The average person today has 1.2 personal electronic devices. OK, that’s a completely made up statistic but you have to admit everyone seems to have at least a smart phone or tablet computer – and many have both.
The device in your pocket has as much capability and power – if not more – than Apollo 11 so it shouldn’t come as a surprise if employees want to use their personal devices for business. But it’s not quite so simple as saying, “Sure thing, have at it.” Accessing your nonprofit’s system — and data — can be tricky, if not dangerous.
“The top tier of technology that used to be the realm of IT is now everywhere,” said Darren Schoen, director of technology infrastructure at the Broward Center for Performing Arts in Fort Lauderdale, Fla. “Users expect to have everything everywhere because they can with their own personal stuff,” he said, pointing to cloud services such as iTunes, Dropbox and Google Drive.
Bring Your Own Device (BYOD) is a growing trend. “It’s coming. It’s not if but when we have that conversation,” said Schoen. “As devices become more powerful, you’re going to have to deal with it. Pretty much everyone is going to have them eventually.”
Schoen likes to ask this question. Imagine losing an iPad with your entire donor database on it: Would you be worried that someone could get that information? “If your answer is yes, that is why you need to be worried about security and safeguards,” he said. Data could include credit card information or intellectual property. “Any data that is sensitive that you would not feel comfortable emailing to your entire contact list – friends, family and competitors – if you’re worried about that, you need to be worried about BYOD and security,” he said.
With IT sprawled the way it is, Schoen said, “we can only patch the dike so many places. Unless we’re draconian in our policies, there is going to be some risk with any device coming onto your network.”
Schoen, who presented a session on BYOD at the annual Nonprofit Technology Conference (NTC) this past April, preaches getting buy-in from the top down, and one selling point is the risk of allowing devices onto a network.
“With more money we take in, the more compliant we have to be,” said Schoen, whose organization generates about $32 million annually. “We’re one of the busiest venues in the world for our size. Are we willing to say, because someone lost their phone, we lost 100,000 credit card numbers?”
No devices are allowed on the network at the Broward Center. “That’s what I’ve done, how it’s worked very well for us,” Schoen said. Email access is provided for all devices because of Broward’s extensive filters, and a remote connectivity app allows users to connect from a home laptop or tablet. “We still have preserved our network security, yet still giving options to our users,” he said.
If an employee wants to use their device, Schoen suggested having them agree to install an app that can be used to wipe the phone of any organizational information or data, if necessary. “BYOD may be becoming expected, but we should not be expected to support every single thing about their devices,” he said.
Because the risks are too great, staff will not get anything unless they sign the policy, said Schoen. It also can help set expectations. “A lot of times, people won’t freak out if you tell them we’ll only delete company data on your phone. That’s all we have access to. A lot of times people are going to take that much better than if you say, ‘We’ll wipe your whole plan,’ then it’s like a Big Brother, perception thing,” he said. The policy is your foundation for implementing BYOD, and risk, regulation, privacy and infrastructure will be your guide, said Schoen.
Years ago it was easy to regulate devices with Mobile Device Management (MDM) because virtually all of them were company owned, Schoen said. But in some places, employees use their own devices, which might prompt a look at Mobile Application Management (MAM). MAM allows for a remote wipe of a device, or parts of a device, in case it’s lost or stolen.
Pioneer Resources in Muskegon, Mich., distributed a BYOD policy to staff explaining the organization’s need to be able to control corporate stuff like email on personal phones, including wiping someone’s phone if necessary.
There was some immediate pushback from staff. “We’ve had some people who refuse to sign up and want more documentation about what exactly we’ll be able to wipe,” said Susan Dennison, finance director at Pioneer Resources.
Privacy and security restrictions around the Health Insurance Portability and Accountability Act of 1996 (HIPAA) also can pose other issues for BYOD.
Pioneer Resources provides services, housing and training to people with disabilities, with its annual budget of about $7 million derived primarily from government contracts. Pioneer Resources has a staff of about 250 people, with supervisors already enacting BYOD policies within their departments about organization emails on personal smart phones. It has more than a dozen different off-site locations, in addition to a lakeside camp with 27 buildings.
The organization recently issued two tablet computers, set up with email and Internet access, to maintenance staff who work within the numerous buildings and properties. Tablets will allow them to exchange photos of parts or damage, as well as issue or complete work orders. The tablets were easier to use, as well as cheaper than buying laptops, Dennison said.
“There was the cost but also what they need to do with it,” she said. A property management app will let them pull information into a database and eventually allow a concise information exchange, creating a work ticket and feeding it into a database while also feeding work orders to staff.
“It’s definitely a work in progress,” said Richard Wollenberger, director, information technology at Parents As Teachers in St. Louis, Mo. He revised his organization’s BYOD policy last year, splitting it in two, for personal devices and company-owned devices.
The BYOD policy makes clear the minimum requirements of personal devices that connect to its system (only those that connect with Microsoft Exchange ActiveSync), as well as an agreement that the organization can wipe from the phone under certain circumstances.
“We want to be proactive about who’s connecting to our system,” Wollenberger said, adding that he’s found free tools that can show what devices are connected to its systems. “We have a fairly good control method to who accesses the system,” he said. “We’re a lot less formal than other organizations are or need to be about it.”
Parents As Teachers has 60 staff, with all but three working in one building in St. Louis, Mo., along with two employees in Minnesota and another in Seattle.
Parents As Teachers had a combined policy that encompassed company-owned phones as well as personal, but Wollenberger split the policy last year after company-owned tablet devices raised a different set of issues. It was updated again this year to include the new version of Blackberry software that the organization previously did not support.
“The point here is to protect our system and to do it as politely as possible,” said Wollenberger.
But even at small organizations, there can be costs to giving monthly access to staff, which employees might not be aware of, according to Wollenberger. Of 21 devices connecting at Parents As Teachers, 17 are personal devices and only four are issued by the charity. Other than the tool he’s used (Meraki), those have a per-device cost for connecting each month.
“How do I manage the cost? Why should I be budgeting money each month to give you (staff) unlimited access to our stuff?” If it’s just for convenience, you pay the monthly fee; but people aren’t aware of the monthly cost.
At larger organizations with hundreds of employees, that type of cost likely would have to be a work requirement, with the company paying for it, Wollenberger said.
“The key is educating non-IT people about the importance of security. Do that and the risks go way down. If they take ownership of that problem, the risks go way down,” Wollenberger said. But there’s no way to do it without some level of risk. “It’s never going to be 100 percent,” he said, but it’s about ease of use, administration and teaching users why it’s important.
Schoen warns against getting locked into an MDM or MAM plan. “There’s a whole host of MDM, MAM things coming out,” said Schoen. “The space is changing so quickly right now because it’s such a concern for so many organizations.”