There are lots of reasons why businesses are adopting cloud and Internet technologies in great number, and supporting mobile workers is one of the big ones. In order for traveling sales people or workers in remote offices to have access to business applications and data, many organizations are turning to hosted and cloud solutions to centralize systems and make enterprise-wide access easier to deliver and manage.
What many businesses are just now realizing, however, is that allowing individuals to use their own mobile devices to access corporate data is exposing the enterprise to new (and often unknown) risk with each and every device and app that gets used.
Most businesses recognize the need to secure corporate systems while allowing users to remotely access resources from home or mobile computers.
Many CIOs and IT managers are failing to address the vulnerabilities introduced through the proliferation of tablets and smartphones in the business. Some enterprises initially embraced the concept of “bring your own device” [BYOD], as it tended to encourage users to work from home or while on the road, increasing employee productivity and keeping workers more “attached” to their jobs – all without the business having to pay for the device.
With growing numbers of reported “rogue apps” and apps that secretly collect and pass data, the potential benefits of allowing workers to use their own devices is rapidly being overshadowed by the risks involved.
Earlier this year, Apple, Facebook, Yelp and several other firms were sued for privacy-infringing apps that, among other things, pillaged users’ address books. …but what if the app uploads a sales representatives’ contact list and the developer then sells it to a competitor? That’s a new type of data leakage that most organizations aren’t ready for.
Phones, in particular, have not traditionally been viewed by most business owners as a primary platform for information theft or damage – other than when an employee uses one to tell someone something they shouldn’t. But in terms of intrusion, data theft, application hacking and things like that… not so much.
But that was before phones got really smart.
Phones that most folks carry around now are actually computers with a great deal of processing and storage capacity, and as such are just as capable of running bad programs and being vulnerable to attack as their more obvious portable computer counterparts. Perhaps they are even more vulnerable because of the “connected” nature of the device, because by its very nature it is geared towards communication of information, not just processing it.
It’s not that hackers and developers of exploits (or just bad code) are necessarily focusing on stealing your business data (well, OK, a lot of them are). Maybe someone just got lucky one day, when they first realized that the employee phone was the “camel’s nose under the tent” which would get them inside, far enough to deliver access to confidential corporate information and data someone would pay for. People tend to be the weakest element in the security chain, and exploiting vulnerabilities under the guise of “making things easier” for the user has been a highly successful approach (would you like to sign in with your Facebook account?).
..because attacks that target employees may well end up targeting the employer as well, even if the employer wasn’t the original target.
Whether it is intentional or not, the risk is very present, and every business and enterprise has a responsibility to recognize the vulnerabilities introduced with mobile device use and to do what it can to mitigate that risk. It is also important to recognize that the risk is not a purely personal one, either.
Since the information held by most businesses also includes the information of others – customers, vendors, partners, etc. – it is essential that the business not expose itself to unnecessary problems (litigation, fines or penalties, or simply lost opportunity) caused by accidental leakage of confidential information belonging to 3rd parties.
For some businesses, the best answer may be to only allow use of devices the business provides, along with clearly written use policies and guidelines. This approach allows the organization to determine which applications may be installed and to dictate how the device is to be used for business needs.
There are even solutions available which can assist businesses in managing the expenses related to mobile devices in the enterprise, addressing not only security and privacy concerns but also helping to optimize expenditures on mobile devices by monitoring contracts and usage, identifying underused agreements or overage charges, or even identifying contracts still in force which should have been cancelled.
For many businesses, however, allowing users to continue accessing business resources with their personal devices may be desirable for a variety of reasons, cost being only one of them. If this is the case (as it is most often in small and growing businesses), it is important to make certain that users understand what is and is not appropriate device use, and to inform users on the policies relating to apps which may or may not be allowed and why.