Introduction
Mobile devices have become a standard tool for business. However, there are a few things related to security that every business should be aware of. This article touches on some security-related considerations. It is outside my expertise, so I asked Mike Waithe to put some thought into it.
Mike is one of the principals with Western Industrial Solutions and is my “go-to” for anything related to enterprise systems and tablet PC-related information. Western Industrial has developed some great software for managing a safety program or environmental management system on a tablet PC.
BYOD
Bring your own device (BYOD)—also called bring your own technology (BYOT), bring your own phone (BYOP), and bring your own PC (BYOPC)—refers to the policy of permitting employees to bring personally owned mobile devices (laptops, tablets, and smartphones) to their workplace, and to use those devices to access privileged company information and applications. The term is also used to describe the same practice applied to students using personally owned devices in education settings. (Source)
Smartphones and tablets are everywhere; people are integrating them into their lives in every way imaginable. The integration is now at the point where people want to bring their personal devices into the office, or the office into their personal lives. The devices are being used for:
- Work calendars
- Viewing and responding to work email
- Taking notes at meetings
- Working on projects
- Company documents
Employers like having employees doing work and keeping connected, and the trend has been to integrate the office more and more into the employee’s personal life. But…
This opens up a whole new world of risks and challenges. The number one risk from the company’s perspective is the loss of data.
A simple email list on an employee’s phone can give away your company’s entire contact list of employees. So what?
A hacker could send out an email to all saying that the company is closing, that Monday is a holiday; the possibilities are endless, including embedded viruses. Virus protection only protects you if you are not in the first batch to get the virus. Once the emails have gone out, he can flood the corporate email system and bring it to its knees.
Customer and client lists. The hacker could have even more fun with this one; I’ll let your imagination do its own work. End result: you could be facing an SEC investigation, having to change your complete email system, loss of contracts…
Some other risks to consider:
Litigation
Many larger companies have Mobile Device Management (MDM). This allows the company to encrypt, locate and wipe devices. Monitoring raises its own set of problems on an employee’s personal device. If you monitor too much, you are now invading the employee’s privacy. Giving the employee a report on which washrooms he used (including stall GPS coordinates) and how long he spent in each would not be good for employee relations.
The employee has to be told about, and agree to, the types of control that he will allow on his personal device. Items that need to be addressed: how the device is being tracked, how the information is being used, where the information is stored and how it can be used.
The employee has to agree to the type of information that will be collected, the procedure that will be in place if the device goes missing, and the triggers that would wipe the device. Remember, this is a personal device, so the family photos are on it, as well as personal contacts and banking information.
The employee not only has to acknowledge the policies but has to understand them as well.
APPS
The employee will be bringing their own apps into the office with them on their devices. These apps are all over the place in what they can do and how they do it. From a corporate standpoint, these are impossible for the systems group to control and monitor.
- Are you prepared to monitor how much time the employee is spending on games and social media?
- Can your IT department even track all the possible games that can be put on a device?
- Would you like a device to turn on and record without your knowledge?
Facebook’s legal agreement is 14,000 words. You have just agreed to allow Facebook to:
- Change the state of network connectivity
- Call phone numbers without your intervention
- Send text messages without your intervention
- Record audio without your intervention
- Take pictures and videos with the camera without your intervention
- Read data about your contacts stored on your device
- Get a list of accounts known by the device, even if created by other apps
Public clouds (data storage)
A lot of people do not even know when some of their apps are using public storage. There are several vendors that provide backup services for client devices; this storage would now be backing up company data to someone else’s servers, who knows where. If your company’s data is on someone else’s servers and you don’t know where or whose, legally this could be considered compromised. It is also now exposed to the possibility of being hacked and shared with the world. Apple’s Siri, which many people use to record notes, send emails, etc., stores all of the conversations for 2 years.
An employee takes a picture of a presentation, or records confidential information, and stores it on something like Dropbox. There is nothing the employer can do.
Courts
If the employee is involved in a legal matter, the device can and probably will be seized. The information on the device will become part of the discovery process, and that information can become part of the public record. Do you know what company documents are stored on the employee’s device?
On the other side of the coin, if the company is involved in a legal matter or a securities investigation, the employee’s personal information can now become part of a public record.
If you as the company try to wipe the device or part of it, charges would be laid, i.e. tampering or obstruction.
Compliance
If the device is given away or sent in for repair and it contains corporate information that crosses into a sensitive area such as health or financial data, this could trigger reporting requirements. When a company lets an employee access data on a personal device, it needs to ensure that it is meeting all the requirements of data and privacy protection acts, as well as all government regulations, provincial, state and federal.
Conclusion
BYOD – be aware, very aware, of the potential for problems. Is your company prepared to get a call from the newspaper or local TV station with information obtained from an employee’s device?