Mobile Devices in the Workplace: What is at Risk?
By Patrick Cook
Let’s face it, smart phones and tablets have become a common part of life. It is not unusual to walk into a place and see a majority of the people with their eyes down, totally engrossed in a mobile device. This is something that happens out in everyday life and is becoming increasingly more common in the workplace. Laptops and desktops are starting to be replaced by tablets and laptop-tablet hybrids. No matter the business industry, just like computers, tablets and smartphones are becoming essential in almost all areas of business. Even if your business does not directly require your employees to have these devices to work, they are being introduced into your environment because they can assist in productivity.
Never has it been easier to get information from the workplace and have it widely distributed so quickly. Sure your organization may have email, web and computer security software in place to protect the information on the computers, but how many organizations have a solution in place that takes care of the mobile devices? There are inherent risks involved with allowing mobile devices in the workplace, but the reality is that businesses must accommodate some mobile devices. Outright banning of these devices may not always be an option, especially if one of these devices just happens to be an employee’s cellphone.
Most if not all mobile devices can be used as a mass storage device. Plug the tablet or smartphone into a computer, load it full of work documents and then walk out the door with it at the end of the day. Then you have the potential for that device to be lost or stolen, which would result in data loss. And what happens when it is time to upgrade one of those devices? If not cleaned properly, organization data could be left on the phone for the next owner to potentially have access to. Maybe the IT department has already put a policy in place to block USB storage devices on the network and wireless network access requires users to authenticate to a central authority. That does not keep someone from taking a picture on one of the mobile devices, then distribute it via personal email, upload it to cloud storage, or post it on a social media site.
Now let’s go a step further and address accidental loss of organizational data. The apps a user may have on their phone can have an impact on how secure or unsecured that mobile device can be as well. The permissions the user allows to apps when they download and install it on the device can vary based on app requirements. Most times an app at minimum needs storage and some type of network communication access. This gives the apps rights to read the local storage on the device and can sometimes openly communicate with other devices on the connected network. The majority of apps that are available are never intended to be malicious, but that does not mean they can’t be exploited for that purpose.
So what are the options for protecting vital information that can be easily taken or leaked outside of an organization? This is where having a Mobile Device Management (MDM) platform in place comes into play. The key to this being an effective practice though is requiring that any mobile device allowed on organization premises be managed by this MDM solution. There are so many MDM solutions available today that getting into all of them in this article would make it far lengthier than it needs to be. The companies that provide these MDM solutions have far better documentation on what their product offers than can ever be explained in an article of this type. But there are a few key features that will be most vital to most organizations.
One of the key features that one should look for when finding a worthwhile MDM solution vary based on what all needs securing on the phone. Most solutions employ some type of virus and malware scanner as well as a built-in web browser security. This should alleviate the concern with any security issues with web browsing and installation of apps from the app store. If the plans are to allow employees to Bring your own device (BYOD) to use on the network, it is very likely there needs to be a way to control which apps can be installed on the phone. And to go a step further, which apps on the phone are usable based on time of the day and GPS location. Most of the solutions give an administrator rights to “Blacklist” certain apps that are against company policy and disable others that do not need to be used while at work.
Another key feature that will be extremely important for most is a way to remotely locate, lock and wipe a device. This is a vital requirement if the device is going to be used to access organization resources and store documents. An administrator can be notified that a device has been lost and immediately lock the device until it can be found or wipe the device if has been stolen. With the rise in popularity of Bring your own device (BYOD), the ability of some solutions to allow the separation of organization versus personal data allows an administrator to wipe just organization data without a risk to any personal items that may be on the device. This feature is essential if personal devices are allowed to be used for work purposes.
There are many other features available that allow complete customization of the device to fit the exact need of the organization. There are tons of comparison charts available that go into great depths on how each product stacks up against the other. Prices on these products vary based on the feature set and sometimes can be had at a discount if you go through a third party vendor. I myself have recently been looking into the different features and can tell you first hand, you can spend more money than necessary if you don’t know exactly what the company requirements are before you start. Mobile Device Security is an important part of security in the workplace, so take your time, do the research and choose wisely.