Mobile Devices and You

Five steps toward better organizational security

2011-12-16

Eigen Heald

The tide is rising. Employees by the millions — in business, education, healthcare, non-profit work, and everywhere else you look — are routinely using their smartphones, tablets, and other personal mobile devices as part of their toolkit in the workplace. Indeed, 1.6 billion such devices were sold in 2010.

The up-side…

It’s no wonder people “BYOD” (“Bring your own device”), as they say on the Internet. Look at the benefits:

  • Being comfortable on your own device
  • Working at any time
  • Working from any location
  • Cutting response times
  • Raising productivity

Employers benefit, too, by getting more out of employees — and cutting operating costs. But they’re also at even greater risk as the line between organizations and personal devices blurs.

…and the down-side

The biggest risks arise from users.

Because devices are privately owned, their owners decide how they’re secured, not the employer — which can create big problems when personal or business data fall into the wrong hands:

  • If the phone or tablet has access to various company applications and is configured for automatic login, then the applications can be accessed by whoever has the device
  • Thieves can use data stored on the device to make fraudulent purchases from personal and company accounts
  • Confidential business data can be disclosed or abused
  • Personal data can be sold to other criminals to obtain credit cards in the victim’s name, for example, or to send malware 

Software security is…soft

Additional big risks arise from today’s inherently non-secure device technology and software.

The leading makers of smartphone and tablet software, for example, focus on usability and marketability, not on security. As a result, even though they’re constantly making software improvements, bug fixes, and security upgrades, they are distinctly behind — sometimes significantly so — in the race with malware writers.

Adding to the challenge, manufacturers and resellers of phones with the Android operating system — the most popular phones in the world — can (and do) customize the system to work with their hardware, and many are slow to upgrade to more secure versions. (According to a recent study, 56% of Android phones in use today are running out-of-date, non-secure software.)

Meanwhile, apps can be risky, too. Unlike apps vetted for security by Apple and sold at the company’s store, Android apps are sold — without central vetting — through a vast range of unrelated outlets. This means that every time employees install new apps, they are increasing the risk to their employers’ intellectual property.

Can this Wild West environment be tamed?

No easy solutions (so far)

To date, although a handful of software products can manage the operating systems of a limited range of devices, such as iPhones or Blackberries, no full-scale enterprise software can manage all the devices in its purview.

However, a variety of partial solutions and tactics are being tried, such as encrypting email or creating special “profiles” for employees to use on their devices. Unfortunately, most of these are still too expensive for small- and medium-size businesses.

Five steps in the right direction

Still, here are five steps you can take right now to “lower the threat level” at your organization regardless of its size:

1. Develop a policy

Developing a written policy is the single most important thing a company can do to set boundaries and help alleviate risk. Consider including the following:

  • Define mobile devices, including smartphones, tablets, USB thumb drives, portable hard drives, etc.
  • Require written approval before a device can be used on company networks or is given access to company applications
  • Require employees to use passwords or PINs to protect their devices
  • Where possible, require employees to encrypt confidential data
  • Define what may not be downloaded to a device unless approved in writing
  • Make sure employees read, agree to, and sign the policy annually

2. Issue and manage mobile devices

To truly circumvent many of the risks discussed here, consider purchasing and managing mobile devices and issuing them to your employees. Though this will require certain financial outlays for hardware, management software, and support, those costs will be arguably no greater than the potential liabilities created by the use of unsecured devices. Ownership means control.

3. Teach your employees how — and why — to secure their devices
 
Make sure employees understand their options for securing devices and the importance of staying up to date on software. Every operating system has choices (however limited) for securing its device. Some will even “wipe” the device after a certain number of failed logins (Apple has a free app for this for iPhones and iPads).

4. Post a written plan to address the loss or theft of a personal device

Such a plan should cover:

  • Whom should employees contact at the company?
  • What other steps should employees take?
  • What steps should the company take?

5. Stay up to date on emerging solutions

Keep your eyes peeled. Over time, a form of device standardization will probably be developed.

At BerryDunn we’ve given years of thought to the fast-changing world of mobile devices and organizational security. To learn more, contact BerryDunn’s Eigen Heald.