Who Should Own Your Smartphones?
It's time for IT to face facts: The great corporate barrier against employees using personal smartphones has been breached.
Despite everything you may believe about the need to control employee access and equipment, more and more companies are easing the reins on employee-owned smartphones in the corporate environment.
C-level executives are no longer alone in demanding exceptions for their iPhones. Half of the smartphones in use among U.S. and Canadian businesses are not company-issued equipment, according to a recent report from Forrester Research. In fact, some organizations are even subsidizing employees' service plans as an easy way to avoid the procurement and management headaches of an increasingly standard piece of work equipment. But should you?
Several issues beyond access and security are worth considering before you decide who should own your employees' smartphones. But take note: Smartphone use among U.S.-based information workers is expected to triple by 2013, according to Forrester. The time to establish your smartphone ownership plan is now.
Employee-owned smartphones: A question of money Subsidizing employees' use of their own mobile devices seems like a great way to contain cell phone costs. After all, reimbursing a flat fee for work usage of employees' phones can cap your monthly per-user costs and reduce the likelihood of inactive cell phones going unnoticed on the rolls. Moreover, you can eliminate the need to fight with carriers over billing or to outsource this activity to a TEM (telecom expense management) firm to ensure you're not being cheated. (To get a sense of severity of carrier billing issues, consider this: Even after paying TEM firms to review and fix billing issues, TEM clients come out ahead, saving real money on their telecom bills.)
But moving to a subsidized, employee-owned smartphone plan probably won't save you money, says Michael Voellinger, executive vice president at Telwares, a telecom services and consulting firm with a long history in the TEM business.
"It's usually a wash," says Voellinger, whose firm has seen some clients save money this way, while others ended up spending more.
Why isn't a capped per-user payment cheaper than setting up and managing a company-wide plan? Because many of the issues that come with employer-paid smartphones also apply when paid by the employee.
For example, if an employee goes overseas and incurs roaming costs, who pays? Or when an employee exceeds a data plan's limits for work purposes, how do you determine your share of this cost? As it turns out, your largest cost ends up being staff time to figure out and process these exceptions as they occur, not the specific extra charges themselves, Voellinger notes.
Moreover, if smartphone charges are treated as a reimbursable expense, it becomes difficult to quantify your telecom spend across the organization. In essence, you're burying the data, which tends to lead to unnecessary usage and, thus, higher costs.
Employer-owned smartphones: A question of management Of course, many companies that issue smartphones to employees do a poor job monitoring and keeping track of devices. This often leads to some employee usage bills of several thousand dollars on any given month, as well as "ghost" devices that continue to be paid for even after the employee is gone.
Voellinger advises companies to consider the context of their employees' smartphone use before settling on a strategy. For example, if most employees' use of smartphones for work purposes is limited, then a subsidized, employee-owned smartphone plan can make sense, as it adds convenience at a predictable cost. This approach can also make sense for dispersed organizations, especially those spanning multiple countries, as no single carrier can meet all of their smartphone needs, thereby reducing savings typically available via group discounts and bulk purchases.
But subsidizing employees' personal smartphone use could end up costing much more than an organization-wide plan from a single carrier, Voellinger notes, especially when reliance on mobile minutes and bytes is heavy. For some businesses, cost won't be the deciding factor: Strict auditing or compliance standards may require you to keep personal and corporate systems separate.
Although Voellinger advises companies to issue and manage employee smartphones, he says some companies will nonetheless end up with personal devices in use and should factor them into their policies and systems. (Voellinger walks through many of the considerations in his own blog.)
Your smartphone strategy: Obtaining the right mix Of course, your smartphone strategy need not be black-and-white. Some companies may want to mix employee subsidies for some users with company-provided devices for other users, Voellinger suggests. In other words, you may have several classes of users and choose a different provisioning and cost strategy for each.
Forrester analyst Ted Schadler strongly recommends dividing your information workers into several groups based on how their mobile enablement benefits the company. "Don't treat everyone the same," he says.
For example, you might segment your staff as follows:
When considering costs, don't forget that there is more than just service plans and device costs. The complexity of supporting multiple kinds of smartphones -- a mix of BlackBerrys, Windows Mobile devices, and iPhones -- adds a cost as well, Voellinger notes. The price for that extra support could neutralize any savings you earn focusing entirely on cell phone access charges.
Then again, that cost could be worth it, Voellinger notes, as it allows you to use the right smartphone for the job. This approach often bolsters employee productivity through increased satisfaction, given the expectations of today's employees, Voellinger says: "What makes my blood boil is that an employee gets downgraded when they walk in the door" compared with what they use at home. The employee's reaction is increasingly likely to be, "You're seriously going to hand me XP Pro and a BlackBerry Curve?"
And don't forget that company-issued and company-managed smartphones have their own support costs, not just for employee support but also for billing and asset management.
Navigating the smartphone's dual-use nature One argument for allowing employees to use their own smartphones for work purposes is that carrying two devices and having two mobile phone numbers is a pain.
Sure, people have long had personal phones at home and office phones at work, but because people carry their smartphones with them most of the time, it can be an employee-friendly policy to let them use just one device for both purposes. It could be a personal device that's subsidized for work usage or a work device that allows personal usage to a certain cost limit.
People take care of personal issues on their work phones and take work calls at home, so allowing for the same mix on a cell phone isn't a stretch. Data capabilities, however, provide a new wrinkle, and the fact that employees' smartphones can store and access company information such as emails, contacts, calendars, and documents is enough to make many IT and security pros wince at the thought of dual use.
This problem is not unique to smartphones. Many employees work at home -- and even at the office -- on personal computers. A December 2009 Gartner survey estimates that 10 percent of midsize businesses allow employees to use their own personal laptop at work, a figure expected to rise to 14 percent this year. Also, some users play games, check personal email, or run iTunes or Windows Media Player at work to listen to their personal music on their work computers.
"The focus is on mobile, but the problem is universal. What's the demarcation? There is none," says Telwares' Voellinger. "By owning the asset [the smartphone or PC], is the prevention [of abuse or breach] any different? The risk is still the same."
That's why the "secret" to smartphone management is "treating employees like grown-ups and using a 'trust and verify' model for policy control," Forrester's Schadler says. "You have to stop treating it as an IT policing issue and instead treat it as a business risk management question."
More and more companies are making this shift in their thinking, Schadler says, not just for smartphones but also for bring-your-own PCs (and Macs) and other user-facing technologies.
Yet for smartphones, the dual-use bar for managing access and data security is quite different, given that most smartphones don't yet offer PC-level security and management capabilities.
For example, it's fairly straightforward to require the use of encryption, certificates, and other security tools on Windows PCs, no matter who owns them, thereby allowing IT to ensure that a home PC is secured the same way as a work one. (For Macs, it's not quite as easy, but still largely possible.) But for smartphones, security and management capabilities vary greatly from device to device. BlackBerrys and Windows Mobile devices can enforce PC-level security and data management if the business has the right policy servers in place. But for iPhones, only some policies can be enforced. Even fewer are enforceable on Palm Pres and Nokia Symbian devices, and almost none are enforceable on Google Android devices. Third-party tools are beginning to change that reality, but by and large it's fair to say that you can't control the data and access on these newer devices at the same level you can a home PC.
"You need to strike a balance between an IT-controlled management tool set such as you have built for desktop management and employee-led management, where employees are responsible for their own devices," says Schadler. "That balance point will vary based on your industry and culture."
Surprise: You probably can't control as much as you may want Further complicating this issue are the legal ramifications of dual-use devices.
The laws on what employers can do with employees' personal equipment and accounts haven't caught up to today's mix of devices and cloud services, notes Peter Vogel, an attorney at Gardere Wynne Sewell who specializes in Internet, computer, and e-discovery issues. There are plenty of misunderstandings as to what a business can and can't control.
Despite the legal ambiguity from conflicting court decisions and the lack of precedent in many areas, patterns have developed in cases involving home PCs and other personal technology that may influence your smartphone ownership strategy.
For example, corporate email belongs to the company, and the company has full access to it, no matter where the employee accesses it. Plus, the company can set policies for what is transmitted through corporate email.
"But email issues are complicated by employees who use Webmail services such as Gmail, AOL, and Hotmail to conduct company business. Many courts have ruled that employers lose confidentially and potentially valuable trade secrets when employees send confidential information via Webmail," Vogel says. That reasoning could easily be applied to the use of personal smartphones.
International issues also pop up, Vogel notes: "Generally in the U.S. emails are private to employers, while in the E.U., Canada, and Japan emails are private to employees. Furthermore, in the E.U. there are data privacy laws for individuals called the 1995 Data Directive that permits citizens of the E.U. to access any computer that contains data about them and change that data. The U.S. has nothing like this at all, and when there is communications between the E.U. and U.S., determining which law applies gets very complicated."
In a 2008 case, a federal court ruled that text messages on police department-paid pagers belonged to the police officers, not the police department, because the messages were stored by a carrier. The department wanted the messages to see which were personal so that they could calculate how much the officers owed the department for personal use. Vogel says this case was decided on very narrow grounds -- the fact that the messages were stored at the carrier, which is subject to different laws than a company that stores its own records -- but nonetheless raises the kind of ambiguity sure to surface as smartphones are used increasingly for both personal and corporate activities.
You might try to deal with these and other issues through employment agreements, Vogel suggests.
"Generally employees are bound to the terms of employment agreements," he explains. "So if the employment agreement states that the employees provide their own PDAs or smartphones but the employer pays a monthly allowance, one would have to look at the terms of the employment agreement to see if the employee is entitled to privacy."
But "generally just having a corporate policy is not enough without some affirmation of the employees to agree," Vogel notes. "Companies run the risk that courts will conclude that even though corporate policies are in place, they are either unenforced or selectively enforced. As a result, without rigid enforcement, a company cannot depend on the courts to adopt these corporate policies regarding who owns emails and text messages and who is entitled to privacy."
Another issue: What information on these devices is discoverable in a court case?
"Every state is wrestling with this," says Telwares' Voellinger. "Pennsylvania, for example, assumes that the moment information goes out onto public networks, it's discoverable." That could cover anything delivered through the Internet, for example, which smartphones and PCs use routinely.
The practical issues of personal smartphone use Beyond the law are practical considerations: If an employee uses a personal smartphone for business purposes and then leaves the company, customers and partners can still contact that former employee -- and may not know how to contact his or her replacement. If the company issues the smartphone, the phone number can be moved to another employee, Voellinger notes. But this risk is not that new nor is it smartphone-specific.
Moreover, although BlackBerrys, Windows Mobile devices, iPhones, and Palm Pres support remote-wipe capabilities, there's a risk that an employee-owned device could still retain corporate data when the employee leaves, Voellinger says. The risk here can be largely managed by requiring employees to use smartphones that meet specific requirements, so the devices you let access your networks are ones you know you can manage as needed, no matter who owns them.
Some employees may be less apt to answer a personal smartphone after hours when it is subsidized by the employer than to answer a work smartphone issued by the employer, Voellinger says. The reason: The employee figures the subsidy just applies to work hours, especially if getting reimbursed for extra work usage is a painful process. On the other hand, if the phone is routinely used for work and business purposes, there may be no rigid work/home time boundaries in the employees' mind.
Forrester's Schadler also recommends that your corporate policy be thought out more than most are: "Most firms that support iPhones require their employees to sign a statement that lets the company do a remote wipe on the device and implement other policies in exchange for application support. [We recommend that you] extend this policy-based approach to cover jailbreaking, password requirements, and use of features such as cameras and GPS for work purposes."
In the end, who should own your smartphone? Sometimes the employee, sometimes the company, and sometimes one of each. There are good reasons for all three scenarios, even in the same company. The trick is to understand the ownership options that make the most sense in your context, not fall back to "this is how we've always done it."
Read more about mobilize in InfoWorld's Mobilize Channel.