It may not come as a surprise, but most workers treat their corporately owned phones differently than their corporately owned desktops and laptops.
Our mobile phones are never far away from us and we use them as cameras, books, gaming consoles, calculators, banking tools, etc. Even if the phone has been provided by the company they work for, staff all too regularly see their work phones as a personal tool, and are horrified at the idea that someone in their IT department could see what apps they have loaded or their browsing history – regardless of device ownership.
Due to the blurred lines of these ownership structures, restrictions are regularly violated. Unauthorized apps and private messages are being downloaded and transferred on phones without the IT security team’s knowledge. As a result, companies are finding that their phones are leading to critical vulnerabilities and even compromising the security of sensitive data.
However, those attempting to rectify this situation in their organisations are finding that the challenge lies in putting the cat back in the bag. Corporate phones have been in the Wild West for too long, and IT departments are finding that applying restrictions is seen as a violation by staff who have long enjoyed freedom of use on these devices.
Selecting one ownership model over another is also a highly contested debate within organisations. Some view the situation as rectifiable through specific modern device management tactics for BYO devices, while others insist the path forward is to assign corporate-owned devices for hybrid and remote employees.
So, how can organisations tackle the issue and secure phones before it is too late? There are a couple of schools of thought to consider when weighing the topic.
Phone ownership models
1. CORPORATELY OWNED BUSINESS ONLY PHONES (COBO)
The first option is to embrace Corporately Owned Business-Only phones. It is a difficult path from a cultural perspective and may require your employees to carry two devices – a corporate and a personal phone.
In this scenario, a company issues a corporate device that is intended for work purposes only. The device will only allow access to IT-approved work apps and a handful of quality-of-life apps (e.g. weather, news, bus timetables).
If a device is too locked down, staff may not use it: the device could end up in a drawer, or the SIM card may be taken out and put in a personal device.
Personally, I view this as less than ideal. Speaking from prior experience, it is annoying to have two devices. Additionally, it is an unnecessary use of resources from both an environmental and cost perspective.
Fortunately, there are other options.
2. CORPORATELY OWNED, PERSONALLY ENABLED DEVICES (COPE DEVICES)
This alternative ownership model uses Corporately Owned, Personally Enabled (COPE) devices. In this instance, the employer owns and supplies the employee’s phone. The device is distributed with IT-approved work applications, but it is also enabled to download external apps. The caveat is that the employee will have to use their personal Apple ID or Google ID to complete the download and access the app.
COPE devices also allow for basic personal functionality like text messaging, voice calls, photo backup, and personal email. The IT department, however, is at the wheel in terms of management. If any application on a COPE device jeopardises corporate data, IT ultimately reserves the right to shut it down. The downside to COPE devices is that personal enablement often leads to a rise in data costs for organisations.
3. BYO DEVICES
BYO ownership models allow employees to use their own personal devices for work purposes, but also allow IT to secure company data through the management of specific apps. In my opinion, it provides the best of both worlds. If done correctly, your employees should feel that their personal information is secure and separate from the eyes of the company, and corporate data should remain secure.
Bear in mind that if you choose the BYO model, you will likely need an experienced architect to build the desired policies in order to ensure that email and company data are adequately protected.
Who should decide what method to choose?
In my experience, this answer largely depends on company culture. I’ve witnessed instances where deciding on an ownership model has been influenced by IT, Finance or Operations. Whatever department packs the most punch tends to dictate the decision.
The reality of the matter is that the choice should be a group effort. Stakeholders across the organisation should weigh in with their operational needs and preferences to drive a decision. After all, there is much to consider in terms of budget, security, and employee experience.
Moving forward with a plan
When considering a path forward in terms of phone ownership models, I frequently encourage clients to look at the decision as if it pertained to the usage of a company car. When an employee is issued a corporately owned vehicle, they tend to use it for more than just work purposes. Often, it is used as their sole method of transportation and a tool to run errands, escort families, or tow the boat.
If you were to impose new rules restricting an employee from using that vehicle for anything non-work-related, it would be significantly disruptive. Not only would that employee be inconvenienced, but they would also likely need to purchase an additional car and toggle between the two depending on the purpose. In my opinion, that simply seems unnecessary.
Now relate this to a phone. If staff have had full use and have personal information, photos, personal contacts, and documents stored on that device, how will they feel if you take that away from them?
Whatever ownership model you choose, I would advise you to act swiftly. The longer employee phones go unmanaged, the larger the chance of a breach becomes. Cybercriminals are becoming increasingly sophisticated, and the cost of a breach is often financially devastating and a blow to the reputation of any organisation.
Make a decision on which model of ownership suits your organisation, amend your policy, communicate that decision to the organisation, and explain why.
Before implementing a more locked-down ownership model, give staff the time to get personal information off the device. They may need help and instructions on how to do this. Be prepared for questions.