Many business environments are becoming increasingly mobile. Traditional desktop environments are being replaced with laptops and docking stations, allowing employees to plug and play their machines at the office and then take them along when they travel. Depending on the size of the organization, there will likely be different policies for procuring devices. Some organizations restrict their employees to only using company devices on company resources. Others are more liberal, allowing employees to use their personal devices for work. It is essential that your business has a set strategy for procuring devices to keep your digital environment organized and secure.

Below are the major strategies for device management. Each one presents a different approach to who owns the device, how the device is configured, what is allowed on the device, and who pays for the device. You can review and discuss each strategy with your cybersecurity team to determine which one is most appropriate for your organization.

Bring Your Own Device (BYOD): this strategy allows employees to bring their personally owned devices and use them for company work. The employee is in charge of paying for the device and keeping it in good condition. They are also in charge of the underlying operating system. However, in this strategy, the organization allows access to company resources only under conditions acceptable to it. The organization may require employees to enroll the device in Mobile Device Management (MDM) and use a separate profile for work. This strategy has the advantage of providing greater comfort and convenience for employees. However, a badly implemented BYOD solution can create security risks for the organization due to company data being mixed in on non-company devices.

Corporate Owned Personally Enabled (COPE): this strategy involves the organization purchasing the devices, then providing them to employees to use in both workplace and personal capacities. Like BYOD, the organization will usually set standards for the device to ensure security. Employees have nearly free rein over the use of the device, but the organization can and will step in when a security or severe misconduct issue arises.

Corporate Owned Business Only (COBO): this strategy involves devices issued by the organization to employees to be used for strictly business purposes. These devices can be taken home by employees, but policies will be in place to prevent any personal use. This approach grants employees the convenience of being able to take their devices on the move while also safeguarding sensitive company data.

Choose Your Own Device (CYOD): this strategy involves the organization allowing employees to pick their devices themselves. This can be beneficial in environments where different jobs require varying levels of power. The organization may set a ceiling on device price to keep it within budget. When the devices arrive, the organization will usually combine them with any of the above strategies to dictate employee use.

It is important to carefully analyze the needs of your workplace to choose the best device management strategy. A small environment with varying schedules and workflows may benefit from BYOD or CYOD, as this provides more comfort and customization to employees and is easier for the organization to manage with a smaller pool of employees. An organization with a greater number of employees, say 10 and above, might be better suited to a COPE or COBO implementation. This allows employees to use their devices at their own discretion while also allowing the organization to keep a firmer grasp on the device state and usage.

Once you have decided on a device management strategy, ensure that you keep employees educated on expectations for the use of their devices. This is best accomplished by drafting policies that lay out the expectations in writing. As an example, this framework provides documentation on drafting a BYOD Policy later on in Stage 2.