For years analysts have encouraged the consumerization of IT to enhance collaboration and productivity. It began with the adoption of consumer instant messaging applications and continued with Web 2.0 technologies such as wikis and social networking. Now, as employees start bringing their own smartphones to work and ask IT for access to email and other corporate applications, we are seeing the consumerization not just of an application but of an entire computing platform.
At first glance this looks like a great idea. IT increases employee satisfaction, reduces OpEx by having employees foot part of the wireless bill, and cuts CapEx by avoiding the cost of the pricey phones themselves. What's more, employees with smartphones devote more personal time to work, so there is a productivity gain.
Early data from the Aberdeen Group shows that 20% of companies surveyed allow their employees to use personal devices for work.
But securing employee-owned smartphones is not the same as securing corporate-owned devices. In the corporate model, if an employee leaves the company, standard procedure is to retrieve the phone and wipe it, erasing all data and resetting it to factory defaults (often loosely called "bricking" the phone, although a bricked device is one that no longer works at all). In the new model, when an employee leaves the company the phone goes too, packed as it is with personal pictures, videos, contacts, applications and music alongside confidential corporate information.
Is it fair to wipe all personal information from a phone just because an employee tried to be more productive for the company? At the same time, is it acceptable to lower the company's security level just because that employee happens to own the phone?
Enterprise data boundary
The way to address this issue is to start by adopting a framework that provides visibility into corporate data on an employee’s smartphone and allows administrators to set boundaries around this data. This doesn’t have to be something as fancy as tagging or fingerprinting mobile files. It can start with simply drawing a line between media files on one side and xls, doc, ppt, and pdf documents on the other.
The key is that however this enterprise data boundary is drawn, if an employee leaves the company, he or she should be able to take the phone with personal data intact, while IT should be able to ensure that any corporate information has been safely removed. The process should be simple and transparent to all.
In addition to segmenting personal information from corporate, IT must have an honest dialogue with employees about the trade-offs that exist when attaching a personal smartphone to the enterprise. For instance, regulatory compliance policies may mandate that corporate communications be archived for e-discovery purposes. Those communications can include SMS messages, so the employee must weigh the privacy implications of having SMS archived in the same manner as corporate e-mail.
IT will likely find that different policies apply to corporate-owned and employee-owned phones, so it is crucial for the policy enforcement framework to distinguish phones by ownership and apply the right policy to each.
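The data boundary and the ownership-dependent wipe described above can be sketched in a few dozen lines. The following Python is an added example, not code from the original article or from any MDM product: it classifies files on the article's own split (xls/doc/ppt/pdf on the corporate side, media on the personal side), applies a full wipe to a corporate-owned phone and a selective wipe to an employee-owned one, and runs against a constructed directory tree standing in for the device. The extension lists, the choice to leave files of unknown type with the employee, and the zero-overwrite are all assumptions made for the example.

```python
"""Selective wipe driven by an 'enterprise data boundary' (added example)."""
import os
import shutil
import tempfile
from pathlib import Path

# Assumed boundary, following the article's simple split; extension lists are
# illustrative, not a standard. Matching is case-insensitive ("report.PDF").
CORPORATE_EXTENSIONS = {".xls", ".xlsx", ".doc", ".docx", ".ppt", ".pptx", ".pdf"}
PERSONAL_EXTENSIONS = {".jpg", ".jpeg", ".png", ".mp4", ".mp3", ".vcf"}


def classify(path: str) -> str:
    """Return 'corporate', 'personal' or 'unknown' for a file path."""
    ext = Path(path).suffix.lower()
    if ext in CORPORATE_EXTENSIONS:
        return "corporate"
    if ext in PERSONAL_EXTENSIONS:
        return "personal"
    return "unknown"


def should_wipe(ownership: str, classification: str) -> bool:
    """Ownership-dependent policy (assumption for this example).

    corporate-owned: everything goes (full factory wipe).
    employee-owned: only data inside the corporate boundary; files of unknown
    type stay with the employee rather than being destroyed on a guess.
    """
    if ownership == "corporate":
        return True
    if ownership == "employee":
        return classification == "corporate"
    raise ValueError(f"unknown ownership: {ownership!r}")


def plan_wipe(ownership: str, files: list[str]) -> tuple[list[str], list[str]]:
    """Split file paths into (to_wipe, to_keep) under the policy."""
    to_wipe, to_keep = [], []
    for f in files:
        (to_wipe if should_wipe(ownership, classify(f)) else to_keep).append(f)
    return to_wipe, to_keep


def wipe_files(paths: list[str]) -> int:
    """Overwrite each file with zeros, flush, then unlink. Returns count.

    Caveat: on flash storage an overwrite does not guarantee the old blocks
    are gone (wear levelling); real products rely on encrypting corporate
    data and destroying the key. The overwrite here is just the demonstration.
    """
    for p in paths:
        size = os.path.getsize(p)
        with open(p, "r+b") as fh:
            fh.write(b"\0" * size)
            fh.flush()
            os.fsync(fh.fileno())
        os.remove(p)
    return len(paths)


def demo(ownership: str = "employee") -> dict:
    """Build a constructed 'device' tree in a temp dir, apply the policy, report."""
    root = Path(tempfile.mkdtemp(prefix="device_"))
    sample = [  # constructed sample files, not real device contents
        "DCIM/vacation.JPG", "Music/track.mp3", "Contacts/family.vcf",
        "Documents/q3_forecast.xlsx", "Documents/board_deck.ppt",
        "Downloads/contract.pdf", "Notes/todo.txt",
    ]
    for rel in sample:
        p = root / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(b"x" * 64)
    try:
        to_wipe, _ = plan_wipe(ownership, [str(root / r) for r in sample])
        count = wipe_files(to_wipe)
        remaining = sorted(p.relative_to(root).as_posix()
                           for p in root.rglob("*") if p.is_file())
        wiped = sorted(Path(os.path.relpath(p, root)).as_posix() for p in to_wipe)
        return {"ownership": ownership, "wiped": wiped,
                "remaining": remaining, "count": count}
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for owner in ("employee", "corporate"):
        print(demo(owner))
```

On the employee-owned phone only the three documents are removed and the photo, music, contacts and the untyped note survive; on the corporate-owned phone all seven files go. The point of `should_wipe` taking ownership as an input is the one the article makes: the same enforcement framework has to carry two policies and know which phone it is talking to.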
Comments (9)
Risk without solutions
By Anonymous on October 16, 2009, 3:33 pm
Great to point out the risk, thanks, but how about specifics as to where to find the solutions that provide tools for the IT admin to effectively wipe one file type...
Their phone, your headache
By Anonymous on October 16, 2009, 4:50 pm
In my company I am building applications that use the phone's web interface to house corporate data, thus reducing the need for corporate data to sit on the phone....
Their phone, your headache comments
By Ojas Rege on October 16, 2009, 10:14 pm
Keeping data server side and presenting it through the web is definitely a way to reduce the risk and complexity of client-side data. The challenge has been with...
We have a solution to the employee/company owned data/accountabi
By Anonymous on October 17, 2009, 12:12 pm
We have a solution to the employee/company owned data/accountability issue. What if you could see in real time all information that is passed to and from the phone/PDA/BB?...
"bricking" does not mean "reset to factory default"
By Anonymous on October 19, 2009, 3:35 am
minor point, though
We don't allow personal devices of any kind on our network...
By Anonymous on October 19, 2009, 2:07 pm
We don't allow personal devices of any kind on our network. If we get personal data on the business equipment, it's up to us to get it off.