In my last blog, “Launching a “Bring Your Own Device” project – what have we learned in the past few years?” I wrote about what we have learned from customers who have started BYOD projects. In this article I want to focus on what you need to do regarding the topic of Support Policies. If you have not had a discussion with your Human Resources and Legal departments I would encourage to get them engaged with your project now!
OK let’s discuss a few of the easier items from figure 1, “Support Policy”. If you allow employees to bring personal property onto your premises you should already have a clear policy of what happens if it is lost, stolen, or an employee damages another employee’s property. This is where consulting with your Legal Department pays big dividends – they like writing liability and legal policy statements!
Now, let’s consider what items should be included in this policy to update it for BYOD? In addition to those that define the liability the company has regarding employee’s personal property, there are some simple items. Consider how you want to handle hardware failures. The easy approach would be to say since the company does not own it - then the company has no responsibility to repair it. However, if the employee encounters a failure, it can impact your bottom line. If the employee needs the device to complete the tasks you assigned to them, then a hardware failure will preclude them from completing the tasks. Just to remind you, if you have outsourced your workplace then you probably have a Service Level Agreement (SLA) stating the provider needs to return the user to productive state in 4 to 8 hours. Those providers tend to do things like stock spares at larger campuses or make sure they can get a replace in less than 24 hours. Don’t expect your employees to stock a spare at home.
Some suggestions on this topic. If you allow BYOD then your policy should state how you expect hardware failures to be dealt with. For example, do you expect employees to purchase a “no questions asked” next business day warranty. (This is what I recommend my friends with kids going to college to purchase but, things that go on in dorm rooms are different than offices). So, what happens if your employee does not purchase the extended warranty and they encounter a hardware failure impacting their ability to complete tasks? Your policy could have a clause to indicate they must maintain sufficient credit to purchase a new device in the event of a failure. Of course to implement the policy will require you to pull a credit report once every n-quarters to determine if employee is in compliance.
Another potential solution would be to purchase a hardware repair policy for your employees (leverage “a group” discount much like health insurance). Your BYOD employees might have multiple devices they use for business so you might consider allow them to register multiple devices, up to some reasonable limit, with the policy. This would provide a degree of confidence that if a failure occurred the hardware could be replaced in a timely manner (albeit shorter than the SLA you have with your provider today). Be careful though, this might trigger a tax to the employee because it could be perceived as a “company perk” – consult with your Human Resources and Legal departments
Ok we have dealt with aspects of your policy when an employee brings personal property onto your premises (lost, stolen or damaged by another employee) and we have discussed options for making sure employees have access to their “technology tool” for performing their tasks. Next, we need to discuss what happens if the employee’s BYOD damages your property. This is an area that Risk Management departments fear the most about BYOD. In today’s world of continuous cyber-attacks what happens on that one day when a user connects their device to your infrastructure and malicious code infects your infrastructure and other employee devices.
There are lots of options on the market to implement security controls on your network including heuristics based monitoring on packets to identify threats, application controls, etc. My suggestion is IT managers need to invite their peer over in the Risk Management department to have a cup of coffee and have a long discussion. Yes, I know the IT department tends to fear Risk Management but, they are there for a reason –to identify and measure the risks faced by the company, develop mitigation strategies and to minimize damage that outside threats may cause the company (and you thought they only reason they were there was to say NO to any of your projects).
Finally, we need to consider the impact of BYOD to your helpdesk. Frequently I hear from clients that they just don’t understand why their helpdesk staff cannot support different platforms and configurations – software providers do it all the time. Well, most businesses have 100’s if not 1000’s of business applications. When you call a software support desk they are supporting their software and as such can train their agents in advanced diagnostics for their software. Corporate strategy for helpdesks has been towards lower cost and quick resolution. If a problem cannot be resolved quickly, then trigger a platform reset (since the corporate configuration is known to work).
Unless you have moved all your applications to a Cloud Software as a Service (SaaS) model or made an investment to move all your business applications to data center using client virtualization techniques (Presentation Virtualization, Terminal Server, Virtual Desktop, etc.) – you need to be able to support your applications on the devices your employees will use. BYOD will take “we are going to reset your machine back to a known state” option off the table. As such, you need to make an investment in training your helpdesk on better problem solving techniques and expect calls to be longer.
I will be writing about other caution points that should be considered to effectively implement a BYOD strategy within the organization. However, I would like to hear from you based on your experiences what it takes to launch a successful BYOD program. Feel free to post here or contact me on twitter.