MOBILE DEVICE MANAGEMENT

Upload: hacong

Post on 01-Sep-2018


…OR PRETTY MUCH EVERYTHING YOU NEED TO KNOW ABOUT MOBILE DEVICES IN THE WORKPLACE!

47% of all employees now use their smartphone, tablet PC or other portable device for work purposes. SOURCE: YOUGOV SURVEY

• BYOD (bring your own device) is simply where employees use their own smartphone, tablet PC or other portable device for work

• CYOD (choose your own device) is where employees are provided with specified company devices

24% of consumers use a smartphone or tablet as their primary, work-related computing device. SOURCE: SAMSUNG

The purpose of this guide is to provide a practical understanding of:

1. The challenges of managing mobile devices in the workplace: governance and compliance, device and application management

2. The benefits mobile brings in terms of ease and flexibility and how we can help keep your data safe and secure

3. The support that’ll be available should your phone become lost or you just need a bit of extra advice


1. MAN CREATED THE MOBILE DEVICE AND SAW THAT IT WAS GOOD - FOR OUR BUSINESS

2. WONDERS OF THE MDM WORLD

3. THE SEVEN DEADLY SINS: HOW NOT TO DO IT

4. THE 10 COMMANDMENTS: THE LAW AND MORE

5. SEVEN STEPS TO HEAVEN: OUR VERY OWN MOBILE DEVICE PRINCIPLES

6. HEAVEN ON EARTH: ENROLMENT GUIDES FOR MOBILE DEVICES


The six pillars of Mobile Device Management (MDM)


1. MAN CREATED THE MOBILE DEVICE AND SAW THAT IT WAS GOOD - FOR OUR BUSINESS

Why?

1. Increased performance
2. Enhanced protection
3. Greater flexibility
4. Cost savings
5. Simplified IT infrastructure
6. Convenience
7. Ease


2. WONDERS OF THE MDM WORLD

I. Increased performance: ultimately giving you the freedom to work on any device. We’re more productive while travelling or working away from the office if we are comfortable with the device we’re using.

II. Enhanced protection: Data on our mobile devices will be better protected with enhanced encryption and more secure pass codes.

III. Greater flexibility: In the long term our MDM policy will ease the process of selecting and managing a mobile provider and plan.

IV. Cost savings: By reducing our corporate mobile plan, we will also save money due to lower costs associated with individually managed call, data and SMS plans.

V. Simplified IT infrastructure: The management and cost overhead will be significantly reduced along with the need for IT to purchase mobile devices when, let’s face it, lots of us already have our own.

VI. Convenience: Having just one device for everything has to be better than carrying around a sackful of technology!

VII. Ease: We will have more tools that fit our culture of self-help.

4 personal gains of mobile for employees are: more flexible working hours, the ability to foster creativity, faster innovation, and greater teamwork/collaboration. SOURCE: DELL


59% of companies believe they would be at a competitive disadvantage without BYOD. SOURCE: DELL

We are working towards a world where BYOD will be commonplace, so we need to be prepared as there are serious consequences to poor mobile device management.

For example, if customer data has not been encrypted on an employee’s personal mobile device and that leads to a breach in customer data, the business itself is responsible and liable to a fine of up to £500,000 by the Information Commissioner’s Office (ICO).

If we want to reap the benefits of mobile working, it’s important we’re aware of the seven deadly sins of mobile device management. So let us begin…

3. THE SEVEN DEADLY SINS: HOW NOT TO DO IT

67% of respondents said that the ability to manage and secure devices running on different operating systems is critical or very important. SOURCE: IDG SURVEY

I. Doing nothing: Taking no action is dangerous as it makes each individual responsible for how they share and collaborate (which doesn’t seem very #together). It also creates ‘shadow IT’ that bypasses our controls and can lead to a bring-your-own-applications (BYOA) scenario, which raises compliance and security concerns.

II. Hasty purchasing decisions: As the business’s trusted advisor, one of our guiding principles in IT is to avoid buying technology that doesn’t fit with our long-term strategy. To do so risks wasting money on kit that doesn’t suit our needs. The very process of developing a policy has forced us to address the mobile and data requirements of each part of the business. This has helped us to work out what technologies are best.

III. Heavy admin: Although mobile device management may increase our productivity, complicated admin to manage this could lead to a stint in purgatory. So our approach is about freeing up IT managers’ time for more strategic, business-focused stuff. Above all we’re trying to avoid swapping the management of a standardised fleet of devices for the management and security of multiple platforms over which we have little visibility or control.

IV. Narrow scope of device support: We want to enable colleagues to use the devices that THEY choose, whether corporate or personal. Choices are expanding every day as manufacturers bring new upgrades and devices to market, so we’re making the effort now to handle this, thinking not only of what might be around today, but what we’ll be supporting in the future.

46% of end users surveyed said network performance negatively affects mobile devices the most. SOURCE: GARTNER

V. Complicated support: We’re keeping it simple for colleagues by creating access to a range of apps that will improve our service and ensure enrolment is quick and easy (see device guides).

VI. Not separating - and respecting - personal data: Lots of people read emails on their smartphones and tablets, blurring the boundary between personal and work. This raises security concerns. Users don’t necessarily update and protect their own devices as they should, which potentially exposes their operating system and applications, making us, our network and our data vulnerable. Having a policy that clearly defines what is and is not allowed is crucial. We’re addressing this issue by having ‘partitions’ - or ‘profiles’ - if colleagues use their own device: one profile for personal and one for work. This gives colleagues the freedom to use their devices for stuff that’s not work-related while providing the level of security required by IT.

This way, the work environment is fully encrypted, managed and secure!

“YOU NEED TO MANAGE GROWING WORKFORCE EXPECTATIONS AROUND MOBILITY. YOUR EMPLOYEES USE MANY DEVICES AND THEY EXPECT TO USE ANY DEVICE OR APPLICATION ANYTIME, ANYWHERE.” SOURCE: GARTNER

78% of employees believe that having a single mobile device helps balance employees’ work and personal lives. SOURCE: SAMSUNG

77% of employees haven’t received any education about the risks associated with mobile devices in the workplace. SOURCE: 2013 DATA PROTECTION TRENDS RESEARCH, CONDUCTED BY PONEMON INSTITUTE

VII. Poor enforcement of corporate and personal device policies: It’s simply not great if our IT gurus aren’t able to approve or deny access to our networks for devices, whether they’re personally owned or company provided.

Separating personal from work space – partitioning – reduces the number of policies we need to manage mobile risks effectively and makes it easier to manage policies across a range of devices.

FEWER THAN HALF OF ORGANISATIONS HAVE POLICIES IN PLACE THAT MANAGE THE RISKS PRESENTED BY PERSONALLY OWNED DEVICES EXTREMELY OR VERY WELL. SOURCE: COMPUTER WORLD QUICK POLL RESEARCH: BYOD NOT ALL IT’S CRACKED UP TO BE?

“We’re finally reaching the point where IT officially recognises what has always been going on: people use their business device for non-work purposes. They often use a personal device in business. Once you realise that, you’ll understand you need to protect data in another way besides locking down the full device. It is essential that IT specify which platforms will be supported and how; what service levels a user should expect; what the user’s own responsibilities and risks are; who qualifies; and that IT provides guidelines for employees purchasing a personal device for use at work, such as minimum requirements for operating systems.”

David Willis, vice president, Gartner

BYOD could cause you to violate rules, regulations, trust, intellectual property and other critical business obligations. SOURCE: GARTNER

Mobile device management can create a conflict between agility and compliance. Technological advances usually run faster than the law. In particular, when personal data sits next to corporate data on a mobile device, it’s a recipe for disaster. If we fail to secure personal devices with encryption and passwords and corporate data is subsequently breached, ultimately it’s the company that’s responsible.

There are two key pieces of legislation that we need to comply with:

Under the Data Protection Act (DPA) 1998, companies must make employees aware of what personal data the business is collecting, how it’s being used, where it’s stored and who can access it.

The Information Commissioner’s Office (ICO) enforces the law and can levy fines of up to £500,000 for serious data breaches. As the bare minimum data security standard, the ICO advocates encryption.

We should all be aware of their Bring your own device guide.


“The data controller must remain in control of the personal data for which he is responsible, regardless of the ownership of the device used to carry out the processing.” SOURCE: ICO

There is also the European Union Data Protection Directive of 1995 – Draft for Data Protection Regulation. It says that employees must give their explicit consent for an organisation to access and process their personal data. It also says that organisations processing personal data must take the appropriate technical and organisational measures to ensure data is secured. These measures include encryption on devices and a PIN policy.

In relation to the DPA, the ICO gives specific guidance on using personal mobile devices for work purposes.

In particular, the ICO stipulates that BYOD means that the organisation or data controller may not own the device or have direct control over it. However, because the devices are being used to access and store corporate information as well as that of the individual mobile user, appropriate security must be in place to prevent personal data about corporate customers held on an employee’s device from being compromised – whether accidentally or deliberately.

4. THE 10 COMMANDMENTS: THE LAW AND MORE

I. THINE CORPORATION SHALT NOT OWN THE DEVICE IF IT IS TO BE TRULY BYOD

II. THOU SHALT NOT BLUR PERSONAL AND BUSINESS USAGE, AND MUST RESPECT THINE COLLEAGUE’S RIGHT TO PRIVACY

III. THOU SHALT TAKE FULL RESPONSIBILITY FOR CUSTOMER DATA, INCLUDING ASSESSING WHAT DATA IS HELD ON A COLLEAGUE’S DEVICE, WHERE DATA MAY BE STORED, HOW IT IS TRANSFERRED AND THE POTENTIAL FOR DATA LEAKS

IV. THOU SHALT ENCRYPT AND PIN

V. THOU SHALT ASSESS ALL DEVICE SECURITY CAPABILITIES

VI. THOU SHALT HAVE A PROCESS FOR DEALING WITH THE LOSS, THEFT, FAILURE AND SUPPORT OF A DEVICE

VII. THOU SHALT IMPLEMENT ISO 27001

VIII. THOU SHALT BE AWARE OF AND ADHERE TO SECTOR-SPECIFIC REGULATORY AND COMPLIANCE RULES

IX. COLLEAGUES SHALL AGREE TO FOLLOW SD’S POLICY, WHICH CLEARLY SETS OUT OUR RESPONSIBILITIES

X. THOU SHALT HAVE AN EXIT PROCESS WHEN A DEVICE OWNER LEAVES

Getting this right isn’t easy, but the alternatives are worse – loss of reputation, earnings, customers and hefty fines.

This is where the MDM policy comes in, and where colleagues are also held accountable for their part.

Failure is not an option!


Companies with well-established BYOD policies are the least likely to experience any kind of setbacks, with over a quarter of this group experiencing none at all. SOURCE: DELL

According to the Information Commissioner’s Office (ICO), it is crucial that users connecting their own devices to an organisation’s IT systems clearly understand their responsibilities. And, once in place, the policy must not be forgotten about. The ICO advocates regular audits and compliance monitoring to ensure that the policy is being adhered to.

67% of people use personal devices at work, regardless of the office’s official BYOD policy. SOURCE: MICROSOFT

5. SEVEN STEPS TO HEAVEN: OUR VERY OWN MOBILE DEVICE PRINCIPLES

The guiding principles of our mobile device policy

1. Provide guidance and accountability

2. Consult relevant people – this has included HR, as well as colleagues of course

3. Specify the types of personal data and applications that can be used and the types that can’t

4. Consider where data is stored and use passwords, PINs and encryption

5. Maintain a clear separation of personal and company data

6. Consider how data is transferred and ensure monitoring is not draconian but meets compliance standards while protecting personal privacy

7. Have a loss or theft policy that enables us to remotely wipe company data if we need to

6. HEAVEN ON EARTH: ENROLMENT GUIDES FOR MOBILE DEVICES

If you need specific help to enrol your device, please contact us.

• Android

• Android (Samsung)

• Windows Phone

• iOS

Contact us