by Leigh Merz, Project Analyst
With changes to the tax code the past few years increasing the work required to account for company managed mobility plans, Bring Your Own Device policies are becoming fashionable. To paint the program with a broad brush, BYOD policies swap corporate-managed mobility offerings and devices for employees using their own personal devices. In practice, there are a number of issues to consider in the development of a BYOD policy. If your organization is interested in implementing one, it helps to have an idea of what is involved.
Determining the proper BYOD policy to implement: Many companies see BYOD as a cost-savings opportunity — wiping out the mobility budget in one fell swoop. Others see it is a productivity measure, offering their employees the chance to use the devices with which they are most comfortable. In both cases, there are fundamental questions that require consideration. Will the company be paying for the devices in addition to the voice and data and other work related features, or will the employees buy the device? Should the policy enacted be true BYOD and allow for any mobile device, or should they implement a limited BYOD policy allowing for any device on a certain platform or only those devices approved by IT.
The answer to these questions will vary at each organization. A decision on them should be made only after bringing all affected departments – finance, IT, etc. – determining the desired results, and identifying which elements of a BYOD policy should be implemented to provide a mutually beneficial solution.
Developing a Stipend Program: While the savings that come from wiping out a budget item – here, a corporate-managed mobility program — are alluring, most organizations cannot get away with requiring employees to use their devices for business purposes for free. There will likely need to be some sort of stipend. Stipends can be cost neutral or actually cost more in the end, if not planned accordingly. Stipends should be a reasonable reimbursement of expected user cost. The problems come from determining what “reasonable use” is. And, as part of “reasonable use”, how many devices per user are considered reasonable?
When we work with clients in developing their own BYOD policies, we analyze voice and data usage by department and by team as well as features like GPS and messaging, splitting users into several stipend categories based on work performed and stipend amount needed. For example, sales teams are commonly on the road and are likely to consume more voice & data on their phone and also require a data-equipped tablet or laptop. This category would therefore need a larger stipend than someone working primarily from an office would.
When determining the stipend amount, remember that corporate-liable plans generally offer considerable savings over a personal plan. Planning a stipend around corporate rates could short-change users and create problems. The data from corporate-liable plans, however, can be useful when determining the average usage of particular groups in determining stipend amount, especially when concerning the percentage to reimburse in terms of a user’s family plan.
Device Restriction: The primary allure of BYOD, for users anyway, is the ability to use any device they choose. Getting the device in hand, however, requires a number of decisions by the organization.
- Will the user purchase the device or will the company purchase, in full or in part?
- Will there be any controls on the purchase – minimum device requirements? Price limits? OS restrictions?
- How often can a user purchase a new device?
Usage Restrictions: Another perk for users in a BYOD system is that only one device is needed for work and personal life. There is no longer a need to carry two devices around. There are dangers inherent in this, and the company can be compromised through illicit use of the device or a security lapse resulting in lost IP.
For our clients, we can help analyze their usage and needs to develop a security protocol for their BYOD plans. In some cases, this is as simple as locking devices with a password or PIN. In other cases, a separate corporate environment may be established within the phone itself using special “container” apps like AirWatch or Divide, providing corporate-controlled applications and access to corporate data behind a secondary security measure. In extreme cases, where sensitive data or valuable IP is more readily available, IT will want to lock the devices down and manage exactly what applications and features can be used through a Mobile Device Management (MDM) platform.
Another concern here, which is still a gray legal area, is the extension of corporate liability to users and what constitutes “corporate use” of a user’s device in relation to torst. For example, can a company be liable if a user causes an accident while checking corporate email from their device while driving? There is no presiding doctrine here, so administrators should play it safe and actively caution against or penalize such activities in their BYOD policies.
Support Structure: Another instance where IT’s input is needed is in the decisions on provided device and service support. Regardless of the owner, users are still going to require support for their devices regardless of what they are using. If support is internal, can the team handle all platforms on the market? If support is outsourced, what is required to adapt support services to the new devices? There may be additional hardware support required as part of a BYOD implementation as well, depending on the types of devices allowed.
Much like the stipend rules, different user groups may require, or be given, different levels of support depending on their role in an organization.
A policy is only as good as its implementation. Management is key with any BYOD policy. Creating the policy is the first step, but we recommend our clients audit their policy at least twice a year (we often perform this audit for them) to ensure employee and carrier compliance from device, plan, and stipend standpoints.