Over the past decade, we’ve all grown accustomed to having our mobile devices at our side, with all the convenience of instant access to virtually everything. More recently, this convenience has been extended to the corporate world, where employees are encouraged to be available 7×24 (with the quid pro quo of freedom to attend to personal matters during the traditional workday). I see dads making quick calls and then forwarding a file or two from the bleachers of a Little League game, moms multi-tasking from the soccer fields and parking lots, and we’ve all learned how to be productive waiting at airports and restaurants.
Few of us think about the process or risks to corporate data and email as a result of mobile access and storage. I do; it is an unavoidable requirement of my job heading CIOs2GO, a strategic consulting and staffing company. While we understand the convenience as well as the desire to provide flexibility to employees, recent reviews at client sites have consistently uncovered access to corporate data from mobile devices as a significant risk.
Consider this. A nationwide survey by Consumer Reports showed that 34% of people take absolutely no actions to secure their mobile devices (see their infographic). This study also showed that there is an increasing amount of cell phone theft, and why not, with over 300 unattended kiosks across the U.S. where you can get cash for a used cell phone. The operative assumption of most people is that the focus of the theft is to gain access to personal information or to get cash for the device; but what happens when the mobile device is shared with an employer? Corporate data and email files are now accessible, and on one third of those devices, if stolen, there is no barrier to the data being accessed.
Few employers, especially start-ups to mid-tier businesses, provide their employees with a dedicated work cell phone or tablet, for obvious cost reasons. Instead, employees are allowed access to email systems from their personal mobile devices. As the company grows, more corporate resources become available, and employees are able to expense some portion of their mobile rate plans. The next step is to supply company-provided mobile devices, but this is usually a perk for senior management or road warriors, not an IT policy for risk management. Things continue on this path until one day a marketing manager asks IT to help load a new cell phone or tablet, the first indication that the previous device was stolen or lost. Suddenly IT has a full-blown emergency on its hands, as the device likely had email addresses for everyone in the company and a host of server passwords.
I don’t mean to pick on the marketing manager; a stolen phone can happen to anyone. I was recently with a friend, telling him a story of an Executive Director of a major public agency who insisted having a passcode on his phone was an inconvenience (and yes, the phone had access to privacy-protected medical files and names). My friend shot back that he saw no issue with that and became somewhat upset by my perspective that it was a serious problem. Fast forward, and what are the odds: a half hour later my friend left his phone in a cab. He immediately realized what he’d done and, using a colleague’s cell phone, called his mobile number; the cabbie answered it and returned the phone. But get this: the next day, when I offered to look at the phone, I found an active spy app. It may not have been the cabbie, but my friend insisted the phone had never been out of his possession otherwise. After the shock wore off he realized how exposed his personal and business information was and, even scarier, he had personal contact information about his teenage daughters on his phone. For the sake of avoiding a two-second passcode he had endangered his family and his business.
I tell this story for a simple reason: it catches people’s attention. But mobile security isn’t just protecting against lost or stolen devices. A far more common problem is employee turnover. Every time an employee leaves a company there is a risk of lost IP (Intellectual Property), whether it is brazenly stealing secrets, taking a customer list to a competitor, or simply wanting to keep a few business templates to be more efficient at a future job. Mobile devices can be used to transport a lot of data, and it is all outside the security firewall.
Many of you are also familiar with the discussion of an industry original equipment “kill switch” for mobile devices. While we are likely years away from such a solution, your policy will need to address when you can kill a mobile device that is shared with an employee. A mobile device management policy must deal with this. And then there is spy craft: a simple Google search for the terms “iPhone spy app” will provide you with a list of spy tools which can be easily loaded onto an unprotected phone and turn it into a tracking, listening or character capture device.
We find that the average $10–25M organization does not have technology, policy, and procedure in place to protect itself and its corporate data in relation to mobile technology. Mobile Device Management technologies have come a long way. We strongly recommend that all companies review their policies and procedures to ensure conduct related to mobile devices is clearly addressed. As we stated earlier, the statistics as of 2014 indicate there are a large number of data security risks present. We have been advising clients on mobile device management for years and I would be pleased to talk to you about protection. Or feel free to comment on this blog and I will respond; ideas and challenges welcomed.