How to Enable BYOD Users to use Office 365 without Compromising Corporate Security and Employee Privacy
There is an alarming trend underway – users are downloading Office 365 apps to a personal device using their personal Apple ID. Company data is being exposed in unmanaged apps on personal devices. The impact is a complete loss of control over corporate data on BYO devices. Is this happening in your company?
BYOD is in 70% of Companies
The BYOD trend took off in 2007 when a BlackBerry user decided to buy an iPhone and configure email for work. That was me. Not just me of course, there were millions of people like me. Fast forward to the present and BYOD is no longer a cool rebellious thing to do. BYOD is mainstream and over 70% of companies have some form of program enabling it.
On one hand we are employees wanting to be productive and on the other hand we are also consumers and we like shiny new objects. We live in a world that has become mobile-first and cloud-first and we naturally expect to use our apps and cloud services on any smartphone, tablet or laptop – regardless of who paid for the device.
How do you strike the right balance between corporate security and employee privacy? How do you ensure that BYOD is cost effective and user friendly? How do you turn BYO from being a liability to a benefit?
Office 365 on BYOD is now Business as Usual
Office 365 is the world’s most popular productivity suite and needs to be enabled on BYO mobile devices. What is the best way to keep employees secure and productive without putting your company at risk? There are 5 building blocks in any successful BYOD program:
- Security & Privacy
- User Support
- Reimbursement & Incentive
BYOD policy needs to balance two competing forces: 1) security and 2) privacy. This may require some compromises. Anyone can write a basic BYO policy but the creation of a good and sustainable policy needs collaboration from IT, HR, Finance and end-users. Without the involvement of all four stakeholder groups, the policy is likely to be lopsided and will eventually fail. This could manifest as a corporate data breach, an employee privacy breach, unexpected hidden costs, or increased staff attrition.
The goal of a successfully policy is to achieve enterprise-grade security, while assuring employees that their personal data remains private. the company must assure employees that the company cannot see an employee’s text messages, photos, location, browsing or social media activity.
Eligibility criteria need to be clearly defined in the policy and may include hours of work, hardware specs, OS version, security posture, safe driving, and more. For example, your policy might say an eligible device must have the latest OS and recent patches to avoid known vulnerabilities. Or that work hours are to be strictly followed to avoid overtime claims checking email.
We get 320,000 attacks every day, mostly by email and many of those come through BYO devices
Your company cannot secure data in unmanaged apps that are downloaded from a public app store using personal credentials. If an employee reports a breach the only blunt instrument available to IT is to wipe the entire device, which rarely happens as it is a massive invasion of employee privacy. Even worse, in the event of a security breach or lawsuit, the company cannot issue a court order for a device it does not own. Consequently, it is likely that company data is exposed unless the right policies, security and governance are in place.
Companies can secure their BYO environment in three ways: 1) by enrolling the device in a mobile device management system, 2) managing the apps used on a BYO device and 3) enrolling the user with work profile or user enrollment (available since iOS13).
All three methods have their merits and provide IT with different levels of control, monitoring and governance. At minimum, you should deploy all work-related apps (e.g. Office 365 apps) as managed apps. This links the apps to the users’ company identities and apply policies to protect company data. Ideally, BYO devices are treated exactly the same as corporate devices with multiple layers of security.
Once work-related apps are secured, it is important to protect against bad actors by blacklisting malicious apps, requiring OS updates and app updates, and carefully managing security credentials.
On average 12% of mobile users require support each month for a technical issue, change of device, broken screen, etc. In a BYO scenario, employees are left on their own, usually without IT support. BYOD users must resolve issues by calling their carrier, going to a retail store, or finding a repair shop. A competent Service Desk solves these issues in 15 minutes, whereas it takes an hour or more to solve a similar issue through a consumer channel.
The impact to the company is wasted time for 12% of the workforce each month while employees deal with BYOD issues through consumer channels. In a business with 1,000 employees that is 120 hours lost per month!
BYO users are not second-class citizens and need to be treated with the same support as corporate users. This means having access to technical support and short-term replacement devices. When BYO users lose or break a device, they should receive a replacement device on loan so they become productive again within minutes, not hours or days.
Stipend & Incentive
The financial drivers of a BYO program are often not well managed. In some cases, a BYO stipend is paid to people who should not be eligible at all. In other situations, the stipend is not charged to the relevant cost center and reconciled with payroll.
The employee incentive for BYO can take multiple forms such as: a) a monthly stipend, typically ranging from $10 to $100 per device, b) access to a corporate data plan with lower rates or c) not having to carry two smartphones or two laptops. We recommend a stipend and/or access to a corporate data plan as the correct incentive model.
Stipends and incentives need to be managed by defining the eligibility criteria, monitoring device compliance, providing a monthly report to each cost center, and generating a reimbursement report to the Finance department for the stipend payment process.
We are always amazed how some companies sweep BYO issues under the carpet, treat BYO users with lower security standards and abdicate support to the user. This is usually not a deliberate decision but rather an abdication of responsibility as the device does not belong to the company. However, the company data on the device has value and the employees’ time has value so it pays to ensure the data is secure and the employee is supported.
BYOD program management is complex and can be highly emotive when issues occur. Mobile Mentor embraced BYOD in 2011 and supports enterprises and government entities to manage their BYO program so they have a scalable and sustainable model for future growth.