Trying to understand and balance an ownership model for your organization is not always as simple as needing a cost-effective mobile program such as BYOD (Bring Your Own Devices) or being in a regulated industry where your mobile population must be business only (COBO, Corporate Owned, Business Only).
Many businesses will find that they need to have a more flexible or hybrid ownership model to accommodate their security needs as well as the needs of their employees, many of whom already carry devices with them all day long.
In the last ten years, the proliferation of smartphones and laptops has changed the paradigm in how we use our devices: employees who are given corporate devices also using them for private activities, and the opposite – employees using personal devices for work-related tasks.
The first scenario has been a challenge since the inception of company issued devices, as employees not only want to use their devices to work but to facilitate their own lives, family reaching out via pagers, in the US Nextel’s PTT amongst friend and family and now employees want to check their private emails, read online news, and use other apps like social media, games, etc. all on one device without having to carry another device.
The latter scenario has come to prominence more recently, with everyone owning and using at least one device if not several. Some companies initially saw the opportunity to be flexible by allowing employees to use their personal devices at work with minor updates to the corporate infrastructure.
Let us explore all these ownership model options, highlight their pros, and consider their cons to help you understand which ones are best for your own environment.
Bring Your Own Device (BYOD) is used in organizations where employees can use their own personal mobile device for work tasks like accessing their work mail, apps, etc. without compromising security.
IT has little to no control over the device, so in this scenario we recommended using a containerized solution to ensure corporate data both at rest and in transit are strongly secure, independently of the device security posture. Although this might come with immediate cost savings (no need to purchase/provide mobile devices for employees), it has its own limitations and challenges.
One of these challenges is the sheer variety of devices, which can make Service Desk life hard as they will have to virtually support an infinite number of devices, not to mention compatibility and limitation issues with enterprise apps.
Another setback is considering what happens when a device is lost, broken, or stolen. The employee may not be able to buy the same type of device and could purchase a new one that does not meet your organizational security requirements. Furthermore, employees might not be inclined to place work-related phone calls using their private phone number, or spending their monthly data rate on work-related traffic, while paying for it entirely.
Corporate Owned Business Only (COBO) is a deployment where full control over device and data is required with little-to-no room for private usage – typically for regulated environments (Federal administration, government, etc.). This might be one of the easiest models in term of management and administration as only a curated number of devices are pre-approved with a defined set of vetted enterprise apps.
While this is the most secure, ideal option for regulated environments, the downside is the end-user acceptance; no room is allowed for end-users to install personal apps and store personal data (e.g., photos) and users likely do not want to carry two devices all day, so most will leave it at the office when the business day is over. But in most scenarios where COBO is selected, this is not a problem as these devices are considered just another tool in the employee toolbox.
Corporate Owned Personally Enabled (COPE) deployments are when the device belongs to the company and work data is stored, but the device is also enterprise-managed/controlled and leaves the user with a wall-garden for their private apps and data. In other words, this management mode provides a good balance between BYOD and COBO without compromising corporate data security.
This is also true for making phone calls and using the data plan. Furthermore, with Dual SIM support or eSIM technology, it is even possible for the employees to add their existing private subscriptions to their phone, so it is used for anything private, while the corporate subscription is designated for anything related to work.
To avoid the burden of the cost (device and phone/data line) and engage the employees even more in the digital workplace transformation, some organizations leverage a MDaaS (for Mobile Device as a Service) program as an option to offset the cost of ownership: employees can pick up the device of their choice from a curated, pre-approved list of compatible devices and are compensated.
This has demonstrated that employees take better care of their device in the long term, and the company will be able to negotiate better deals due to the high volume of devices purchased every other year.
When it comes to choosing an ownership model, you should select the option or options that work best for your organization, taking into consideration factors like cost, auditability, security, management, and the very UEM software solutions already in place, as features and functionalities might slightly vary between them. ISEC7 can advise you on choosing the right ownership model for your business, and offer insights on how to improve your security posture.
We would be happy to answer any questions you may have about ownership models. Please feel free to contact us if you have any questions or would like assistance in reviewing your organization’s mobile strategy.
(C) Rémi Frédéric Keusseyan, Global Head of Training, ISEC7 Group