InformationWeek recently released the findings from its 2012 Mobile Security Survey, which examined the mobile security technology trends and strategies employed at over 300 organizations across North America. Of this group, 86% currently allow their employees to use personally-owned devices for business purposes or are in the process of adopting policies which allow this practice.
With the rapidly growing popularity of this so-called BYOD trend, one might assume that IT departments across the country would be tightening up mobile device security policies to keep pace. Unfortunately, this does not appear to be the case. According to the InformationWeek survey, an alarming number of companies are simply making minor adjustments to their policies as opposed to implementing new ground rules that better reflect the capabilities of the smartphones, tablets and laptops their employees are using.
Why is this such an important issue?
By allowing employees to supply their own devices, an organization inherently loses control over the hardware and how it is used. Governing the fine line between personal and professional use on the same device can be challenging. But without clearly defined policies in place, companies are making themselves vulnerable to a number of security risks.
For instance, 48% of respondents in the InformationWeek survey indicated that employees within their organizations had their mobile devices lost or stolen in the past year, with 12% of those cases requiring public disclosure, causing inevitable harm to the business. If proper security measures are not in place, the information contained on that device could become accessible to unauthorized parties and the company's reputation may suffer irreparable damage.
Additionally, there are many security risks involved in using one’s personal device for business purposes that most users may not even be aware of. Many popular smartphone apps, such as Dropbox – a public file-transfer service – could allow sensitive information to be easily intercepted. In a recent interview with MIT’s Technology Review, Jeanette Horan, chief information officer at IBM, shared that many IBM employees who use personal devices in the workplace were found to be automatically forwarding their work email to public webmail services. Others were using their smartphones to create open Wi-Fi hotspots. Both of these (not uncommon) practices make a company’s data extremely vulnerable to hackers.
What can your firm do to protect itself from BYOD security threats?
Today, nearly all employees have personal smartphones, tablets and laptops, and it is becoming more convenient to handle both personal and business tasks on those devices. Whether your firm chooses to adopt a formal BYOD program or not, it is crucial to have clearly defined policies in place to govern what is acceptable, and what measures must be in place before using personal devices in a professional manner. Here are some tips for tightening up your firm’s mobile security:
Educate employees about mobile device security, as they may not be aware of the vulnerabilities that exist on their personal devices.
Remind users to employ many of the same cautions they would when working on company-owned devices. For example, use discretion when opening email or text message attachments or clicking on links, especially when they are received from an unsolicited sender.
Ensure appropriate physical security measures are in place to prevent theft of mobile devices and enable data recovery. Users should lock their devices and use secure passwords. Additionally, firms can install software on the devices such that, if they are lost or stolen, their contents can be erased remotely.
Employ encryption tools to ensure all emails and text messages are sent securely and cannot be easily intercepted.
Only connect devices to secure Wi-Fi networks.
Be careful with downloads. Only download apps from reputable developers. It may be useful to develop a list of unacceptable apps or vendors so that employees understand which ones to avoid.
Update devices regularly, or set up automatic updates where applicable.