Sept. 27, 2012
It’s becoming more and more common for workers to store work-related documents on their smartphones, tablet computers and other devices they bring to and from work each day. While this can be convenient (employees can access important documents at home or on the road), it also creates greater security risks for businesses.
Employees’ devices may not be secure
Many employees’ devices have operating systems that are vulnerable to hacking attacks or viruses. This is especially true if the employee’s device isn’t running the latest version of the operating system. Phone and tablet users often don’t install the latest upgrades or even think about security risks because they’re using phones, not computers.
Both employees and business owners are generally aware of the risk to computers from viruses, malware and the like; however, they may not realize that their smartphones and tablets are vulnerable to the same attacks. Thus, they may not scan phones or tablets for viruses regularly or stay on top of upgrading the firmware on these devices.
In addition to operating system vulnerabilities, phones and tablets are susceptible to getting viruses from downloaded applications. Employees may be careful about downloading only legitimate applications; however, if a hacker attacks the application itself, users may end up downloading a compromised version of the application or an “upgrade” to a compromised version. If an employee’s device has business files on it, a hacker could steal the files. Worse, he or she could break into the business’ computer system and wreak havoc after retrieving login information from stored files.
Lost and stolen devices
Lost and stolen devices accounted for 50 percent of all security breaches in 2011, according to a Ponemon Institute study. If an employee loses his or her phone or tablet, or worse yet, if someone steals the device, that can lead to all kinds of security problems. For example, suppose an employee stored unencrypted files on his or her phone. If the employee loses the phone, whoever finds it might be able to access all the company’s files with just a few taps of the screen. This can happen very easily if an employee’s phone falls out of his or her pocket while he or she is sitting in a waiting room or riding in a taxicab.
Difficult to keep track of
BYOD security is also more difficult to keep track of. If a business manager has ten computers in his or her office, he or she can easily track computer use; IT specialists can pinpoint infected computers easily. However, there are an infinite number of tablets and smartphones that might become infected during an attack. For example, if an office has 50 employees and some employees have more than one device, it can become difficult and time-consuming to determine which devices are infected. In addition, employees may share their devices with each other, making it even more difficult to keep track of who’s been doing what with the device.
The problem is compounded by the fact that there are no standardized security procedures that allow business owners to manage mobile device security. Each company must create its own security policies, and there’s no objective measurement of which devices are most secure. Thus, business owners may not know which devices they should ban employees from using at work.
While employers have the right to demand that company-owned devices follow certain security procedures, they may not have the same right when it comes to employee-owned devices. Since the devices aren’t theirs, they’re limited in what they can require.
For example, suppose an office handles a lot of confidential documents. The employer can require that all documents on his or her computer system be encrypted. However, the employer may not have the right to demand that all employees encrypt documents on their personal devices because those devices do not belong to the employer. Some states allow the employer to make rules about devices used on his or her system while others don’t; in many states, the best an employer can do is make rules limiting the type of devices that are allowed to be used on his or her systems.
In order to resolve security problems with BYOD, managers should consult with IT specialists prior to allowing any mobile devices to be used. Managers need to understand which devices are most secure to use so that they can create a reasonable BYOD policy. They may also want to invest in software that helps keep track of mobile devices that are being used in conjunction with company networks so that they can more easily track devices for security purposes. Some employers require employees to download applications that encrypt files or require passwords to access the device. These measures can help cut back on security breaches from lost or stolen devices.
Michelle Drolet is founder of Towerwall, a data security services provider in Framingham, Mass. with clients such as Bose, Middlesex Savings Bank, Raytheon, and SMBs. Contact her at [email protected].