COPE Mobile Policies for Enterprises
Today, employees can connect to the office with a few taps or clicks from just about anywhere with mobile devices. From one perspective, this is an incredible mobile computing achievement, but with great potential often comes significant risk.
Connected devices have been at the center of serious data breaches. A recent Crowd Research Partners study revealed that 24 percent of surveyed organizations said connected devices made contact with malicious Wi-Fi connections in the preceding year.
We are still learning about the increase in security incidents during the global shift to remote work during the COVID-19 pandemic, where millions of workers connected to employer networks from mobile devices away from the office.
When enterprises fail to weigh their options for connected device management, bad things happen.
Companies can eliminate or reduce many of the potential risks associated with employee usage of connected devices by adopting a corporate-owned, personally-enabled (COPE) approach.
What is COPE?
COPE programs put the bulk of the decision-making related to connected devices into the hands of the enterprise. With COPE, companies can directly issue mobile devices to employees or restrict employees to specific device models by implementing a Choose Your Own Device (CYOD) policy.
It is important to distinguish COPE programs, which allow personal use, from COBO (Company-Owned, Business Only) programs that restrict usage to business purposes. This is why many employees consider COPE an enticing company benefit.
Enterprises often decide to implement COPE programs for enhanced network security benefits. By exerting more control over the purchase and usage of connected devices, security teams can maintain better oversight of network behavior. Employers can block apps and websites and wipe devices remotely if they are lost or stolen.
Resource allocation planning
Enterprises can create accurate forecasts based on expected costs to outfit employees with connected devices. Other programs often include varying reimbursement elements for devices and service fees.
In most cases, enterprises will find that COPE programs are more expensive versus options like Bring Your Own Device (BYOD) programs, where employees select and purchase their own devices and connect them to the company network.
Management and oversight burden
COPE programs require a great deal of oversight, starting with the buying process. Selecting the right devices requires time-consuming research.
Once the program is underway, companies must keep track of their massive technology investment and conduct some kind of usage monitoring to ensure the devices are being used properly.
Human resources considerations
Enterprises adopting COPE must consider how best to manage the program from a human resources standpoint. It is important to address corporate expectations for device care and usage. Employment policies related to COPE might include:
— Disciplinary guidelines for employee misuse or negligence
— Training on newly issued and updated COPE devices
— Device support protocol (external or internal)
Companies can enhance employee recruitment efforts by framing COPE as a valuable employee benefit, as well. These programs can save employees hundreds of dollars each year versus using their own equipment and services to conduct work away from the office.
Matt Diaz, a Dinsmore and Shohl data privacy attorney, urges enterprises to consider built-in security features and default data collection settings when purchasing COPE devices. “Businesses should evaluate existing security features on devices and determine whether more security measures are necessary based on how employees will use them,” he says.
Diaz says companies should be proactive when it comes to adjusting data collection settings, switching from default settings to minimize data collection — especially personally identifiable data. Taking these measures can help enterprises stay in compliance with regulations like HIPAA and the GDPR and CCPA as well as state and federal employment regulations related to personal employee data.
The National Institute of Standards and Technology (NIST) has developed a set of guidelines companies can follow when setting up COPE programs and related policies. This publication helps companies stay compliant with various federal regulations and also provides helpful tools for organizing a COPE program from the top-down.
COPE can be an attractive employee benefit, but as with all connected enterprise device programs, companies must take care to address work/life balance concerns.
Being within constant reach of the office can offer some convenience from the employee perspective, but some workers have trouble switching off. This scenario can lead to strained employee-employer relations.
Companies can mitigate some of these concerns by addressing them in related corporate policies and handbooks. Management training programs can also cover best practices for managing remote workers and after-hours communication.
It is also worth noting that because employees can connect COPE devices for personal use, they are doing so with the knowledge that their employer can monitor their every move. This, too, can lead to strained partnerships between employees and employers. Striking a balance between employee freedom and network security can become tricky.
Generally, however, COPE programs can help employers offer robust remote work options, a benefit that appeals to an increasing number of job seekers. A recent Zapier report, for example, noted that 74 percent of surveyed knowledge workers in the US were willing to quit their current jobs to take a similar position that allowed for remote work, and around 26 percent already had.
State of enterprise adoption of COPE
Companies are increasingly adopting policies that allow for COPE devices, according to a recent Citrix whitepaper, “Best Practices to Make BYOD, CYOD and COPE Simple and Secure.”
COPE programs offer a wealth of benefits for enterprises that want to retain more control over network connections, especially as it relates to security. These programs do pose a few potential roadblocks and pitfalls, however. In particular, it can become quite costly to launch and manage a COPE program in terms of real dollars and human resource allocation.
Be sure to take some time weighing all of your options before settling on a COPE approach. Depending on your immediate and long term goals, you may find another approach, like BYOD and strict internal usage policies, is a better fit.