Executive Summary .................................................................................................. 2 Corporate Liable, BYOD, CYOD, CLEO, COPE Defined ...................................... 2 Key Challenges ...................................................................................................... 3 Recommendations ................................................................................................. 3 Dont Ignore BYOD .................................................................................................... 4 Do Consider Legal Matters for BYOD ....................................................................... 4 Dont Think in Absolutes ............................................................................................ 5 Dont Expect to Save Money ..................................................................................... 6 Do Budget for Additional Complexity and Security Costs ......................................... 7 Why Are Costs Rising? .......................................................................................... 7 Do Consider What Capabilities You Need ................................................................ 7 Enrollment, Program Management and Expense Control ..................................... 8 Security .................................................................................................................. 8 Applications ........................................................................................................... 8 Policy Enforcement ................................................................................................ 9 Next Steps ............................................................................................................. 9 Conclusion ................................................................................................................. 9 Research Notes ....................................................................................................... 11 Recommended Reading .......................................................................................... 11 About TEMIA ........................................................................................................... 12
Copyright 2013 TEMIA P a g e | 2 www.temia.org Executive Summary
Consumerization of enterprise IT promises to lower costs, increase agility and produce other benefits. Increasingly, consumer technology sets the agenda for the workplace. This trend is driving employees to demand Bring Your Own Device (BYOD), Choose Your Own Device (CYOD), Corporate Liable Employee Owned, (CLEO), and Corporate Owned Personally-Enabled or COPE programs.
Corporate Liable, BYOD, CYOD, CLEO, COPE Defined
Corporate Liable with this approach, the employer is responsible, or liable, for the expenses on the bills. While this paper focuses on BYOD and other approaches some employers are seeking to maintain the integrity of corporate liable strong programs. Upgrading an existing system would include call tagging so employees can identify their personal and corporate calls and contacts. This information can be used for employee payroll deductions and reimbursement. Call tagging is critical for Value Add Taxes (VAT). It is necessary for firms to show demonstrable auditing that personal use is not permitted and private calls must be accurately demonstrated so that they can be deducted from VAT reclaim. Another option is using a dual SIM device one for personal and one for corporate, on the same device. A dual persona configuration can distinguish between corporate and personal use.
In the context of telecommunications, BYOD is any device (smartphone, cell phone, tablet, notebook or PC) or application (mobile app, cloud based application or ) that accesses corporate networks through the use of telecommunications services. The corporate network includes corporate internets, corporate intranets and carrier services purchased by the corporation, local networks, guest networks or core networks with SIP or VoIP services that are controlled by enterprise, ISDN or next generation MPLS services.
Choose Your Own Device or CYOD is similar to BYOD, but it implies that employees can only use devices and applications from a list that their employer has approved.
Corporate Liable Employee Owned or CLEO is an IT business strategy where employees own devices, which are paid for by the employer. Ultimately, the employer is responsible or liable to pay the contract for monthly services.
Corporate Owned Personally-Enabled or COPE is the opposite of BYOD. Instead of making corporate functions work on personal devices, COPE enables personal use of company devices for personal activities including social sites, e-mail, calls, etc. Employers provide employees with devices and applications and the company maintains ownership. It is able to leverage volume discounts for purchase of the devices, services and management. The employer also has more control to secure devices.
Copyright 2013 TEMIA P a g e | 3 www.temia.org Of the four alternatives to corporate liable, BYOD is the most widespread and impossible to ignore. TEMIA members report that 48% of their clients have adopted it and another 20% are evaluating it. BYOD also presents a contradiction. It would appear to release employers from expenses providing and managing devices and applications, but it doesnt. TEMIA members have found that for clients that implement a BYOD strategy, 69% report that costs are either rising or about the same.
Key Challenges Internal politics create an environment where it is difficult to properly address BYOD challenges. Most organizations will have more mobile devices that access their corporate network than PCs. BYOD programs present new challenges for security, employee privacy, legal considerations and lost productivity as employees deal with technical problems and runaway expenses.
Recommendations Control is still necessary, but an all or nothing approach is not possible. Employers must update their mobile policy to specify: who is eligible, what devices and applications are permitted to access the network, when, where and what data employees can access with BYOD. TEM, WEM and MDM programs can help manage BYOD programs by automating efforts to determine eligibility, program enrollment, tracking devices, applications that employees want to use and sign-off to abide by BYOD policies. With constantly changing consumer technology, managing BYOD isnt a one- time job. Companies need a combination of technology and resources to identify when employees fail to comply with BYOD rules.
This paper provides insights into the challenges of BYOD for telecommunications devices and applications with a prescription of dos and donts. Readers will gain knowledge of the specific recommendations for managing expenses, security, privacy, employee productivity, technical issues and more.
44% 25% 25% 6% spending on mobile telecom services are rising costs are about the same unable to track BYODs impact on costs costs going down 69%
Copyright 2013 TEMIA P a g e | 4 www.temia.org Dont Ignore BYOD
Employee demand for BYOD is identified by 45% of respondents as one of the primary reasons for implementing it. The other key drivers reported in TEMIAs survey include desire to reduce costs, with 43% of enterprises seeking to reduce hardware and service costs and 13% of enterprises seeking to reduce mobile support and staff hours. With employees demands, ignoring BYOD is not an option.
Employees may simply bypass official corporate policy and use shadow technology that has not been approved. Managers cannot ignore threats from security risks, theft of intellectual property and runaway expenses from BYOD. Everyone is an expert at thwarting corporate policy. So managers need to learn the ways which employees at different locations or divisions are circumventing corporate policy to use personal devices and applications at work.
In addition, employers are ultimately responsible for protecting intellectual property. The United States, Australia, Britain, France, Germany, Ireland and Spain either have or are developing stiffer enforcement and penalties for breaches resulting in exposure of personal information. Spain can impose fines up to !600,000. Frances cap on fines is !150,000 for a first offense, plus five years in prison. German data fines can reach !250,000 and in the United Kingdom, fines are unlimited. Japan imposes fines of 300,000 yen and up to six months in prison. Google and Facebook face fines up to $1.1 million and other sanctions for privacy lapses under Australian privacy laws.
BYOD programs raise new concerns for CEOs and CFOs of public companies that need to attest to the adequacy of their U.S. Sarbanes Oxley internal controls. Financial and medical records also have special safety protections. BYOD programs also raise issues for firms with employees that may have health care records on their devices. The Department of Health and Human Services is conducting audits for compliance to HIPAA and HITECH. Massachusetts General Hospital settled a patient-privacy complaint for $1 million after an employee left patient records on a subway car.
Violating data privacy law imposes costs beyond financial penalties. Firms face damage to their reputation and loss of business for data breaches.
Do Consider Legal Matters for BYOD
Legal Matters Blurring of personal and private information on employee owned devices and applications raise new legal matters. What happens if the IT staff needs to get corporate data from an employees personal device and they discover intellectual property employees should not have? What if there is evidence of a crime or inappropriate photographs? Does the IT team have permission to conduct e-discovery on personal data? Are findings admissible in court? Is this a violation of employees privacy rights? Is the company responsible if a terminated employees personal data is deleted when their device is remotely wiped?
Copyright 2013 TEMIA P a g e | 5 www.temia.org Getting legal counsel involved in the planning stages of BYOD policy updates and throughout the roll-out address legal issues. The right approach balances risk and convenience with corporate culture and willingness of executives to support it. Mobile policy must define what employers are allowed and not allowed to do, and what happens if employee owned devices have inappropriate material.
BYOD policy should also clearly identify who is eligible, what devices and applications are permitted to access the network, where and when they can access it and what data employees can access. Managing BYOD programs requires technology and people to identify when employees fail to follow the rules and the consequences. This can range from ending employees BYOD eligibility to termination.
Dont Think in Absolutes
BYOD does not have to be an all or nothing proposition in which all or no employees are eligible. TEMIA members report that for clients that implement a BYOD strategy, 88% have adopted a hybrid approach with some employees that continue to have a corporate liable program and some that are eligible to use their own device under an individual liable, CYOD or CLEO program. Only 12% of enterprises are transitioning all employees to a BYOD or CYOD program.
There are three primary reasons for these hybrid programs. First, corporate ownership with a common platform and standardized applications provides better control for employers that need to protect critical intellectual property or sensitive customer material on employees devices or applications. Second, corporate ownership may also avoid the perceived blurring of personal and private data ownership with these employees. Finally, employers are also adopting hybrid programs because they want to offer flexibility to those employees who have not been eligible for corporate paid devices and are not likely to have sensitive material on their devices that may benefit from BYOD programs. At the same time, these employers are recognizing that BYOD, CYOD and COPE, CLEO programs may lead to higher costs.
12% 88% All employees moved to BYOD program Hybrid some corporate liable and some BYOD
Copyright 2013 TEMIA P a g e | 6 www.temia.org Dont Expect to Save Money
Justification for BYOD programs usually start with cost savings from shifting costs to employees for devices, carrier service charges, applications, management of security and help desk functions. These savings are proving to be elusive. TEMIA members find many enterprise clients are actually spending more after implementing BYOD programs.
First, in most organizations, only a select group of employees is eligible for corporate liable or employer paid services and devices. These are typically executives, field service personnel, sales people and other road warriors that need mobile devices to do their jobs. With BYOD, people who previously were not eligible to have a corporate paid device are receiving reimbursements or stipends for their expenses.
A second development is the shift of charges back to employers on expense reports. Since the monthly charge is small, no one questions when employees slip it into an expense report. Mobile expenses in BYOD programs do not have the oversight of a TEM or WEM program. Corporate managers that sign off on expense reports lack the tools, expertise and time that are needed to effectively scrutinize mobile expenses.
For enterprises that implement a BYOD strategy, TEMIA members report that only 5% of firms do not reimburse employees for their monthly service fee expense. The majority, 95% either provide a fixed stipend (63%) or allow employees to be reimbursed through an expense report (32%).
A third reason for rising costs with BYOD programs is an increase in the charge per employee. Many employees are selecting more expensive plans with unlimited or bigger allotments of voice and data services to avoid overage charges. These plans are more costly compared to corporate pooled plans and plans with smaller allotments, which are more appropriate for employees business needs. Employers are also likely to incur higher expenses when employees travel internationally because they may not proactively obtain the best service plans or they dont have the knowledge to do it ahead of time.
63% 32% 5% Employee receives fixed stipend Employee is reimbursed via expense report Employee is NOT reimbursed for monthly service fees 95%
Copyright 2013 TEMIA P a g e | 7 www.temia.org Do Budget for Additional Complexity and Security Costs
Additional complexity from more devices, operating systems and security risks present new challenges that managers at all organizations need to plan for in their budgets. Malware and viruses on smartphones are increasing. Spyware can steal personal information and send it to third parties, malware dials premium 900 numbers and viruses plague devices. Costs to provide security and help desk support are higher than expected as more employees use a wider range of devices and applications. Trying to solve BYOD problems with endpoint protection software, policy enforcement, data leak prevention software and runaway expenses may work for most corporate IT, but it doesnt work with telecommunications. BYOD programs for telecommunications present thousands of variations of smartphone operating systems and applications.
Why Are Costs Rising?
Do Consider What Capabilities You Need
Common misconceptions for BYOD mistakenly promote the belief that enterprises are free from managing expenses, security and policy enforcement. When employees use devices and applications for work, it is natural for them to charge the costs back to employers on expense reports. In addition, there are security risks when employees connect their own devices and applications to corporate data and access it anywhere.
Employers can try to mitigate security risk by limiting what employees may access and providing dedicated servers for BYOD e-mail. They may also try to limit the BYOD program to employees who are unlikely to access intellectual property or sensitive customer data. Ultimately, the old approach of creating a wall around corporate data is dead. Employers can also expect loss of employee productivity when employees BYOD devices or applications are exposed to security threats and they have technical problems.
50% 60% 30% 0% 50% 100% More complexity, more diversity with devices, iOS New and increasing security challenges UNRELATED to BYOD Additional security challenges with BYOD More devices to manage
Copyright 2013 TEMIA P a g e | 8 www.temia.org The BYOD phenomenon creates problems which require consideration of new capabilities, which can be grouped into three main categories: enrollment, program management and expense control security policy enforcement
Enrollment, Program Management and Expense Control TEM, WEM and MDM programs can help manage the transition to a BYOD program and on-boarding of new employees. Deployment of new devices isn't a one-time job. A web portal can automate the process for tracking employee eligibility, program enrollment, applications, devices, and sign-off that they will abide by BYOD policies.
Employers gain better visibility for all telecom expenses with stipend reporting when TEM WEM and MDM programs are integrated with BYOD programs. Interfaces with accounting systems can gather information from employees expenses to identify what is allowed and what cannot be expensed.
Employers may also wish to consider a system that alerts employees and telecom managers when consumption of a data or voice plan is close to its monthly allotment or other capabilities to manage international roaming charges. Finally, look for reporting that can identify when new devices are provisioned, apps which are out of compliance and devices that have not checked in after an extended period of time.
Security Smartphones and tablets like PCs, and data that resides on those devices, must be protected. There are a several areas of vulnerability. One is the physical loss of equipment, when an employee leaves it somewhere or it is stolen. The second security risk includes spyware, malware and viruses. This can result in a network of devices programmed for malicious activity such as stealing data (customer credit cards, patient records etc.) or crashing a corporate network.
Every device manufacturer supports encryption, but the levels differ. Some MDM providers have the ability to encrypt specific files, folders or company data. Also, providers can now place corporate data and applications in a secure environment or sandbox. Partitioning allows employees to separate work and personal items.
Some MDM providers are offering browser security. Mobile web browsing can be filtered to lower the risk of attack on a device. Web filtering tools can block access to potentially dangerous or non-work-related websites. Intrusion-prevention software tools can block network access for noncompliant devices. In addition, some security now helps screen devices for malicious apps.
Applications Some apps every employee should have. Others must be banned. Application filtering with white lists and blacklists can control this process based on the device and operating system. Enterprises may want an application store for in-house custom apps and preferred apps, In addition, Apple's and Google's approval processes might take too long or there may be reasons to avoid releasing an app in a public app store that competitors can view. MDM support for installing custom apps and setting up a company app store experience will be important as well.
Copyright 2013 TEMIA P a g e | 9 www.temia.org Policy Enforcement Before managers update their mobile policies, it is necessary to learn the ways which employees at different locations or divisions are circumventing the program. An enforceable policy can help secure corporate data on personal devices. This may require a policy to lock devices after several failed attempts at a password and a kill switch that can remotely wipe the data if a device is lost. Some MDM providers are introducing data monitoring capabilities that provide reporting on what data is moving to and from the device.
Location capabilities with Geofencing, can detect when devices leave certain geographic areas and take action to secure them (such as locking or remotely wiping data on the device). In some cases, a camera can be locked when employees are in the office or other locations and released for personal use when they are home. Unfortunately, privacy laws add complexity for firms in some countries that prohibit location tracking and use of these features.
Next Steps Decide how many forms of BYOD that you will support Determine the device scope: Will the BYOD program support tablets, smartphones, PCs, applications or a combination of these items? Will the BYOD program apply to a secondary device, or is it for users primary devices as well? Consider the benefits of supporting a mix of enterprise-liable, bring-your-own and hybrid models. Determine when, how, and how much you will subsidize business use of personal devices. Working with HR, your legal department and your corporate risk organization, understand how tax, privacy, legal liability and labor relations impact the program. Determine who qualifies for a usage subsidy and how it will be paid (allowance, stipend, voucher or reimbursement program).
Conclusion
Where does your company stand on BYOD today? If you do not define a BYOD policy, employees will bring their personal devices and applications to work. A SANS Institute IT Survey identified that 91% of respondents were not fully aware of mobile devices on their network. Tools are necessary to ensure that employees do not bypass official corporate policy and use shadow technology that has not been approved.
Mobile devices and PCs are often considered together for BYOD considerations, but the challenges and how they are used are quite different. PCs can function as stand-alone devices that are not networked, while mobile devices are part of a dynamic, real-time collaborative ecosystem. Nearly all of their value comes from connectivity.
Copyright 2013 TEMIA P a g e | 10 www.temia.org The lifecycle for smartphones and tablets is a relatively short period of 12 to 18 months. With the flood of new consumer devices coming to market and short lifecycle, implementing BYOD is not a one-time job. Each new product needs to be tested to determine its security risks. Managers must define their security controls, management controls and provisioning and de-provisioning or retirement process.
It is easy to get distracted in reviewing new offerings, or other functionality that might be cool and interesting. Keep these in mind, but begin with your specific users because new features and offerings may solve completely different needs and goals for other users. Determine what problems or needs you need to solve. Invest in a sustainable user- centric approach.
Balance strategic and experience objectives. Also, consider the potential economic impact (both positive and negative) in adopting a BYOD policy. Consider the use case and how employees will use different devices, data and apps. As TEMIAs survey found, most organizations are using a hybrid model for individual libel and corporate liable rather than an all or nothing approach.
Managers should also be sure to factor all the costs to support multiple platforms. Placing limits the number of devices and applications that employees can use will help limit the security risks and costs of the program. This is where a CYOD program that limits the number of approved devices and platforms may be more realistic compared to a free ranging BYOD program that allows employees to bring any device. The key is to find a balance between employee demands for choice, freedom and privacy with corporate concerns for control. Too much control will lead employees to circumvent the system and limit its effectiveness.
A smart BYOD program will find the right balance while addressing security, concerns for theft of intellectual property and runaway expenses. These risks may be lower for employees who are less likely to have valuable information on their device. The incremental costs of BYOD for these employees may be lower than it would for executives and other employees who require higher levels of security. This sort of calculation is the basis for determining which employees should be eligible to participate in a BYOD program. These considerations can also help determine standards for which personal devices and applications they can use.
Once these decisions are made, create a policy and determine the capabilities that are needed to manage the program. BYOD policies should not be overly restrictive. They must align with corporate culture. To address the challenges, include education, mobile policy, and technology that is backed by subject matter experts. In addition to understanding how it will work, employees need to recognize the consequences if they fail to comply with policies. They should also know that tools are in place to help enforce mobile policy and monitor compliance.
TEM, WEM and MDM programs can help manage BYOD programs by automating efforts to determine eligibility, program enrollment, tracking devices and applications employees want to use, and sign-off to abide by BYOD policies.
Copyright 2013 TEMIA P a g e | 11 www.temia.org Financial executives need to see beyond the hype and recognize the true costs of supporting BYOD, managing compliance, security risks device and monthly service plan reimbursements and rogue expensing of charges. All of this may make a BYOD program more expensive. After BYOD is debunked as a cost saving initiative, managers may find that there are still compelling reasons to move forward with the program for some employees. Some organizations may want to give their employees more freedom and others may see increased worker productivity.
One of the biggest surprises is that organizations need to budget for BYOD programs. As these programs evolve, organizations are beginning to realize that they need to plan for the extra effort that BYOD, CYOD, and CLEO programs require.
Research Notes
The TEMIA research findings in this paper came from a survey of members which was conducted in December 2012 through January 2013. TEMIA members are well positioned to provide insights because they manage over $61 Billion in telecom spend for thousands of global organizations.
We welcome your feedback on this document, at info@temia.org.
TEMIA has authored this paper. TEMIAs mission is to raise awareness and knowledge of the benefits of Telecommunications Management solutions, to improve the quality and value of solutions through the development and promotion of open industry standards, and to cultivate shared industry knowledge among Solutions Providers, business partners, telecom service providers, and enterprise clients. TEMIA is a nonprofit association, which receives its funding primarily from Solution Providers.
Recommended Reading
Readers can access TEMIA reports online: www.temia.org/resources/download-reports.
Adoption of Telecommunications Management as a New Industry Term
TEM RFPs - Guide to Evaluating TEM Solutions
A Call to Action: Overcoming the Conundrum of Telecom Invoices and Electronic Billing
Your Exceptional TEM Program: Best Practices for Sourcing Using TEM Metrics to Improve Performance
Your Exceptional TEM Program: Best Practices for Enterprises and Suppliers that Raise TEM Performance through Key Performance Indicators and Industry Standards
Copyright 2013 TEMIA P a g e | 12 www.temia.org
About TEMIA
TEMIA is the authoritative voice for Telecommunications Management, Telecom Expense Management, TEM, Wireless Expense Management, WEM, Mobile Device Management, MDM, Mobile Security, Mobile Content and Mobile Applications Solutions Providers.
In 2006, many of the largest Telecom Expense Management (TEM) solution providers established The Telecom Expense Management Industry Association (TEMIA). TEMIA has redefined itself with a broader mandate to focus on Telecommunications Management. TEMIA's ongoing mission is to raise awareness, to improve the quality and value of solutions and to cultivate shared industry knowledge for Telecommunications Management, Telecom Expense Management, TEM, Wireless Expense Management WEM, and Mobile Device Management, MDM, Mobile Security, Mobile Content and Mobile Applications. TEMIA seeks to do this through the development and promotion of open industry standards, and industry knowledge among solutions providers, business partners, telecom service providers, and enterprise clients. Further, TEMIA members subscribe to a Code of Ethics, which clearly differentiates their level of commitment to their clients.
For more information about TEMIA, please visit, http://www.temia.org, contact info@temia.org, or call TEMIAs Executive Director, Joe Basili at 973 763-6265.