
BYOD: Dos and Don'ts

Copyright 2013 TEMIA www.temia.org


Table of Contents

Executive Summary
    Corporate Liable, BYOD, CYOD, CLEO, COPE Defined
    Key Challenges
    Recommendations
Don't Ignore BYOD
Do Consider Legal Matters for BYOD
Don't Think in Absolutes
Don't Expect to Save Money
Do Budget for Additional Complexity and Security Costs
    Why Are Costs Rising?
Do Consider What Capabilities You Need
    Enrollment, Program Management and Expense Control
    Security
    Applications
    Policy Enforcement
    Next Steps
Conclusion
Research Notes
Recommended Reading
About TEMIA





Executive Summary

Consumerization of enterprise IT promises to lower costs, increase agility and produce
other benefits. Increasingly, consumer technology sets the agenda for the workplace.
This trend is driving employees to demand Bring Your Own Device (BYOD), Choose
Your Own Device (CYOD), Corporate Liable Employee Owned (CLEO), and Corporate
Owned Personally-Enabled (COPE) programs.

Corporate Liable, BYOD, CYOD, CLEO, COPE Defined

Corporate Liable: with this approach, the employer is responsible, or liable, for the
expenses on the bills. While this paper focuses on BYOD and other approaches, some
employers are seeking to maintain the integrity of strong corporate liable programs.
Upgrading an existing system would include call tagging so employees can identify their
personal and corporate calls and contacts. This information can be used for employee
payroll deductions and reimbursement. Call tagging is critical for Value Added Taxes
(VAT). Firms must be able to show through auditing that personal use is not
permitted, and private calls must be accurately demonstrated so that they can be
deducted from the VAT reclaim. Another option is a dual SIM device, with one SIM for
personal use and one for corporate use on the same device. A dual persona configuration can
distinguish between corporate and personal use.

In the context of telecommunications, BYOD is any device (smartphone, cell phone,
tablet, notebook or PC) or application (mobile app, cloud based application or ) that
accesses corporate networks through the use of telecommunications services. The
corporate network includes corporate internets, corporate intranets and carrier services
purchased by the corporation, local networks, guest networks or core networks with SIP
or VoIP services that are controlled by enterprise, ISDN or next generation MPLS
services.

Choose Your Own Device or CYOD is similar to BYOD, but it implies that employees
can only use devices and applications from a list that their employer has approved.

Corporate Liable Employee Owned or CLEO is an IT business strategy where
employees own devices, which are paid for by the employer. Ultimately, the employer is
responsible or liable to pay the contract for monthly services.

Corporate Owned Personally-Enabled or COPE is the opposite of BYOD. Instead of
making corporate functions work on personal devices, COPE enables personal use of
company devices for personal activities including social sites, e-mail, calls, etc.
Employers provide employees with devices and applications and the company maintains
ownership. It is able to leverage volume discounts for purchase of the devices, services
and management. The employer also has more control to secure devices.



Of the four alternatives to corporate liable, BYOD is the most widespread and
impossible to ignore. TEMIA members report that 48% of their clients have
adopted it and another 20% are evaluating it. BYOD also presents a contradiction. It
would appear to release employers from the expenses of providing and managing devices and
applications, but it doesn't. TEMIA members have found that for clients that
implement a BYOD strategy, 69% report that costs are either rising or about the
same.



Key Challenges
- Internal politics create an environment where it is difficult to properly address
  BYOD challenges.
- Most organizations will have more mobile devices that access their corporate
  network than PCs.
- BYOD programs present new challenges for security, employee privacy, legal
  considerations and lost productivity as employees deal with technical problems
  and runaway expenses.

Recommendations
- Control is still necessary, but an all or nothing approach is not possible.
- Employers must update their mobile policy to specify: who is eligible, what
  devices and applications are permitted to access the network, when, where and
  what data employees can access with BYOD.
- TEM, WEM and MDM programs can help manage BYOD programs by
  automating efforts to determine eligibility, program enrollment, tracking devices,
  applications that employees want to use and sign-off to abide by BYOD policies.
- With constantly changing consumer technology, managing BYOD isn't a one-time
  job. Companies need a combination of technology and resources to identify
  when employees fail to comply with BYOD rules.

This paper provides insights into the challenges of BYOD for telecommunications
devices and applications with a prescription of dos and don'ts. Readers will gain
knowledge of the specific recommendations for managing expenses, security,
privacy, employee productivity, technical issues and more.


[Figure: pie chart of the cost impact of BYOD. Spending on mobile telecom services is rising: 44%. Costs are about the same: 25%. Unable to track BYOD's impact on costs: 25%. Costs going down: 6%. Rising or about the same combined: 69%.]

Don't Ignore BYOD

Employee demand for BYOD is identified by 45% of respondents as one of the
primary reasons for implementing it. The other key drivers reported in TEMIA's
survey include desire to reduce costs, with 43% of enterprises seeking to reduce
hardware and service costs and 13% of enterprises seeking to reduce mobile
support and staff hours. With employees' demands, ignoring BYOD is not an option.

Employees may simply bypass official corporate policy and use shadow technology
that has not been approved. Managers cannot ignore threats from security risks, theft of
intellectual property and runaway expenses from BYOD. Everyone is an expert at
thwarting corporate policy. So managers need to learn the ways in which employees at
different locations or divisions are circumventing corporate policy to use personal
devices and applications at work.

In addition, employers are ultimately responsible for protecting intellectual property. The
United States, Australia, Britain, France, Germany, Ireland and Spain either have or are
developing stiffer enforcement and penalties for breaches resulting in exposure of
personal information. Spain can impose fines up to €600,000. France's cap on fines is
€150,000 for a first offense, plus five years in prison. German data fines can reach
€250,000 and in the United Kingdom, fines are unlimited. Japan imposes fines of
300,000 yen and up to six months in prison. Google and Facebook face fines up to $1.1
million and other sanctions for privacy lapses under Australian privacy laws.

BYOD programs raise new concerns for CEOs and CFOs of public companies that need
to attest to the adequacy of their U.S. Sarbanes Oxley internal controls. Financial and
medical records also have special safety protections. BYOD programs also raise issues
for firms with employees that may have health care records on their devices. The
Department of Health and Human Services is conducting audits for compliance to
HIPAA and HITECH. Massachusetts General Hospital settled a patient-privacy
complaint for $1 million after an employee left patient records on a subway car.

Violating data privacy law imposes costs beyond financial penalties. Firms face damage
to their reputation and loss of business for data breaches.

Do Consider Legal Matters for BYOD

Legal Matters
Blurring of personal and private information on employee owned devices and
applications raises new legal matters.
- What happens if the IT staff needs to get corporate data from an employee's
  personal device and they discover intellectual property employees should not have?
- What if there is evidence of a crime or inappropriate photographs?
- Does the IT team have permission to conduct e-discovery on personal data?
- Are findings admissible in court? Is this a violation of employees' privacy rights?
- Is the company responsible if a terminated employee's personal data is deleted
  when their device is remotely wiped?

Getting legal counsel involved in the planning stages of BYOD policy updates and
throughout the roll-out addresses legal issues. The right approach balances risk and
convenience with corporate culture and willingness of executives to support it. Mobile
policy must define what employers are allowed and not allowed to do, and what happens
if employee owned devices have inappropriate material.

BYOD policy should also clearly identify who is eligible, what devices and applications
are permitted to access the network, where and when they can access it and what data
employees can access. Managing BYOD programs requires technology and people to
identify when employees fail to follow the rules and the consequences. This can range
from ending an employee's BYOD eligibility to termination.

Don't Think in Absolutes

BYOD does not have to be an all or nothing proposition in which all or no employees are
eligible. TEMIA members report that for clients that implement a BYOD strategy,
88% have adopted a hybrid approach with some employees that continue to have
a corporate liable program and some that are eligible to use their own device
under an individual liable, CYOD or CLEO program. Only 12% of enterprises are
transitioning all employees to a BYOD or CYOD program.


There are three primary reasons for these hybrid programs. First, corporate ownership
with a common platform and standardized applications provides better control for
employers that need to protect critical intellectual property or sensitive customer material
on employees' devices or applications. Second, corporate ownership may also avoid the
perceived blurring of personal and private data ownership with these employees. Finally,
employers are also adopting hybrid programs because they want to offer flexibility to
those employees who have not been eligible for corporate paid devices and are not
likely to have sensitive material on their devices that may benefit from BYOD programs.
At the same time, these employers are recognizing that BYOD, CYOD, COPE and
CLEO programs may lead to higher costs.


[Figure: pie chart of BYOD program scope. All employees moved to BYOD program: 12%. Hybrid, some corporate liable and some BYOD: 88%.]

Don't Expect to Save Money

Justification for BYOD programs usually starts with cost savings from shifting costs to
employees for devices, carrier service charges, applications, management of security
and help desk functions. These savings are proving to be elusive. TEMIA members find
many enterprise clients are actually spending more after implementing BYOD programs.

First, in most organizations, only a select group of employees is eligible for corporate
liable or employer paid services and devices. These are typically executives, field
service personnel, sales people and other road warriors that need mobile devices to do
their jobs. With BYOD, people who previously were not eligible to have a corporate paid
device are receiving reimbursements or stipends for their expenses.

A second development is the shift of charges back to employers on expense reports.
Since the monthly charge is small, no one questions when employees slip it into an
expense report. Mobile expenses in BYOD programs do not have the oversight of a TEM
or WEM program. Corporate managers that sign off on expense reports lack the tools,
expertise and time that are needed to effectively scrutinize mobile expenses.

For enterprises that implement a BYOD strategy, TEMIA members report that only
5% of firms do not reimburse employees for their monthly service fee expense.
The majority, 95%, either provide a fixed stipend (63%) or allow employees to be
reimbursed through an expense report (32%).




A third reason for rising costs with BYOD programs is an increase in the charge per
employee. Many employees are selecting more expensive plans with unlimited or bigger
allotments of voice and data services to avoid overage charges. These plans are more
costly compared to corporate pooled plans and plans with smaller allotments, which are
more appropriate for employees' business needs. Employers are also likely to incur
higher expenses when employees travel internationally because they may not
proactively obtain the best service plans or they don't have the knowledge to do it ahead
of time.


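[Figure: pie chart of reimbursement for monthly service fees. Employee receives fixed stipend: 63%. Employee is reimbursed via expense report: 32%. Employee is NOT reimbursed for monthly service fees: 5%. Stipend or expense report combined: 95%.]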

Do Budget for Additional Complexity and Security Costs

Additional complexity from more devices, operating systems and security risks presents
new challenges that managers at all organizations need to plan for in their budgets.
Malware and viruses on smartphones are increasing. Spyware can steal personal
information and send it to third parties, malware dials premium 900 numbers and viruses
plague devices. Costs to provide security and help desk support are higher than
expected as more employees use a wider range of devices and applications. Trying to
solve BYOD problems with endpoint protection software, policy enforcement, data leak
prevention software and runaway expenses may work for most corporate IT, but it
doesn't work with telecommunications. BYOD programs for telecommunications present
thousands of variations of smartphone operating systems and applications.

Why Are Costs Rising?


Do Consider What Capabilities You Need

Common misconceptions for BYOD mistakenly promote the belief that enterprises are
free from managing expenses, security and policy enforcement. When employees use
devices and applications for work, it is natural for them to charge the costs back to
employers on expense reports. In addition, there are security risks when employees
connect their own devices and applications to corporate data and access it anywhere.

Employers can try to mitigate security risk by limiting what employees may access and
providing dedicated servers for BYOD e-mail. They may also try to limit the BYOD
program to employees who are unlikely to access intellectual property or sensitive
customer data. Ultimately, the old approach of creating a wall around corporate data is
dead. Employers can also expect loss of employee productivity when employees' BYOD
devices or applications are exposed to security threats and they have technical
problems.


[Figure: bar chart, axis 0% to 100%. Categories: More complexity, more diversity with devices, iOS; New and increasing security challenges UNRELATED to BYOD; Additional security challenges with BYOD; More devices to manage. Values shown: 50%, 60%, 30%.]

The BYOD phenomenon creates problems which require consideration of new
capabilities, which can be grouped into three main categories:
- enrollment, program management and expense control
- security
- policy enforcement

Enrollment, Program Management and Expense Control
TEM, WEM and MDM programs can help manage the transition to a BYOD program and
on-boarding of new employees. Deployment of new devices isn't a one-time job. A web
portal can automate the process for tracking employee eligibility, program enrollment,
applications, devices, and sign-off that they will abide by BYOD policies.

Employers gain better visibility for all telecom expenses with stipend reporting when
TEM, WEM and MDM programs are integrated with BYOD programs. Interfaces with
accounting systems can gather information from employees' expenses to identify what is
allowed and what cannot be expensed.

Employers may also wish to consider a system that alerts employees and telecom
managers when consumption of a data or voice plan is close to its monthly allotment or
other capabilities to manage international roaming charges. Finally, look for reporting
that can identify when new devices are provisioned, apps which are out of compliance
and devices that have not checked in after an extended period of time.

Security
Smartphones and tablets, like PCs, and the data that resides on those devices, must be
protected. There are several areas of vulnerability. One is the physical loss of
equipment, when an employee leaves it somewhere or it is stolen. The second security
risk includes spyware, malware and viruses. This can result in a network of devices
programmed for malicious activity such as stealing data (customer credit cards, patient
records etc.) or crashing a corporate network.

Every device manufacturer supports encryption, but the levels differ. Some MDM
providers have the ability to encrypt specific files, folders or company data. Also,
providers can now place corporate data and applications in a secure environment or
sandbox. Partitioning allows employees to separate work and personal items.

Some MDM providers are offering browser security. Mobile web browsing can be filtered
to lower the risk of attack on a device. Web filtering tools can block access to potentially
dangerous or non-work-related websites. Intrusion-prevention software tools can block
network access for noncompliant devices. In addition, some security now helps screen
devices for malicious apps.

Applications
Some apps every employee should have. Others must be banned. Application filtering
with white lists and blacklists can control this process based on the device and operating
system. Enterprises may want an application store for in-house custom apps and
preferred apps. In addition, Apple's and Google's approval processes might take too
long or there may be reasons to avoid releasing an app in a public app store that
competitors can view. MDM support for installing custom apps and setting up a company
app store experience will be important as well.
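
The reporting described under Enrollment (new devices, out-of-compliance apps, devices that have not checked in) and the app filtering described above can be expressed as one compliance check over a device inventory. The following Python is an added example, not part of the TEMIA paper or any MDM product's API; the policy values, thresholds, app names and device records are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Hypothetical per-OS policy: apps every employee should have, and banned apps.
POLICY = {
    "ios": {"required": {"corp-mail"}, "banned": {"file-share-x"}},
    "android": {"required": {"corp-mail", "av-agent"},
                "banned": {"file-share-x", "sideload-store"}},
}
STALE_AFTER = timedelta(days=30)  # assumed "extended period" without check-in
NEW_WITHIN = timedelta(days=7)    # assumed window for "newly provisioned"


@dataclass
class Device:
    device_id: str
    owner: str
    os: str
    provisioned: date
    last_checkin: Optional[date]  # None means the device never reported in
    apps: set = field(default_factory=set)


def evaluate(device, today):
    """Return a list of (finding, detail) tuples for one device."""
    findings = []
    rules = POLICY.get(device.os)
    if rules is None:
        # A platform with no policy must not pass silently (CYOD-style list).
        findings.append(("unsupported_os", device.os))
    else:
        for app in sorted(device.apps & rules["banned"]):
            findings.append(("banned_app", app))
        for app in sorted(rules["required"] - device.apps):
            findings.append(("missing_required_app", app))
    if device.last_checkin is None:
        findings.append(("never_checked_in", ""))
    elif today - device.last_checkin > STALE_AFTER:
        findings.append(("stale_checkin", str((today - device.last_checkin).days)))
    if today - device.provisioned <= NEW_WITHIN:
        findings.append(("newly_provisioned", device.provisioned.isoformat()))
    return findings


def compliance_report(devices, today):
    """Map device_id -> findings, listing only devices that need attention."""
    report = {}
    for device in devices:
        findings = evaluate(device, today)
        if findings:
            report[device.device_id] = findings
    return report


# Constructed sample inventory (not real data).
TODAY = date(2013, 2, 1)
INVENTORY = [
    Device("D-001", "alice", "ios", date(2012, 11, 1), date(2013, 1, 30),
           {"corp-mail"}),
    Device("D-002", "bob", "android", date(2012, 10, 15), date(2012, 12, 1),
           {"corp-mail", "av-agent", "file-share-x"}),
    Device("D-003", "carol", "android", date(2013, 1, 29), date(2013, 1, 31),
           {"corp-mail"}),
    Device("D-004", "dave", "other-os", date(2012, 6, 1), None, set()),
]

if __name__ == "__main__":
    for device_id, findings in compliance_report(INVENTORY, TODAY).items():
        for kind, detail in findings:
            print(f"{device_id}: {kind} {detail}".rstrip())
```
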


Policy Enforcement
Before managers update their mobile policies, it is necessary to learn the ways in which
employees at different locations or divisions are circumventing the program. An
enforceable policy can help secure corporate data on personal devices. This may
require a policy to lock devices after several failed attempts at a password and a kill
switch that can remotely wipe the data if a device is lost. Some MDM providers are
introducing data monitoring capabilities that provide reporting on what data is moving to
and from the device.

Location capabilities with geofencing can detect when devices leave certain
geographic areas and take action to secure them (such as locking or remotely wiping
data on the device). In some cases, a camera can be locked when employees are in the
office or other locations and released for personal use when they are home.
Unfortunately, privacy laws add complexity for firms in some countries that prohibit
location tracking and use of these features.

Next Steps
- Decide how many forms of BYOD you will support.
- Determine the device scope: Will the BYOD program support tablets, smartphones,
  PCs, applications or a combination of these items?
- Will the BYOD program apply to a secondary device, or is it for users' primary
  devices as well?
- Consider the benefits of supporting a mix of enterprise-liable, bring-your-own and
  hybrid models.
- Determine when, how, and how much you will subsidize business use of personal
  devices.
- Working with HR, your legal department and your corporate risk organization,
  understand how tax, privacy, legal liability and labor relations impact the program.
- Determine who qualifies for a usage subsidy and how it will be paid (allowance,
  stipend, voucher or reimbursement program).

Conclusion

Where does your company stand on BYOD today? If you do not define a BYOD policy,
employees will bring their personal devices and applications to work. A SANS Institute IT
Survey identified that 91% of respondents were not fully aware of mobile devices on
their network. Tools are necessary to ensure that employees do not bypass official
corporate policy and use shadow technology that has not been approved.

Mobile devices and PCs are often considered together for BYOD considerations, but the
challenges and how they are used are quite different. PCs can function as stand-alone
devices that are not networked, while mobile devices are part of a dynamic, real-time
collaborative ecosystem. Nearly all of their value comes from connectivity.


The lifecycle for smartphones and tablets is a relatively short period of 12 to 18 months.
With the flood of new consumer devices coming to market and short lifecycle,
implementing BYOD is not a one-time job. Each new product needs to be tested to
determine its security risks. Managers must define their security controls, management
controls and provisioning and de-provisioning or retirement process.

It is easy to get distracted in reviewing new offerings, or other functionality that might be
cool and interesting. Keep these in mind, but begin with your specific users because new
features and offerings may solve completely different needs and goals for other users.
Determine what problems or needs you need to solve. Invest in a sustainable user-
centric approach.

Balance strategic and experience objectives. Also, consider the potential economic
impact (both positive and negative) in adopting a BYOD policy. Consider the use case
and how employees will use different devices, data and apps. As TEMIA's survey found,
most organizations are using a hybrid model for individual liable and corporate liable
rather than an all or nothing approach.

Managers should also be sure to factor all the costs to support multiple platforms.
Placing limits on the number of devices and applications that employees can use will help
limit the security risks and costs of the program. This is where a CYOD program that
limits the number of approved devices and platforms may be more realistic compared to
a free ranging BYOD program that allows employees to bring any device. The key is to
find a balance between employee demands for choice, freedom and privacy with
corporate concerns for control. Too much control will lead employees to circumvent the
system and limit its effectiveness.

A smart BYOD program will find the right balance while addressing security, concerns
for theft of intellectual property and runaway expenses. These risks may be lower for
employees who are less likely to have valuable information on their device. The
incremental costs of BYOD for these employees may be lower than they would be for
executives and other employees who require higher levels of security. This sort of
calculation is the basis for determining which employees should be eligible to participate
in a BYOD program. These considerations can also help determine standards for which
personal devices and applications they can use.

Once these decisions are made, create a policy and determine the capabilities that are
needed to manage the program. BYOD policies should not be overly restrictive. They
must align with corporate culture. To address the challenges, include education, mobile
policy, and technology that is backed by subject matter experts. In addition to
understanding how it will work, employees need to recognize the consequences if they
fail to comply with policies. They should also know that tools are in place to help enforce
mobile policy and monitor compliance.

TEM, WEM and MDM programs can help manage BYOD programs by automating
efforts to determine eligibility, program enrollment, tracking devices and applications
employees want to use, and sign-off to abide by BYOD policies.


Financial executives need to see beyond the hype and recognize the true costs of
supporting BYOD, managing compliance, security risks, device and monthly service plan
reimbursements and rogue expensing of charges. All of this may make a BYOD program
more expensive. After BYOD is debunked as a cost saving initiative, managers may find
that there are still compelling reasons to move forward with the program for some
employees. Some organizations may want to give their employees more freedom and
others may see increased worker productivity.

One of the biggest surprises is that organizations need to budget for BYOD programs.
As these programs evolve, organizations are beginning to realize that they need to plan
for the extra effort that BYOD, CYOD, and CLEO programs require.

Research Notes

The TEMIA research findings in this paper came from a survey of members which was
conducted in December 2012 through January 2013. TEMIA members are well
positioned to provide insights because they manage over $61 Billion in telecom spend
for thousands of global organizations.

We welcome your feedback on this document, at info@temia.org.

TEMIA has authored this paper. TEMIA's mission is to raise awareness and knowledge
of the benefits of Telecommunications Management solutions, to improve the quality and
value of solutions through the development and promotion of open industry standards,
and to cultivate shared industry knowledge among Solutions Providers, business
partners, telecom service providers, and enterprise clients. TEMIA is a nonprofit
association, which receives its funding primarily from Solution Providers.

Recommended Reading

Readers can access TEMIA reports online: www.temia.org/resources/download-reports.

- Adoption of Telecommunications Management as a New Industry Term
- TEM RFPs - Guide to Evaluating TEM Solutions
- A Call to Action: Overcoming the Conundrum of Telecom Invoices and Electronic
  Billing
- Your Exceptional TEM Program: Best Practices for Sourcing Using TEM Metrics to
  Improve Performance
- Your Exceptional TEM Program: Best Practices for Enterprises and Suppliers that
  Raise TEM Performance through Key Performance Indicators and Industry
  Standards


About TEMIA

TEMIA is the authoritative voice for Telecommunications Management, Telecom
Expense Management, TEM, Wireless Expense Management, WEM, Mobile Device
Management, MDM, Mobile Security, Mobile Content and Mobile Applications Solutions
Providers.

In 2006, many of the largest Telecom Expense Management (TEM) solution providers
established The Telecom Expense Management Industry Association (TEMIA). TEMIA
has redefined itself with a broader mandate to focus on Telecommunications
Management. TEMIA's ongoing mission is to raise awareness, to improve the quality
and value of solutions and to cultivate shared industry knowledge for
Telecommunications Management, Telecom Expense Management, TEM, Wireless
Expense Management WEM, and Mobile Device Management, MDM, Mobile Security,
Mobile Content and Mobile Applications. TEMIA seeks to do this through the
development and promotion of open industry standards, and industry knowledge among
solutions providers, business partners, telecom service providers, and enterprise
clients. Further, TEMIA members subscribe to a Code of Ethics, which clearly
differentiates their level of commitment to their clients.

For more information about TEMIA, please visit, http://www.temia.org, contact
info@temia.org, or call TEMIA's Executive Director, Joe Basili at 973 763-6265.
