While Bring Your Own Devices (BYOD) policies have given workers the freedom and flexibility to work anywhere on their own personal devices, they also create security risks for enterprises.
For one thing, overwhelmed and understaffed IT departments now find themselves having to manage a plethora of personal devices, each desiring access to closely guarded corporate information.
These devices are often locked down with restrictions and security hoops, driving employees to avoid IT oversight and putting the security of their organisations at risk.
Indeed, the security concerns of BYOD – and the associated cost of IT support – have led some organisations to move away from BYOD to let employees choose their own device (or CYOD) from a list of corporate-owned devices.
In CYOD, however, employees are allowed to use their devices for business purposes only, which means they are back to carrying an additional device to read private e-mails or catch up on Facebook feeds.
To achieve the best of both worlds – BYOD and CYOD – some organisations are now dabbling in what’s known as a Corporate Owned, Privately Enabled or COPE strategy.
According to a BlackBerry whitepaper on COPE, a COPE-governed enterprise mobility plan is one that provides employees with the ability to choose from a selection of corporate-owned and approved devices, which most likely have been pre-configured with separate work and personal environments.
COPE is viewed by many IT managers as an “eat it too” proposition, as it essentially combines the control that is a hallmark of CYOD with the end-user appeal of BYOD.
“An archetypical COPE deployment would be one that delivers unfettered productivity and superior user satisfaction, without the nausea-inducing complexity and vulnerabilities associated with loosely governed BYOD policies.”
But how should organisations decide if they should go with BYOD, CYOD or COPE? Neville Burdan, general manager for end-user computing at Dimension Data, said it all boils down to the issue of data sovereignty and compliance.
In government and regulated industries, such as banking and finance, organisations tend to favour COPE, because they want to own and manage all their devices, while reducing the need for employees to carry two devices, Burdan said.
“In ‘looser’ industries where data sovereignty is not as important, companies will consider BYOD or CYOD based on the cost of IT support,” he added.
Burdan noted that in BYOD, companies are realising that support costs can quickly escalate if employees use personal devices that have not been tested in a corporate environment.
“Many are thus limiting BYOD devices to those that have been tested by corporate IT,” he said.
For companies considering a COPE strategy, Burdan said it is important to lay the ground rules through user policies.
“Acceptable use policies have to clear and concise, not only for the company, but also for users who should understand what they should or should not be doing with their COPE devices,” he said.
One area that such policies should address is how data is treated on COPE devices, Burdan said.
“While corporate data belongs to the company, personal data could be destroyed should malware find its way into a device. So, users should be expected to back up their own personal data on a COPE device,” he said.
On the peculiarities of Asian companies in implementing enterprise mobility, Burdan said many tend to implement the technology first without a user policy. “They get a throwback from users, and this pauses the rollout for six to 12 months,” he said.
