Today, it is fairly easy to carry out business tasks on a smartphone. Emailing, browsing the Internet and even creating or editing documents is now a breeze. This means smartphones now carry a large amount of sensitive data that needs to be protected. Not only are smartphones subject to the same threats as PCs, but they are also quite easy to misplace or lose.
Allowing personal devices at work can be good, bad or downright terrible, depending on how it is managed. There are always inherent risks when employers allow employees to use a personal device at work, especially if the device connects to the company’s private network or stores confidential data. Allowing employees to bring their own device can be very beneficial to your organization, but if you choose to allow it, you must understand the risk and create rules that keep the device from being used maliciously.
It is best practice to create a Bring Your Own Device (BYOD) policy for employees who use their personal devices for work purposes. The policy should cover a variety of things, including proper use during and after hours, which types of apps may be installed, which types of data the device is allowed to access, and how to prevent abuse.
The most common breaches occur through stolen electronic health records (EHR), obtained via direct access to critical systems, stolen equipment, common storage media (such as hard drives or discs), and mobile devices (such as cell phones or laptops). Another method is simply “dumpster diving,” which is scouring dumpsters for any information that can be found. More elaborate breaches involve gaining unauthorized access to data through computer hacking or monitoring network traffic. According to a chart in Chris Poulin’s article, A Fresh Look at Healthcare Data Breach Numbers, the majority of breaches occurred through theft, unauthorized access, and loss of equipment. Other types included hacking, improper disposal of data, postal mail, and malware.
System administrators also have the task of managing devices from multiple phone manufacturers. A company needs to implement a mobile device management (MDM) solution to carry out a BYOD policy effectively and safely. Using mobile devices without an MDM solution in place carries several risks, starting with the data stored on those devices: many users have their corporate email, and possibly sensitive data, on their smartphones. Many MDM solutions can locate and track enrolled devices in real time. In the worst case a smartphone is stolen, but with MDM in place administrators can remotely lock the device or even wipe all sensitive data to prevent abuse.
Microsoft’s Intune MDM solution provides a sandbox feature that requires web links, such as those in email attachments, to be opened only in a protected browser. On the topic of data, there is also specialized ransomware disguised as mobile applications (or “apps”) that targets mobile devices, holding the data hostage until a ransom is paid. With MDM, apps can be controlled from the management console so that only allowed and trusted apps can be installed and run. This is especially important for company-owned mobile devices.
New risks emerge every day, so to be sure that a device is secure you will have to continuously assess the risk of each device in use. There is always a risk that your employees could fall victim to social engineering, which is when they knowingly or unknowingly give confidential information to a party that is not entitled to it. All employees with a mobile device used for work should be restricted in which applications they are allowed to download; the MDM solution mentioned earlier can mitigate this risk.
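The three MDM controls discussed above (an app allowlist, device tracking through regular check-ins, and remote lock or wipe of a lost device) can be expressed as a small compliance evaluator. The following is an added example written for this page; it is not Intune’s API or any vendor’s code, the policy values and the device inventory are constructed, and the action names (`remote_wipe`, `block_corporate_access`, and so on) are hypothetical labels an administrator would map onto their own MDM console.

```python
"""Toy BYOD compliance evaluator (added example, not any vendor's code).

Models the controls the text attributes to an MDM: an app allowlist,
device tracking via periodic check-ins, and remote lock/wipe when a
device is reported lost or stolen. All policy values and device records
below are constructed for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Hypothetical BYOD policy values; a real deployment takes these from the policy.
ALLOWED_APPS = frozenset({"com.example.mail", "com.example.docs", "com.example.browser"})
MAX_CHECKIN_AGE = timedelta(days=7)  # a managed device must report at least weekly


@dataclass
class Device:
    device_id: str
    owner: str
    installed_apps: set[str]
    last_checkin: datetime
    reported_lost: bool = False
    has_corporate_data: bool = True


@dataclass
class Decision:
    device_id: str
    findings: list[str] = field(default_factory=list)
    actions: list[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.findings


def evaluate(device: Device, now: datetime) -> Decision:
    """Apply the policy to one device and return findings plus actions."""
    d = Decision(device.device_id)

    # A lost or stolen device gets the strongest response and nothing else
    # matters: wipe corporate data if any is present, otherwise lock it.
    if device.reported_lost:
        d.findings.append("device reported lost or stolen")
        d.actions.append("remote_wipe" if device.has_corporate_data else "remote_lock")
        return d

    # Allowlist check: anything not explicitly approved is blocked. An
    # allowlist fails closed, whereas a denylist misses apps it has not seen.
    unapproved = sorted(device.installed_apps - ALLOWED_APPS)
    if unapproved:
        d.findings.append(f"unapproved apps: {', '.join(unapproved)}")
        d.actions.append("block_corporate_access")
        d.actions.extend(f"remove_app:{app}" for app in unapproved)

    # A device that stops checking in can no longer be tracked or managed;
    # cut off corporate access until it reports again.
    age = now - device.last_checkin
    if age > MAX_CHECKIN_AGE:
        d.findings.append(f"no check-in for {age.days} days")
        if "block_corporate_access" not in d.actions:
            d.actions.append("block_corporate_access")

    return d


def evaluate_fleet(devices: list[Device], now: datetime) -> dict[str, Decision]:
    """Evaluate every enrolled device and key the decisions by device id."""
    return {dev.device_id: evaluate(dev, now) for dev in devices}


NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # constructed reference time

SAMPLE_DEVICES = [  # constructed sample inventory
    Device("phone-001", "alice", {"com.example.mail", "com.example.docs"}, NOW - timedelta(days=1)),
    Device("phone-002", "bob", {"com.example.mail", "net.sketchy.flashlight"}, NOW - timedelta(days=2)),
    Device("phone-003", "carol", {"com.example.mail"}, NOW - timedelta(days=20)),
    Device("phone-004", "dave", {"com.example.mail"}, NOW - timedelta(hours=3), reported_lost=True),
]

if __name__ == "__main__":
    for dev_id, decision in evaluate_fleet(SAMPLE_DEVICES, NOW).items():
        status = "compliant" if decision.compliant else "NON-COMPLIANT"
        print(f"{dev_id}: {status} findings={decision.findings} actions={decision.actions}")
```

Run as a script it prints one line per device; in the sample inventory only phone-001 is compliant, phone-002 loses corporate access until the unapproved app is removed, phone-003 is cut off for going silent, and phone-004 is wiped because it was reported lost while holding corporate data. The ordering matters: the lost-device branch returns early so that a stolen phone is never merely told to remove an app.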
In conclusion, many companies already allow the use of personal devices for work. Trying to implement a plan after the devices have been allowed is much trickier, because you are further limiting users on their own devices. A plan is absolutely necessary to protect you from legal implications, and you must be up front and informative about the consequences of breaking any rules outlined in the BYOD policy. Letting your employees know what is expected will reduce the legal and liability risk a company may face.