• Save
The consumerisation of workplace technology
Upcoming SlideShare
Loading in...5

The consumerisation of workplace technology






Total Views
Views on SlideShare
Embed Views



0 Embeds 0

No embeds



Upload Details

Uploaded via as Adobe PDF

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
Post Comment
Edit your comment

The consumerisation of workplace technology The consumerisation of workplace technology Document Transcript

  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practiceLiving with the genie:The consumerisation of workplace technologyA guide to developing policy and practice 1
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practiceConsumer-driven technology is proliferating in the workplace.From CEO to newest graduate trainee, people want to usesmartphones, tablets and other new device types – and theyare doing so, whether employers like it or not. The result is atidal wave of unregulated devices threatening to destabilisethe safe, secure corporate IT infrastructure in which companieshave invested millions, by opening the back door to let dataescape and intruders enter.“The genie is out of the bottle; we are all on new ground*as users push, pull and smuggle their own choice of technologyinto the workplace, bypassing traditional IT procurement,protocols and controls*” says Christine Vincent, Head ofManaged Mobility, BT Global Services. “Many companies haveno idea of the great risks to which they are being exposed.And even when they do have some idea of the risks, they donot know where to begin to manage this brave new world.”Every large organisation must quickly face up to the realityof the situation: accept what is happening and start to lead.It is time to stop worrying about which device to choose andstart developing policies and practice that will allow you toenjoy the many benefits of consumerisation and keep yournetwork and data secure.This paper looks at the issues raised by the uncontrolledadoption of consumer technologies by employees and makespractical recommendations to bring the situation undercontrol. It draws both on BT’s experience of managing mobiledevices across its own global workforce and the work we havedone to help other large organisations bring control and clarityto their mobile device population. 2
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practiceMobile devices in the workplace – the genie escapes from the bottle Tablets, smartphones and other emerging form factors now offer the sort of user experience once only available on a PC. The dynamic advance of mobile technology is rapidly blurring the established, traditional model of corporate technology procurement. Consumers want to extend that rich, easy to use experience they enjoy on their personal devices into their working life. In what Forrester calls ‘tech populism’* employees are increasingly introducing their own personal devices – smartphones, tablets etc – into the workplace. In a major paradigm shift, the employee, not the IT department, is choosing how to interact with the organisation. Whether it is senior executives who want to try the latest smartphone for themselves or young employees who want to use their own personal devices at work, the proliferation of new and diverse mobile devices is a worldwide phenomenon. And the result is that even the most tech-savvy organisations are struggling to keep up and manage the changes.Considerable challenges… yet also opportunities User appetite for new mobile devices currently outstrips many organisations’ ability to manage their deployment, creating major challenges around security and cost. According to IDC, the top three challenges in supporting the mobile workforce are1: 1. Cost 17% 2. Managing devices 16% 3. Network security 13%Cost Control. Spending on mobile services is now greater than landline voice spend for most organisations. Indeed, it is not uncommon for a large organisation not to know how many mobile devices it has, or are being used. One BT customer in North America believed it had 8,000 devices but actually had 12,000 devices, meaning mobile spending was roughly 50 per cent higher than anticipated. Smartphones also drive up demand for bandwidth considerably and users can unknowingly rack up costly roaming charges. 3
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practiceManaging Devices. Most CIOs expect a future of substantial diversity. At the time of writing Apple’s iOS and Google’s Android are the dominant operating systems for smartphones* usurping BlackBerry. However, the market is undergoing rapid and constant change and as mobile devices are used for increasingly complex applications, they will become more difficult to manage and support. Rapid growth and mobile technology development exacerbates the pressure on IT departments, which are already struggling to keep up with the move towards more flexible working and user choice and self service. While nearly 60% of firms support personally owned smartphones at some level2, 26% provide no support for personal devices and 10% have no strategy at all.Security. End user enthusiasm for new mobile devices is creating unprecedented security problems that can put network integrity, data and the whole corporation at significant risk. A recent Forrester survey found that only 50% of organisations enforce a password policy for mobile devices3 and even fewer deploy device loss protection technologies. The cost of lost data has grown for US companies every year since 2006, reaching an average cost of $7.2 million in 20104. Unsurprisingly, only a minority of CIOs are convinced their current mobile security would satisfy an auditor5.Liability and compliance is a fourth challenge. The blurring of traditional models of IT ownership and corporate practice create urgent challenges around liability and compliance. Who owns what? Who is responsible for what and how does this affect corporate liability? It is only too easy to breach data protection or similar legislation by downloading customer data to a mobile device. A serious breach of the UK’s 1998 Data Protection Act can incur a fine of up to £500*000. Mobiles are easily lost; a survey of airports in the United States found that travellers left behind more than 11,000 laptops, tablets, smart phones and USB sticks in one year6. Challenges in supporting the mobile workforce7 4
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practice Yet the horror stories are more than balanced by the multiple opportunities that mobile devices can deliver.Increased productivity. When employees use a device that they prefer, can already use competently and to which they have a personal attachment, they will be more productive (and make fewer demands on the IT helpdesk, reducing the cost of support). Research for Citrix Online in France, Germany and the UK has shown that small and medium sized businesses that let employees use their own personal technology have seen productivity increases of up to 30 per cent8.Improved business continuity. When you equip employees with technology that lets them work anywhere, you build a far more resilient organisation and ensure greater business continuity in the face of extreme weather, civil unrest or simply major sporting events that disrupt travel.Attract & retain talent. Once it was company cars that attracted young high flyers. Now it is more likely to be a good work-life balance. Young people born between 1980 and 2000 are now entering the workplace. This ‘millennial’ generation has grown up with PCs* mobile phones and is highly connected. Mobile technology is an integral part of their personal lives and they want the same in their professional life. More flexible working, and being able to choose the tools they use have become important factors when it comes to employment.Managing mobile complexity – the questions you need to answer There is no such thing as a one-size-fits-all device. And with the speed at which the market is moving, there is no point basing a strategy around a device or manufacturer. “Managing the transition to a more mobile environment is emphatically not a procurement decision” says Christine Vincent. “Think of it in the same way as a company car policy. It would be madness to specify a single manufacturer or model, but you do need to be sure that employees are properly equipped with a vehicle that is fit for purpose, that they are happy to use and that provision is made for personal safety and corporate liability. So you have a corporate car policy that defines the range of vehicles, procurement options and services available to individual users. Now you need the same approach for mobile devices.” A mobile policy needs to address three broad questions: 1. Which model of procurement and liability best suits the organisation? 2. What levels of security are required? 3. How will costs be managed and controlled? 5
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practiceWhich model of procurement and liability best suits the organisation? There are four basic models of procurement/liability to consider, each with its own pros and cons. It is important to segment your workforce to identify different types of user and determine the best ownership model for different user types. Part of the answer will be defining the range of applications employees need access to, from simple Internet browsing and email access to the full corporate environment. Terms of use will be clearly defined in the company’s mobility policy (and for some instances* such as what happens to a device/SIM when an employee leaves, in employment terms and conditions Asset procurement and liability Option 1 Option 2 Option 3 Option 4 Device Employee Employee Company Company SIM Employee Company Employee Company For employees for whom mobile access to corporate applications is mission critical, or who hold or access sensitive data (such as senior executives, sales staff and critical service and support employees), a model of corporate provision and corporate liability is advisable (option 4). Not only does this enable you to impose the highest levels of corporate security but it also provides a fast-track route to restore any faulty devices and minimise downtime for key people, by completely wiping a lost or stolen device and rebuilding the replacement. For occasional mobile users, whose main mobile requirement is access to corporate email, a personally-liable model may be appropriate: both device and SIM or device only (options 1 and 2). However, this should be considered in the light of the company’s strategic goals, regulatory framework and mobile policy. BT believes that corporately provisioned and liable mobile services provide the most cost- effective model due to the beneficial mobile tariffs that enterprises can obtain from mobile operators. However, other options may be incorporated into a policy to provide flexibility within the organisation. There is little benefit in adopting the employee SIM, corporate device model (option 3). The organisation’s mobility policy should accommodate both corporate and employee- owned devices* and clearly define ‘acceptable use’. It is good practice to review the policy annually. ‘BYOD’ – Bring Your Own Device’ is a big trend. The following table sets out the pros and cons of allowing employees to buy and own their device and/or SIM card, which you should consider when developing a corporate mobility policy. 6
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practice Ownership Pros ConsEmployee provides/owns Reduces cost of providing access to User may opt for lower specification devicedevice. Company corporate applications for large and retain device allowanceprovides SIM group of mobile users Limited control and security of devices Control cost by setting device connecting to corporate network allowance Ambiguity around the responsibility for data Addresses changing user stored on a personal device preferences Risks of holding personal and business data, Boosts employee morale by and applications on a single device, including allowing device choice data security, malware and viruses User responsible for warranty and Requires strong policy, and corporate non-warranty replacements disclaimer, but difficult to police & administer User responsible for ordering and User dissatisfaction with control over their delivery device: security, apps available, replacement Users still call corporate IT helpdesk for assistance with set up, email and application support, and are more difficult to support Different platforms mean new skills may be needed at the helpdesk User confusion and downtime when device is faulty/missing Increased complexity in managing range of devices, operating systems and liability schemes User takes the device with them if they leave the companyEmployee owns/provides Employer only pays for business Personal invoices and call data recordsSIM calls or sets monthly usage cannot be consolidated to provide a full allowance global mobile expenditure view, making it User may not claim back personal difficult or impossible to manage costs calls Calls do not count towards corporate volume User responsible for bill payment commitment High street’ tariffs are more expensive than negotiated corporate tariffs Manual processes for monitoring usage are ignored Manual process for claiming is inefficient and has potential for error Unable to apply best practice to user behaviour 7
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practiceWhat levels of security are required? The traditional, centralised IT model that kept users and data secure has not always kept pace with change. Many organisations have inadequate security to protect mobile devices and corporate data. Only 50 per cent of organisations enforce a password policy for mobile devices 9 and as many as 21 per cent of people let their family use their work laptop to access the Internet10. A formal, enterprise-wide and process-driven approach is required, which includes educating users about their responsibilities and the risks of non-compliance with mobile security policy and practice. No one-size policy fits all. The following table includes some key questions and recommendations to help you develop a mobile security framework that suits your organisation. Recommendations How do users know how to The mobile policy defines acceptable use, including specific security measures protect their device/data? (do’s and don’ts) The policy is clearly communicated to users Users are asked to agree to acceptable usage How do we enforce A full inventory of who has what will provide a record of who is accessing the acceptable use? network and for what purpose Local privacy laws may govern how much monitoring is possible How do we secure Enforce encryption of data (especially customer data) on mobile devices confidential and sensitive Devices that do not support encryption may not be allowed to access enterprise data? systems Ensure that users have access only to the applications and data they need Ensure that data resident on devices can be remotely wiped when the device is decommissioned, lost, or stolen Include an employee responsibility for reporting of lost or stolen devices within the acceptable use policy How do we protect Implement a strong authentication policy, including passwords devices? Automatically wipe the device after 10 unsuccessful log ins Remotely lock or wipe devices that are reported lost or stolen Display a telephone number on the locked screen to be called in the event of someone finding a lost device Don’t put the company name or logo on devices How do we prevent Specify what is acceptable/unacceptable use downloads of unauthorised Use application blacklist and whitelist features of mobile device management apps/illegal downloads? products, including compliance reporting Develop an enterprise app store or use an Enterprise App Store service How do we support Identify service levels for each class of user different classes of user? Clearly communicate levels of support, so users know whom to call with a problem Require users to back up their own personal data Continue to educate users about enterprise mobility policies and practices What happens when Ensure there is a robust process for cancelling passwords, usernames and logins someone leaves? and for retrieving all authentication tokens and company-provided devices. 8
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practice Security will also need to take into account any industry-specific or regulatory requirements, and any circumstances particular to the organisation. There is no complete solution and user compliance is key to the success of any mobility security policy, so ongoing education and training are essential. Large organisations should consider Mobile Device Management solutions which secure, monitor, manage and supports mobile devices deployed across an enterprise.How will costs be managed and controlled? “Global enterprises struggle to get a handle on the rising costs associated with mobility and to understand and rationalise their inventory of services and devices across multiple carriers.” – Current Analysis, 2011 Managing the cost of enterprise mobility is a pressing need for many large organisations, very few of whom have good visibility or control of their mobile spending. Expenditure on mobile services remains subject to disparate local processes and minimal focused attention. Contracts with mobile operators are allowed to expire, leaving the enterprise paying uncompetitive rates; mobile invoices are left unchecked, billing errors go unnoticed; pooled plans are not regularly reviewed to ensure they are optimised to usage patterns; and mobile policy is not updated to keep up to date with changing user behaviour, pushing up costs in new areas such as data consumption. Neither the organisation nor the user knows what ‘good’ should look like. Managing mobile costs is complex, but the financial gains are significant. For example, simply implementing strong corporate mobility policies and tools that actively reduce usage can typically deliver savings of between five and 20 per cent11 Purchasing and procurement of better mobile tariffs can also reduce costs by five to 20 per cent12. Telecoms expense management (TEM) and Mobile Lifecycle Management (MLM) services can help large organisations control mobility costs, optimise internal processes and manage usage levels. Such third party services can deliver improvements in mobility strategy that generate savings of up to 30 per cent on an organisation’s mobile costs. The following table highlights areas of mobile cost management, and details the range of choices. 9
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practiceArea of cost Questions to consider Possible outcomesHardware What type of device does the user A basic mobile phone, to make and receive calls and text when need to do his/her job? away from the desk, or in case of emergency A smartphone or tablet (e.g. BlackBerry, Apple etc) to access email and business applications, as well make/receive calls when away from the desk Data card, to provide remote connectivity for laptop What devices and tablets and None mobile operating systems can the Basic mobile phones organisation support? BlackBerry/BlackBerry PlayBook iPhone/iPad Android/Android Tablet Other smartphones/tablets Who pays for the hardware? Full payment by the organisation Full payment by the individual User has an allowance towards device hardware How will we manage the hardware User purchases device and claims back via expenses allowance? Organisation purchases devices and claims back excess from user (e.g. via payroll). What processes are in place to None manage the hardware allowance? Some, mainly manual Fully documented and automated How do we ensure users only A service catalogue from which users place orders order devices in line with company There is a defined workflow for the authorisation of orders policy? All orders are processed through a central order point There is limited or no control of orders How do we identify orders placed Manual validation of invoices against our inventory and known outside the authorised process? orders Automated validation of invoices against our inventory and known orders There are limited or no checks on this How do we check mobile Manual check of hardware costs against the contract operators are billing correctly for Automated check of hardware costs against the contract hardware? There are limited or no checks on this Are there any tax implications to Hardware fund is not taxable in country take into considerations? Hardware fund is taxable and is managed through payroll What policy do we have for in/out None warranty replacement and device Some, mainly manual refresh? Fully documented and automatedService How do we identify which service Service package information is collated manually as part of thesubscription packages are provided to users? inventory This information is collated automatically into the inventory Limited or no information is maintained How do we ensure that users have Manual checks are carried out on random users the right packages for their usage Manual checks are carried out on targeted users profile? Automated checks are completed and a set of service package changes is produced to be actioned by the mobile operator This is checked as part of the contract renewal Limited or no pro-active checks are carried out How do we find out about new Regular dialogue with the mobile operator packages available from mobile Checks are made via the internet to understand what packages operators? may be available, followed up with dialogue with the mobile operator Rely on the mobile operator to tell us Checked as part of the contract renewal Limited or no pro-active investigations are carried out 10
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practiceArea of cost Questions to consider Possible outcomes How do we check that mobile Manual check of random subscription costs and discounts operators are billing us accurately against the contract and applying the correct level of Manual check of targeted subscription costs and discounts discount? against the contract Automated check of subscription costs and discounts against the contract There are limited or no checks on this How do we identify connections A manual record is maintained of numbers without usage, and that are no longer used but for manually checked to see if this is ongoing which we are still paying An automated check is completed to identify numbers that subscription charges? have no usage for more than three months There are no checks to identify these devicesUsage Do we allow personal usage on Yes, reasonable usage corporate-provided devices? Yes, users are allowed to use their mobile device for both business and personal usage No, the mobile device is for business use only Does our mobile policy include Yes, we have a fully documented mobile policy guidance on personal usage? There is some reference to personal usage in our policy There is no reference to usage in our policy There is no mobile policy in place How do we handle tax on personal The user self-certifies personal usage usage? Personal usage in handled via payroll Users pay for personal usage to mitigate tax implications Does our mobile contract include a Yes discount dependent on a spend No target? How do we monitor user Manual checks are carried out on random users and call types behaviour? Manual check are targeted at high spenders and certain call types Automated checks are completed with usage and behaviour reports There are limited or no checks on this Can our users see their mobile Yes, users have access to their spend via the mobile operator spend each month? Yes, users receive a formal spending report No, users have no sight of their monthly spend Are our users aware of what is Yes, our mobile policy defines ‘reasonable usage’ and users ‘reasonable usage’? who exceed this level are informed Yes, our mobile policy defines ‘reasonable usage’ and requires user self management We do not define ‘reasonable usage’ How do we implement best Based on manual analysis of the usage, targeted users are practice? advised of best practice Generic best practice messages are sent to all mobile users There is no best practice process in place Can we chargeback personal usage Yes, there is a set allowance for mobile expenditure on to users? personal calls; spending over this level is charged back to the user The user pays the full invoice and claims back a set monthly allowance Users are able to ‘tag’ their personal calls which are charged back each month to the user There is no mechanism in place to charge back personal calls. 11
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practiceMaking it work A conservative approach is advisable - softly, softly in preference to big bang. There is still a lot to learn for the mobile employee and employer. A clear and comprehensive mobile policy is a priority, and it must be supported by education and training. The organisation should strive to encourage good practice and aim for user self-management. “Just as company car drivers know what they can and can’t do with their car*” says Christine Vincent* “in time* mobile users will develop the same sixth sense of what is acceptable and unacceptable practice, and the company will become adept at monitoring and improving mobile behaviours.” Mobile technology can transform business performance, improving productivity, opening up new markets and stimulating new ways of thinking and working. A practical, robust and responsive corporate mobility policy is the starting point for the organisation’s exploration of how to take advantage of mobile technologies for the benefit of all its stakeholders. An experienced practitioner of mobile working in its own business, BT is also a network-independent provider of Mobility Lifecycle Management services that help organisations implement mobility policies and introduce good practice. For further information please contact christine.2.vincent@bt.com 12
  • Living with the genie: the consumerisation of workplace technology A guide to developing policy and practice1 IDC EMEA Enterprise Mobility Survey 2010, Western Europe Sample2 Enterprise And SMB Networks And Telecommunications Survey, North America And Europe, Q1 2011, Forrester3 Tablets Pave Way For Mobile Development: Security Pros Must Get Ahead Of App Dev Wave, Forrester 20114 2010 Annual Study:U.S. Cost of a Data Breach, Ponemon/Symantec March 20115 CIOs attitude toward consumerization of Mobile Devices and Applications », May 20116 CREDANT Technologies July 2011 http://www.credant.com/news-a-events/press-releases/436-credant-survey-finds-consumers-left-thousands-of-laptops-and-smart-phones-at-airports-across-the-united-states.html7 IDC EMEA Enterprise Mobility Survey 2010, Western Europe Sample, N756 (UK, Fra, Ger, Ita, Spa, Neth, Swe)8 http://news.citrixonline.com/news_release/Consumerisation-of-Technology-Driving-Dramatic-Productivity-Gains-in-One-in-Three-Businesses/?p=19889 Tablets Pave Way For Mobile Development: Security Pros Must Get Ahead Of App Dev Wave, Forrester 201110 http://globalservices.bt.com/static/assets/insights_and_ideas/risk_resilience/pdf/btgs_gs09_6thingsuneed2knowin2010_whitepaperFINAL.PDF11 BT MME brochure 201012 BT MME brochure 2010Offices worldwideThe services described in this publication are subjectto availability and may be modified from time to time.Services and equipment are provided subject to BritishTelecommunications plc’s respective standard conditionsof contract. Nothing in this publication forms any part ofany contract.© British Telecommunications plc 2011.Registered office: 81 Newgate Street, London EC1A 7AJRegistered in England No: 1800000 13