Site Note: We’d like to introduce you to Brian Katz. Brian is an EMF member who works at pharmaceutical giant Sanofi and has a great blog where he shares his thoughts on enterprise mobility. Brian has graciously allowed us to share those thoughts with you on this site.
There are a lot of articles floating around right now about how BYOD is the next big thing. It’s already here. 77% of companies are doing BYOD. You see these headlines everywhere, and most of them are meaningless, as companies are still trying to come to grips with how to really do Bring Your Own Device.
You see, most companies have this fear that if they allow their employees to bring their own device, the walls of the company will come tumbling down and they will no longer have their corporate assets or secrets to themselves. While the computer revolution has certainly made a company’s data easier to steal, this has been an issue forever. What did people do before computers? They would carry home files in their briefcases (nobody used backpacks or messenger bags back then). How many of those people left their briefcase on a train or a plane for someone else to steal? Before laptops and home computers became the rage, people used to print all their documents out on the big dot matrix printers, which eventually became noisy daisy wheel printers until the advent of laser printers. How many people do you know who, when an email says “please don’t print this email to save paper”, print it anyway? Where do they put that email? In their bag, so they can read it and mark it up later.
The trick to handling these things is to get the user to understand the common sense that they need to protect the corporate data. As the saying goes, common sense isn’t so common anymore. This is what leads to the secret sauce for enabling any sort of BYOD as part of the Consumerization of IT. This isn’t an epiphany either. In a previous life I spent some time back in the 90s as a Technology Coordinator for a school system. We realized early on that when it came to computers you had to take into account how the students might use and sometimes abuse them. Schools very quickly learned all about protecting their assets and holding people accountable. They created an Acceptable Use Policy or AUP.
Any company, whether it is rolling out corporate devices or letting users bring their own devices, needs to invest some time into creating an AUP. What makes an AUP work is that it becomes the agreement between the company and its employees on what is expected from them when they use mobile devices.
Now, realize this isn’t just a list of rules that are made up in a vacuum by the security department. If a company goes that route, they will very quickly lose any enthusiasm they might have for the program. An acceptable use policy is made up by a group of people in the company which, while it includes security, should also include the business, the administrators and, most importantly, the users themselves. By allowing them to help create the document, you are ensuring that they become stakeholders and want to take part in following the policy.
So what do you need to put into an AUP? Security is going to define a list of do’s and don’ts. Don’t leave your phone lying around unlocked, don’t use a simple passcode, do report your phone if it’s gone missing. There will be a whole host of rules like that. What’s important is that the policy doesn’t stop there. The business should define what they want you to do with the phone. They want you to use it when you go on a sales call; they want you to enter your expenses when they occur, using the app they have provided. This is where, if it’s a corporate device, you will probably agree to let the user install their own stuff/apps on the device. Let them install Angry Birds if it will make them more comfortable using the device. The users themselves will want to get in on this as well. They will want to have their private email account on the phone. They will want to understand how to use the data. Many times they will push for more restrictive policies for some things and more lenient ones for others. They will appropriately suggest that the first thing you do is lock the phone if they call to report it missing, instead of wiping it right away, especially if it is a personal device.
As one company reported recently, by locking the device first they found that lost devices were reported missing almost immediately. Under the original policy, where they did a device wipe right away, people would wait up to 2 weeks to report a device missing, as they thought they might find it and didn’t want to lose their data.
Now that you have created an acceptable use policy with all these groups working together, the first thing you will need to do is simplify it; 10 pages of writing will never get read by your users. Your goal is to try and keep it under 2 pages (and if you’re really good, get it down to 1; you may need to single space). You’re going to have to let your legal team look at it. Trust me – you’ve never had so much fun as when you get the doc back from legal. It will be dreadful to read at that point. Now comes the final test – you need to put the document into plain English (which you will later translate into every other language your company uses), and if you really want it to go viral, you try to add a little humor to it too. This is what makes this document so powerful: it tells you what you should be doing (this is encouraging) while warning you of the pitfalls to avoid, in an easily readable 10-minute document.
An AUP is where you try to make common sense common again to all your users who will be using a mobile device. Trust me, it resolves a lot of headaches before they begin.