In the consumerization of IT,
BYOD is a phrase that has become widely adopted to refer to employees who bring their own computing devices – such as
smartphones, laptops and PDAs – to the workplace for use and connectivity on the corporate network.
Today, employees expect to use personal smartphones and mobile devices at work, making BYOD security a concern for IT teams. Many corporations
that allow employees to use their own mobile devices at work implement a BYOD security policy that clearly outlines the company's
position and governance policy to help IT better manage these devices and ensure network security is not compromised by employees using their own devices at work.
BYOD security can be addressed by having IT provide detailed security requirements for each type of personal
device that is used in the workplace and connected to the corporate network.
For example, IT may require devices to be configured with passwords,
prohibit specific types of applications from being installed on the device or require all data on the device to be encrypted.
Other BYOD security policy initiatives may include limiting activities that employees are allowed to perform on these devices
at work (e.g. email usage is limited to corporate email accounts only) and periodic IT audits to ensure the device is in compliance
with the company's BYOD security policy.
- It's the "new big thing" they're all rapping about
Workers want to use their personal
iPhones, iPads and Android devices instead of company-issued BlackBerry smartphones and PlayBooks to get their jobs done.
It's part of a growing trend called BYOD, or bring-your-own-device......
While CIOs might gloat at BYOD's perceived cost savings--no more
BlackBerry purchases!--they'd be wrong to do so. Aberdeen Group found that a company with 1,000 mobile devices spends an extra
$170,000 per year, on average, when they use a BYOD approach.
"Organizations that simply say BYOD is about productivity and have
completely ignored the cost structure are playing with a blank check," says Aberdeen analyst Hyoun Park.
This is a splash of cold water on the hot
was supposed to get CIOs out of the vicious hardware-buying cycle, or at least offset costs.
Case in point: Cisco's cost savings from BYOD are in the neighborhood
of 17 percent to 22 percent. "We don't pay for it, and our users are happier," Lance Perry, Cisco's vice president
of IT, customer strategy and success, told attendees at the Consumerization of IT in the Enterprise Conference and Expo in San Francisco last month. "Isn't that a good thing?"
But Cisco is the exception, not the rule.
BYOD's dirty little secret is that most CIOs aren't seeing cost savings. In fact, mobile BYOD often costs more in the long
run than company-owned mobile devices.
So where's the money going? Here are five hidden costs in mobile BYOD.
Hidden Cost: The Monthly Premium Hit
Traditionally, CIOs haven't had much to do
with mobile devices. But mobile devices have become strategic lately and thus have fallen into the CIO's purview. This means
many CIOs are probably not familiar with a wireless expense management cost structure, which is extremely complicated.
"They approach BYOD from a limited perspective,"
A company can
purchase hundreds or thousands of smartphones and receive a volume-discount rate, including some free replacements. Under
a BYOD program, a company doesn't get these benefits. However, this isn't a big deal since employees are paying out of pocket
for the hardware anyway.
problem really comes into play with the wireless service. A company that chooses to own mobile devices can buy services in
bulk from a single carrier and increase its discounting power, whereas a consumer signing up for a two-year plan pays a much
research shows that a company
seizing a volume-discount rate and optimizing plans for certain employees spends an average of $60 per month for a smartphone's
wireless voice and data services, whereas the average BYOD reimbursement for a smartphone is $70 per month.
Hidden Cost: Expense Reports
As mentioned earlier, many CIOs aren't on the wireless management ball. These companies spend an average $80-per-month
for a company-owned smartphone, or $10 more than a BYOD smartphone. At first glance, this seems to prove BYOD's cost savings,
You'll have to tack on the hidden cost of reimbursing BYOD employees. Typically, an employee files
a monthly expense report for their wireless bill. A single expense report costs about $18 to process, says Aberdeen. Suddenly,
the cost of a BYOD smartphone bill runs around $90 per month.
It should be noted that an employee who files an expense report
with multiple expenses, including the wireless bill, will still only cost the company $18 to process. That is, mobile BYOD
expense reporting will incur this hidden cost only if the expense report was filed solely because of the wireless bill.
BYOD employees often expense their entire
wireless bill rather than itemize it. "There's absolutely no visibility into what's personal and what's corporate,"
Park says. "Even though companies may say they take care of this by putting in a ceiling or fixed expense amount, it
doesn't mean they've optimized the cost structure. It just means employees know how high they can go."
Hidden Cost: Security, Management, Data Loss, Oh My!
When a company buys mobile devices in bulk, it can set up a process
to automate deployment and management in a scalable way. In a BYOD scenario, an IT person has to input each individual device
into a system, punching in phone numbers, IMEIs (international mobile equipment identity), and employee information.
Aberdeen doesn't provide
a cost to this labor-intensive practice. Nevertheless, "It's a pretty realistic pain-point for a company dealing with
BYOD on an ongoing basis," Park says.
Then there's a boatload of security and compliance costs associated with mobile BYOD. Typically,
BYOD brings iOS iPhones and iPads into BlackBerry shops. This means CIOs will have to invest in a multi-platform mobile device
management solution and other software, maybe even a VPN (virtual private network) layer.
"The cost of compliance--ensuring governance,
risk management and compliance--is also more difficult when devices must be chased down individually," Park says.
One can see how BYOD could become a nightmare for CIOs. Avanade, a business technology
services firm, which surveyed more than 600 IT decision makers late last year, discovered something rather alarming: More
than half of companies reported experiencing a security breach as a result of consumer gadgets.
Hidden Cost: Who's Helping the Help Desk?
Then there's the hidden cost in help desk
With BYOD, IT departments are caught between the proverbial rock and hard place:
IT doesn't control the actions of the carrier or the devices, yet is still being held responsible to support BYOD employees,
even if IT isn't getting additional resources to do so.
The flip side is to unload BYOD support onto employees. The thinking goes, they are on the hook to repair their own personal devices.
Got a problem with your iPad? Head to the nearest Apple Genius Bar.
As BYOD becomes more pervasive and mission-critical, this kind
of self-service won't hold up. "You don't really have control of the device and data if employees are solely responsible
for managing the device," Park says. "At that point, the company has abdicated control of some of its assets."
Bottom line: CIOs will
have to invest in help desk support for BYOD.
Hidden Cost: Multi-Platform, Multi-Department
Let's face it, mobile
BYOD means more platforms to develop apps for and support. Sure, many CIOs don't allow reportedly leaky Android devices into
their BYOD programs. Nevertheless, BYOD may eventually lead to internal, native iOS app development for both the iPhone and
cost of internal app development can rise dramatically with BYOD. Companies that "go native" must invest in each
platform in the BYOD portfolio.
BYOD not only requires multi-platform support but multi-department support, too. "BYOD requires significant
cross-departmental overhead to ensure that everyone involved in employee administration, from HR to IT to security, is on
the same page," says Rainer Enders, CTO Americas for NCP engineering, a VPN solutions provider.
When a BYOD employee gives notice or is terminated,
HR and IT must work quickly to de-provision the personal device off the corporate network, Enders says. This process is much
easier if the company owns the device. Another cross-departmental concern arising from BYOD is when a part-time employee or
contractor wants to connect their device to the network.
It's likely a company will have to invest in, say, a liaison or some other
multi-department communication process to handle BYOD issues.
(hidden) High Cost of BYOD
All tallied, BYOD doesn't look pretty from a cost perspective. A typical mobile BYOD environment costs 33 percent
more than a well-managed wireless deployment where the company owns the devices, according to Aberdeen.
"Despite all the talk about BYOD being cheaper, that's
not what is actually being deployed," Park says.
The rapid-fire spread of mobile devices being used by enterprise employees can be a huge boon for businesses in productivity and
customer service gains, but those advantages don’t come without a price.
The inherent flexibility and freedom to get business done anywhere, anytime, also
makes it much harder to maintain the security and control of corporate data when employees are accessing and storing business
information on their smartphones, tablet computers and other mobile devices. And the rush of new devices never seems to end,
making it hard to stay out in front of innovations.
“Enterprises must plan now for the mobile devices of the future that they don’t even know of yet,” says
Kevin Benedict, principal analyst at Netcentric Strategies LLC in Boise, Idaho. “So you build an infrastructure that
says it doesn’t care what devices are on the end of it and you have a framework that you just plug into.”
Getting there isn’t easy, however.
One approach that can make implementing a mobile workforce easier — or at least consistent — is through mobile device management (MDM) strategies that can help enterprises address all related mobile issues in a top-to-bottom approach.
Among the challenges that an MDM strategy
can help with: Which mobile devices to support,
whether to allow employees to choose and bring their own devices into work, and how to handle security for mobile devices,
including whether to have remote data wiping capabilities for lost or stolen devices.
Policies about devices
One of the first decisions to make with
an MDM strategy is to figure out which devices your employees will use and whether the individual or the company will pay
At New York-based
Edelman, the global PR firm, most of the 3,800 employees use RIM BlackBerries, unless they have a compelling work-related
reason to use something else, says John Iatonna, the vice president of information security. Those cases are decided individually
by business managers -- workers can be allowed to use iPhones or iPads
if needed for the work they do, but RIM devices are Edelman's enterprise standard mobile devices.
There are two reasons Edelman prefers
using corporate-owned BlackBerry devices, says John Iatonna, the PR firm's vice president of information security. First,
the firm can negotiate more competitive pricing through its relationship with its enterprise phone carrier and second, it
can maintain tighter management and security compared to other devices.
"It's much easier to get hold of and track your BlackBerries than
it is [other types of] smartphones," Iatonna says. "We do have an Apple and Android population, but those
devices weren't designed with an enterprise environment in mind."
"BlackBerry Enterprise Server (BES) is a much more developed and mature enterprise
MDM system than the other smartphone MDM vendors," Iatonna said. And even though RIM has been losing market share to
other vendors, its products and enterprise-level security capabilities still offer the best answers for Edelman's needs, he
For its part, SAP
AG, the Germany-based software vendor, began its mobile workforce project in 2010, says global CIO Oliver Bussmann. At the
time it included some 14,000 SAP-purchased Apple iPhones and iPads, and personal iPhones or iPads for another 500 users, who
The first employees to be brought into the mobile strategy were workers in the development organization, followed by executives
and the entire global sales force, he said.
The reason for that specific order of rollout, Bussmann explains: "We made the development teams that were building
the apps test them as part of the process." Then, "executives demanded solutions quickly after that and then drove
direction to focus on sales and other field resources."
Starting this past January, SAP expanded the program to also include more than 500 SAP-purchased
Samsung Android Galaxy SII smartphones and Galaxy Tab 10.1 tablets, with more to be deployed by
employees who request them based on a compelling business reason.
"Our strategy is to be device
agnostic," Bussmann said. "The IT organization has to be in the driver's seat. If the CIO doesn't embrace the mobile
trend, then the business organization bypasses the IT organization and that's not a good thing. Then it's being done without
control and security and that can have an impact potentially on the company."
Centreville, Va.-based Carfax uses a blended approach, with some workers using
company-issued iPhones and iPads and others using their own Android devices, says CIO Phil Matthews. "We allow other
employees to use a BYOD (bring-your-own-device) approach where it works better for them or where they want to keep their device
on their personal mobile plan."
The company's 400 field workers use devices that are company-provided or paid for through reimbursements. "We
actually wanted people to have a consistent experience, so we chose iPads and iPhones as our main devices, but some people
wanted Android devices" and are allowed to use them, he says. Workers previously carried laptops and printers along with
BlackBerry devices, but productivity rose with the iPads and iPhones, he explains. "Our sales reps can complete more
activities with the iPads and iPhones and we can provide them with mobile applications that allow them to collaborate much
more easily than in the past."
Jacobs Engineering Group buys the devices for employees but requires workers to
pay for their own monthly data plans, says Cora Carmody, Jacobs' senior vice president of information technology.
Cora Carmody, the senior vice president
of information technology at Pasadena, Calif.-based Jacobs Engineering Group, says her company looked at mobile devices from
a different angle -- that of expense management. As the recession took its toll, Jacobs continued to look for ways to cut
costs until finally the cellphone bills of some 45,000 workers became an enticing target, she says.
The company had acquired several other businesses and was
bringing in new users who all had different mobile vendors and devices, so the IT group decided to look at it and find better
ways of making it work.
The answer was what Jacobs calls "wireless divestiture" -- in other words, buying the devices for workers but then requiring
workers to pay their own monthly bills. Workers are given calling cards for travel and can also expense extraordinary calls
if needed, Carmody explains.
has saved about $15 million annually since reorganizing its mobile device strategy, Carmody says.
At first there was some grumbling about the new strategy,
Carmody admits. But the company met with mobile vendors to work out good deals for employees when they signed up for new service
contracts, so because the financials were in their favor, employees started gradually accepting the new arrangement over time.
"You can expect some
complaints and backlash at the start," she says, "but we are also pleasantly surprised that some people recognized
the new choices that they had" in terms of different types of service contracts -- "and appreciated that."
Jacobs worked up front
with mobile vendors to obtain discounted rates to allow employees to move to whichever carrier and plan fit their usage and
travel patterns best, according to Carmody. "Previously employees were carrying two devices; one for Jacobs support and
one as their own personal device." By consolidating to one device, employees' mobile situation has been simplified considerably.
Keeping company data safe
Security at Edelman includes requirements
for passwords that are as secure as possible, Iatonna says. That means that all smartphones and tablets must use passwords that
are complex and include a minimum number of characters, along with mandatory data encryption. After a certain number of unsuccessful
passwords are entered, the device automatically resets and erases all data. This situation hasn't happened yet, he says.
Another piece of advice, from Jacobs'
Carmody: Be prepared to confirm for users that any devices they are considering can meet both the security and work needs
of the business. "That gives people the freedom to do what they want to do while protecting company security," she
says. "It's one of those building blocks for the idea of bringing your own technology to work."
In general, the company allows Jacobs email to be viewed
on personal devices, while all other key corporate applications can be accessed only via the Jacobs corporate portal. "This
provides a high measure of security for managing corporate data and eliminates the need to help end-users manage data volumes
on their personal devices," Carmody explains. "We, of course, also employ stringent cybersecurity practices that
guard against access should a device be lost or stolen. Finally, we have a robust process for reporting lost or stolen assets
that ensure immediate response to protect data in those situations."
At Carfax, access to corporate data is controlled through application privileges
and passwords; users have access to corporate data and applications based on their job need and role in the company, Matthews
At Jacobs Engineering, employees are
required to sign consent forms that allow the company to perform remote wiping of all data if the devices are lost or stolen,
even personal data -- personal email, photos and games. The agreement says the company will delete it all if a device is lost
The need for
remote wiping has happened a few times, Carmody says.
"In those cases all data is lost," she explains. Jacobs works hard to educate the user population about
its corporate policy and conditions governing end-user device use. "We also go the extra step and educate end-users about
backing up and protecting their personal data" in case it has to be remote-wiped someday, Carmody says.
Some MDM tools allow devices to store
critical business data in a special, secure "container," says Chris Hazelton, an analyst with The 451 Group. Business
data is not retrievable outside of the container, and can only be accessed through rich passwords and other access protocols,
making it much more secure. It can also be removed remotely by the business if the device is lost or stolen, without removing
a user's photos, contacts and other personal information.
Both Edelman and SAP use this technique; Edelman uses AirWatch to perform selective wiping
of enterprise data, while SAP uses its own Afaria application, which can wipe just the corporate data and leave the personal
information alone, according to Bussmann.
A sampling of MDM vendors
The list of vendors in the MDM marketplace is ever-changing
as companies continue to roll out features and new products to help make mobile tech both easier to manage and more secure.
Here is a sampling of some of the major commercial vendors that are making noise in the emerging field of mobile
device management, according to industry analysts interviewed for this story.
Apperian Mobile Application -- Mobile, secure application
Mobility Management -- promises "centralized, automated control of all mobile devices and tablets"
Citrix Receiver -- Access to corporate data from "any computing device," Citrix says, along with an enterprise app store.
Good Technology -- A suite that includes access to email, calendar and intranet-based apps, as well as the means to build an internal applications store.
Kaseya Mobile Device Management -- Policy-based management tools for mobile devices (phones and tablets).
Mobility Management -- Discovery, inventory and the ability to remotely wipe devices.
-- Multiplatform device management with security that works even on employees' personal phones, the vendor claims.
Mocana Mobile App Protection (MAP) -- Shuts down virus and malware attacks against smartphones, the vendor claims.
Novell ZENworks Endpoint Security Management -- Encryption, the ability to disable removable storage devices and firewall features in
Nukona -- Now part of Symantec, this product promises to securely deploy and manage both Web-based apps as well as native smartphone software.
PartnerPedia Secure Mobile App Management -- Allows corporate IT to control the publishing, distribution and management of approved applications to end-user devices.
One of the biggest support challenges for Edelman's
IT team, Iatonna says, is when employees do get permission to use personal iPads or iPhones for their jobs. The difficulty
then becomes educating users that their personal photos, emails and other data could be lost in the event a remote wipe is
needed on those devices.
"You have to make sure that the level of support is defined so that you are not responsible for personal data
loss," Iatonna explains. "The way that we've tried to mitigate that is that if you want Edelman data on your personal
device you have to agree to have the MDM software installed on it and you need [to sign] a waiver as well."
Edelman employees weren't used to that
level of control and they were uncomfortable with it because it involved their personal devices, he says. "People said,
'Well it's my phone and you can't expect me to enter a password and have a screen lock after five minutes.' It was always
discussions like that."
meant getting users to come around to accepting a new sensitivity about the data on their phones, he says. "It's a balance
of privacy versus the company's security. People are very unaware of the risks that are posed with the smartphones right now,"
including hacking, data capture and other security threats with smartphones. Users are typically not thinking about those
kinds of risks when they use the devices.
Remote wiping and similar security measures are also used at Carfax, Matthews says, and employees are notified that
data wipes can be performed if the devices are lost, stolen or used inappropriately. At the same time, he says, the company
also wants to give its workers some freedom to use their devices responsibly.
For instance, Carfax allows employees to use the devices for non-work-related things
like watching videos on the road, he said. "People will definitely do the right thing" and not abuse their freedoms
with inappropriate behavior and usage, he says. "You just need to give them some guidelines and that's what we've done
One of the biggest
pain points when it comes to MDM is time pressure because, with mobile devices, there is always something new and different
to cope with, says SAP's Bussmann. And there can be a lot of need for IT support.
When SAP began its mobile deployment project in 2010, demand from workers was already
high, starting with the first controlled deployment of 1,500 devices, he explains. To cope with this, the company decided
to provide the initial user support for those first devices via Web 2.0 using wikis and online help portals. This was a method
to reduce demands on the IT teams and give users the help they needed on demand, he said.
It was just the right approach.
"We had only two or three months to enable those devices
so we didn't have time for setting up traditional support," Bussmann says. "You look at the Apple devices. There's
no big menu there to operate them; they're very intuitive. This approach is similar to that."
At first, Bussmann admits, he wasn't sure that users would
accept this non-traditional help system. "To be honest, I told my guys that I'm not sure the users are going to go for
that. But there's been a change of user behavior, definitely."
At Edelman, one of the biggest challenges
of the MDM strategy has been that the target is constantly moving, Iatonna says. "It's not possible to have a solution
for every smartphone out there because there are so many models. You can't have the resources for all of it." Their answer
is found in AirWatch, which covers the bulk of the devices on the market and reduces the company's risk to an acceptable level,
at several different MDM vendors before choosing AirWatch, he says, but one of the biggest lessons he learned was that the
marketplace is relatively immature. "There's a ton of people rushing to market right now. Often times what I was seeing
from vendors was a significant gap between what is promised and what is actually available as a real feature in a product.
Maybe that's a reflection of how quickly the handset market is changing."
When employees do come in with their personal tablets or other devices and want
to use them for their jobs, it's also important that workable policies are in place for things such as support expectations.
Users may want device support in areas where a company isn't able to provide it, so those things have to be discussed
ahead of time, he said. "The waters are still very muddy," Iatonna says.
MDM lessons learned
Examine how your MDM usage policies will be viewed wherever your company does business,
from state to state in the U.S. and in other nations, says Jacobs' Carmody. By asking employees to pay for their mobile bills
or devices, you might be affecting changes in employment contracts that could require further reviews with labor unions or
other agencies, she explains. If it's not in an existing contract as part of their employment, then you have to follow the
contract as it is, she says, especially in locations including Europe, where contract changes are harder to complete.
Another good idea: Put policies into place that lay out which applications will be approved and permissible on employee devices
so users can get support as needed, Carmody suggests.
In the larger scheme of things, your MDM deployment could even help you as IT moves more toward the cloud and the possibility of virtual desktops for workers, Carmody
says. The lessons you learn -- especially about mobile security -- today can help you with such future initiatives, she explains,
so be sure to share that information broadly within the IT team.
At Carfax, one unexpected benefit of the move to more productive mobile devices has been
that some workers are now using them instead of their previously issued laptops, Matthews says. "This year I expect that
some workers will tell us that they don't need their laptops anymore," which will have the side benefit of simplifying
maintenance and support for the IT staff, he explains.
One lesson has become very clear, according to Matthews. "Don't let your fears keep you from trying things,"
he says. "You will see different ways to reach out to customers that you wouldn't have seen if you didn't look at these
example, he says, "We have created mobile sales and marketing applications that allow our field reps and customers to
have much more valuable conversations with more real-time information," including customer-specific data. "This
allows our reps to be much more effective and efficient in how they manage their activities and customers."
In addition, make sure you have a real
long-term strategy and understand your needs before you start the project, Netcentric analyst Benedict says. "Don't even
bother to implement mobile technology if you don't have a mobile management strategy -- it will be totally wasted."
The way to do that is to become fully
educated in what's possible, Benedict says. "Go to big conferences, view webinars, read books and bring educators in
to teach and show what's available. Don't build a strategy based on your limited knowledge." Learn about what is possible,
MDM can still get better
management applications have come a long way in the last year or so to help enterprises, says the 451 Group's Hazelton, but
there's still more that can improve.
Today, the big needs are managing the devices and handling email, but enterprises are already looking ahead to provide
custom provisioning of applications and data to the right people in their organizations so the entire mobile environment can
be more secure and more easily managed, Hazelton says.
One other enterprise need that's seeing progress is the creation of private application stores that are providing
analytics apps and management tools for mobile enterprise applications, Hazelton explains.
"There's definitely a lot of demand for MDM," he
says. "It really answers a pressing pain point for IT departments." But so far, only about 20 to 25% of the marketplace
has such strategies in place for iOS and Android devices, based on his research. The numbers are certainly higher for BlackBerry
users, he explains, because those devices have been around longer and use RIM's enterprise-ready applications.
"It's most exciting," he says.
"You have all this energy around smartphones and enabling them. Enterprise mobility is here for the rest of our careers."
Overall, Carfax's Matthews says, "we
tell our employees that it's all one life and you can manage it however you want to do work and your personal stuff. We get
a lot more out of employees that way. I think they're happy personally because they don't see this device as tethered to them
and they can do other things in between work assignments."