When your employees are using smartphones and you are in charge of security
The days when company data were only available on the employees’ desktops are over. Today, employees are mobile, and company data are therefore scattered across units that can end up anywhere in the world.
Despite this, it is doubtful that anyone would like to see mobile units disappear from the workplace.
This article zooms in on employees’ smartphones to offer you an insight into ways for your IT department to secure your data on these small, hand-held supercomputers.
Two types of risk
To understand how you can secure the employees’ mobile phones, you must know the two types of risk lurking behind the screens.
1. The control risk. Modern mobile phones are so advanced that they are to be considered supercomputers. They often come with a rather large, built-in memory with space for a whole lot of documents and data. Add to that the fact that many phones automatically synchronise with services in the cloud, and we are not really in control of where our data are stored.
2. The app risk. Your employees’ smartphones are also used for private activities. The employees might want to install a wine app, or their children are allowed to hunt for the newest game in Apple App Store or Google Play. Obviously, the problem is that many third-party apps are beyond your control and therefore may constitute a direct security threat.
However, as the head of IT, you can take measures that minimise these lapses in security.
First step: PIN code and encryption
Experience indicates that it is a good idea to work with security at several levels. The common denominator is to protect your data to the widest extent possible.
First and foremost, you do that by making sure that:
- All of your devices are protected by passwords
- Your devices are always encrypted
- Antivirus software is always installed and updated
Second step: Allowed applications
Start by deciding which data and applications your employees can access from their phones. Should it only be emails, or should they also have access to other apps? For administration, we recommend a Mobile Device Management (MDM) system.
The balance to aim for is between restrictions that become unnecessarily annoying to the employees and openness that constitutes an unacceptable security risk.
Third step: App management
The app risk is not insignificant. Although many people believe that Apple’s and Google’s control of their app stores is security enough, that is unfortunately not the case. The main reason is that users will often simply approve all access permissions an app asks for without being critical of them.
You can get around the app risk either by only allowing apps with which you feel secure to be downloaded to the company’s mobile units, or by only allowing the phones to download applications from your company’s app portal. That will make it impossible to download public apps.
If that is your solution, it requires good communication with the employees so that they will understand why the company chose to control which apps are allowed on the company’s mobile units.
Last step: Learning and follow-up
Unfortunately, many security policies end up as unused documents. It is still important to have written agreements regarding the use of mobile units and the security risk involved, but an unused document will not solve the security issue.
To make the security policies take effect in your organisation, we recommend that you continuously engage your employees in ways to maintain good smartphone security. Have the employees propose solutions as a way to give them a thorough insight into the complexity.
Auditing entails commitment
We also recommend that you continuously audit your work processes and the ways in which smartphones and mobile units are used for work. Auditing emphasises the importance of security to the employees and enables everybody to stay updated; nobody wants to fail an audit.
Provide the employees with training and then follow up and repeat. Continuous security is not implemented in a single afternoon workshop.
So even though you might sometimes long for the simple days gone by without mobile units, there is a lot you can do to maintain a strong company defence. And if you involve employees from the entire organisation, you will also gain acceptance of the most secure solutions.