When it comes to mobile device policies, one size DOESN’T fit all


The thesis of the TechRepublic article Avoid using a one-size-fits-all BYOD security policy is that you shouldn’t use a single BYOD policy for everyone in your company. While a single policy is the simplest to implement, it fails in the way that a blunt tool used for every purpose does: it doesn’t balance the needs of information security with people’s productivity needs.

  • Spell out your expectations for how corporate data should be handled on BYOD devices. Talk about the needs of corporate security, recognize that BYOD devices help people be more productive, and explain how you plan to balance those needs. If you explain the “why” behind a BYOD policy, the sort of compliance you want to have, and the values you’re trying to promote, you’ll get more buy-in.
  • Set clear boundaries demarcating what’s corporate and what’s personal on BYOD devices. For certain types of apps and data, it’s easy to tell which is which: the company-sanctioned email client and company- and industry-specific apps are corporate, music and photos are personal. It’s trickier with apps that blur the line between the two worlds; for example, people use Dropbox for both business and personal purposes. You’ll have to make those calls, and they will largely depend on the security needs and culture of your organization.
  • Set clear guidelines to promote good information hygiene habits. Like any successful society, BYOD works best when participants actively “police” themselves. Specify document-handling practices for BYOD users — the example in the article says that users who edit a company document on a BYOD device should delete it from the device once it’s been edited and sent. Users who use cloud storage (Box, Dropbox, Evernote) should tag any work-related items as such so that they’re easily identified and accessible.
  • Calibrate your BYOD policies to users’ level of access. Some people are content to use their personal tablet as a “second screen” for reading and may simply want access to the company wifi. Others may want to use theirs for work-related email. I’ve seen a number who use them as email and note-taking devices at work. And finally, there are those who’ve decided to travel light and use their tablets as their primary work machines. These are different levels of access to corporate data and resources, and they call for different policies.

In InformationWeek, Paul Waterhouse compares BYOD to Botox. He points out these similarities:

  • Both are naturally occurring. BYOD naturally arose from people with clout demanding to use their favorite devices for work and tech-savvy people sneaking their favorite tools in under IT’s nose.
  • Both have therapeutic value. BYOD can re-energize a tired IT department using old, out-of-date practices.
  • Both can be used cosmetically, with disastrous results. BYOD without much forethought or preparation usually leads to half-baked implementations. Like Botox treatments done the same way, the result isn’t pretty.
  • Both have side effects if not supervised by someone who knows what they’re doing. Like Botox, BYOD has side effects — security and risk, additional telecom expenses, and “allergic reactions” from infrastructure that’s not ready to handle all those different personal devices.

Like Botox, BYOD is powerful and can be poisonous, so it has to be applied judiciously.

BYOD itself doesn’t fit all corporate scenarios. If your line of work:

  • is in a heavily regulated industry where security concerns are paramount,
  • requires mission-critical tasks to be performed on a mobile device, or
  • is as an executive with high service requirements,

…then you may be in a situation where BYOD is not a suitable option, and corporate-owned devices might be more appropriate.

COPE — short for Corporate-Owned, Personally Enabled — is a term coined in 2012 by Philippe Winthrop of the Enterprise Mobility Forum. “COPE is the mirror opposite of BYOD,” said Winthrop in the TechTarget article BYOD alternatives emerge as tablets outship PCs. “It’s taking the benefits of the consumerization of IT … while retaining the flexibility for the employer.”

The COPE approach to mobile devices is modelled after the way many companies already provide laptops for their employees. COPE devices are provided by the employer, with the understanding that the device will be used not just for work, but also for personal use: web browsing, games, music, photos, video and so on. If the devices are seen as desirable, they’ll be considered perks. Because they are company property, there’s usually less resistance to the installation of management tools and software.

Just as one approach to employee devices doesn’t fit all, one device isn’t likely to fit all needs. Microsoft’s Surface Pro tablet comes close to covering the bases of both tablets and computers, but the tiled-UI apps don’t feel as polished as their Android and iOS equivalents, and the Windows experience on Surface still feels unsatisfyingly netbook-like. For the next little while, it looks as though different use cases will call for different devices.

This article also appears in the GSG blog.