There is no stopping the bring-your-own-device (BYOD) movement. Enterprises increasingly embrace this strategy, which allows employees to use their personal mobile devices for work-related communications. While BYOD has a place in some organizations' mobility plans, however, those in regulated industries have strict requirements that may prevent BYOD use, including information tracking and storage responsibilities.
As stipulated by Dodd-Frank, organizations in the financial industry are responsible for retaining all transaction-related communications, including voice and written messaging. Other regulated industries, such as health care and insurance, are subject to similar rules that require archiving text messages, instant messages and phone conversations for later use in compliance audits.
Further complicating this situation, many of the smartphones and tablets flooding the enterprise market are designed for consumer use and lack the capabilities to meet rigid compliance requirements. For instance, several popular smartphone devices do not support text message archiving.
According to a 2013 report from Osterman Research, content retention and management is a fundamental risk of BYOD. Corporate information stored on personal mobile devices can be inaccessible to a company's administrators, subjecting businesses to severe risks, including hefty financial penalties.
With so much on the line, CIOs at regulated businesses cannot rely on a risky BYOD strategy. They must choose an alternative solution that can provide workers with the sense of personal freedom associated with BYOD without exposing the organization to the risks of compliance rule violations.
The best way to maintain this delicate balance is to deploy a corporate owned, personally enabled (COPE) enterprise mobility model. COPE and BYOD share a central objective: to fortify workers with a mobile device that can be used securely and simultaneously for both work and personal communications. The difference between the two models is how they approach this goal.
A BYOD approach centers on extending the use of a consumer device to the work realm. COPE, by contrast, starts from a work-first perspective, with IT carving out, or pre-configuring, a portion of the device for personal use. From a management and security perspective, it is easy to understand why COPE is increasingly viewed as an attractive alternative to BYOD. Consider the following:
Corporate control and end-user appeal: COPE offers a solution to the never-ending struggle of IT departments to find the perfect balance between mitigating risk, enabling business and satisfying users. It provides a compromise between the loosely governed BYOD option and the locked-down corporate model known as COBO (corporate owned, business only), in which the organization owns employee devices and strictly dictates how they can be used. COPE-governed enterprise mobility plans give end users the ability to choose from a selection of approved, corporate-owned devices, which most likely have been pre-configured with separate work and personal environments. COPE is a mechanism for achieving the prime directive of the IT department-protecting corporate information against unauthorized access, malicious malware and leakage-without putting restrictions on the types of mobile devices and applications available to the mobilized workforce. With COPE, IT departments can increase user satisfaction and also rest assured that communications assets are secure and within the control of the enterprise.
Flexibility and adaptability: A COPE-based approach delivers a much broader spectrum of implementation variations, empowering IT with a "dial" that can be adjusted as needed. Organizations subject to rigid auditing or compliance requirements, for example, may dial up the controls to impose stricter rules around network access or data sharing. Those not subject to compliance rules can dial down the level of control, bringing their enterprise mobility policy closer to a traditional BYOD program. Compared to COBO and BYOD solutions, COPE provides an ideal amount of flexibility.
Centralized oversight: COPE policies create a streamlined management environment more conducive to adhering to company policies than BYOD. With BYOD, separate business units within an organization may require distinct policies. COPE enables standard policies and governance rules for the entire organization, while also helping reduce costs related to management complexity.
Compliance is only going to become more challenging as consumers adopt new technology at a faster pace than IT can react, and governments impose additional regulations.
While the BYOD movement will continue forward, it is critical to remember that BYOD is not for everyone. Regulated industries must acknowledge the immense risks of BYOD and choose an alternative enterprise mobility model to ensure that sensitive data is protected. Ultimately, a COPE strategy can provide the best of both worlds for companies subject to compliance rules: greater control over communications assets and increased end-user satisfaction.
Building a Better BYOD Strategy
|