amount if they use their device for work. Not surprisingly, their mandate met with some resistance and it ended up in court.
This isn’t complicated, I promise, but first I need to give you your new corporate BYOD plan. You’ve spent a year on it, but I can deliver it in 4 easy steps.
1) If you are using an MDM, employees have to agree to a full wipe of their personal device at any time.
2) Employees have to consent to the fact that their phone may be held for e-Discovery. This has not happened at your organization, ever, but if it does you will give them a “loaner” phone.
3) You will give them a stipend through payroll. If your finance team decides it is taxable, you will give them a higher amount to make up the difference. You will tier the amount: Voice Only, Data Only, Voice and Data.
4) Hourly Employees will not be given Data.
Apply these rules and segment your user base. That’s it, your plan is complete! If you don’t want to take my advice, email me and I’ll come out and throw down all kinds of consulting for you and your CIO. Finally, buy Vox Choice, Now! You’re undoubtedly skeptical so I’ll give you some reasons:
• When you try to run your BYOD stipend through T&E, you’re going to Fail. This strategy will add hundreds, or even thousands, of dollars’ worth of processing time, each month, to your program. Also, cost center managers and the finance team will begin cursing your name behind your back.
• You will invariably create a “simple form” for someone to sign and submit. I don’t have a lot of characters left so I will simply ask: Why did you stop doing that for laptops, licensing, pens, pencils and everything else you buy? (Answer: It doesn’t work).
• You will compile a really simple spreadsheet for finance, each month, detailing who to pay a stipend. EPIC Fail. I see so many organizations try this. So many problems: You are not informed when someone changes jobs and is no longer eligible. You forget who is allowed to have 1 connection, voice only, data only etc. and it turns into a management disaster. Some will even forget to check their MDM to see who is actually connected. Rita, that chick in marketing that always brings in doughnuts, will get paid every month for an iPad that hasn’t checked in on the MDM for over a year and a half!
• Time. This is simple. Your team has the time to do this. You already know that you don’t.
This brings me back to Vox Choice. Vox Choice manages all of this for you, and more! It automates your corporate policy to prevent the request before it even starts. If the user is eligible, it routes for approval. Once approved, it will auto-provision into the MDM. Every month it checks who actually connected to the MDM and builds a payroll file. No longer eligible, no problem: it compiles a user feed every night. An employee exits? Boom – it wipes the device. “But I have a Hybrid environment!” No worries. Choice handles that too. Choice can accommodate split billing for features and rate plans. It slices, it dices and it can split hardware charges any way you can think of: upsize to bigger storage, ineligible replacement etc.
In summary, California’s latest ruling on BYOD is not one of the 20,000 ways your everyday life could kill you. I over-simplified your plan, but you will inevitably fall into the traps I described if you choose to venture-forth alone. Implementing a BYOD strategy is a difficult journey and, without guidance, could fail miserably. However, once you have your strategy, Vox Choice can automate your regulatory adherence and compliance, including the details specified in this ruling.
1.) Outline a formal acceptable use policy. The first step organizations can take to reduce BYOD risks is to create an acceptable use policy, often referred to as a mobile policy. The policy should provide rules and protocols that govern BYOD deployment company-wide, setting standards for users. IT managers can take the lead by kicking off stakeholder discussions about BYOD rules now and into the future and designating a committee to promote and control mobile policy. It’s a good idea to require program participants to review the company’s mobile policy and acknowledge that they’ll abide by it via a signature.
2.) Identify users and create program participant segments. A crucial step in developing the organizational policy is to define BYOD users and identify various categories of program participants. This exercise gives the mobile policy committee the opportunity to think about any device type restrictions that may be needed, application restrictions and content issues. It also provides an opportunity for committee members to think through the financial implications of establishing a formal BYOD program, including user stipends or business expense rules applicable to employee devices.
3.) Select and deploy an enterprise mobility management platform. After the mobile policy is in place, committee members should assess their options and choose an enterprise mobility platform, keeping in mind their current technology and security needs and planning for future requirements. With technology evolving rapidly and employees choosing their own devices, it’s critical to think ahead and select a platform that can accommodate emerging technologies while keeping up with user demand and protecting corporate assets. The platform should feature strong network access controls.
4.) Plan to provide support for user-owned devices. Some company policy-makers mistakenly believe that BYOD means they no longer need to provide device support. This is a mistake that can lead to security breaches and decrease employee job satisfaction. Instead, companies should develop support protocols to manage all phases of BYOD, from device procurement and provisioning through decommissioning. By providing support and helping employees manage assets, technical professionals will gain valuable opportunities to ensure BYOD policies are followed, identify emerging vulnerabilities and help employees comply with safe practices.
From an enterprise IT perspective, BYOD is one of the most significant workforce technology trends ever. That means it’s absolutely essential to manage it proactively. By establishing a formal acceptable use policy, identifying policy decision-makers and user groups, selecting a management platform and providing ongoing support, IT professionals can maximize the benefits of BYOD and minimize the risks.
- Best Practice: Short articles on best practices as gleaned from our consulting group, Vox Architect, and from our R&D teams working on various technologies.
- Webinar Abstracts: We produce a number of web events and recorded presentations, usually lasting between 30 and 60 minutes. The abstracts will give you a better sense of what is covered in the full event so you can decide whether it is the right resource for you.
- New Products: Overviews of new products that may be of interest to our clients, including hardware, systems, apps, and services
- Tutorials: Step-by-step instructions on technical or policy concerns that require some attention
- White paper Abstracts: We will provide some of the key take-aways and the most interesting info graphics from our research and reporting so you can find the right white papers more easily and so those with short attention spans can learn a few things
- Mobile Thought Leaders surveys and results: The Mobile Thought Leaders program (MTL) is helping hundreds of organizations from around the globe to share their stories, insights and concerns about enterprise mobility. Throughout the year, MTL sponsors market and technology research projects. We will use the blog as one of the many places you can keep up with the opportunities to participate or access MTL research.
- Event recaps: Not everyone can attend all the industry events, like Mobile World Congress, AirWatch Connect, Gartner Symposium, to name a few. As our team members take part in these events, they will attempt to bring back some notes on the experience, the themes and the lessons learned.
As I said, the list of materials and information is extensive, but we see this kind of information sharing as a critical part of our mission:
We empower our clients to achieve their business vision through Complete Enterprise Mobility.
I look forward to sharing with you and welcome your thoughts and feedback.