Hidden risks within your mobile use policy
TECHNOLOGY BULLETIN
Implementing mobile use policies for your organization can be a tricky endeavor. Many think that a mobile device policy shouldn’t be more complicated than regulations for laptop computers, but there are several subtleties that bear consideration. The following are some of the unique challenges that require organizations to be nimble with mobility policies, adjusting regulations as new risks surface.
Traditionally, mobile devices provided by organizations were corporate property. However, now with the push for bring your own device (BYOD) policies, the landscape gets complicated. What do you do when a device is lost that was being used for both personal and business purposes? Is the employee responsible for replacing the device or the organization?
More importantly, who has ownership of the data residing on a personal mobile device, and how do you monitor it? Information from your corporate email moving into various repositories on a mobile device can make it much harder to audit and control potentially sensitive data.
Data loss prevention
Many mobile devices accept removable media cards. Some of these cards support encryption, which provides a degree of protection; however, the strength and availability of that encryption is not consistent across devices. Your mobility policy must account for the differing levels of protection between platforms to minimize the risk of data loss.
iOS devices encrypt data as soon as a passcode is required on the device. Android products may or may not enable encryption, depending on the device. If the password that unlocks the device is also used to encrypt the media card on RIM phones, the card itself becomes a brute-force target: an attacker who obtains the storage media card can use it to crack the device password. Windows Phone 8 devices do not support encryption for external media cards.
There are a host of security measures that organizations must consider when designing a comprehensive mobile use policy. For example, how long should a password on a mobile device be, and what combinations of character types are appropriate for these devices?
A four-digit numeric password has 10,000 possible values and can be exhausted by a brute-force attack in about 40 minutes. A five-digit numeric password would take six hours (40 minutes times 10), and a six-digit numeric password would take 2.8 days (40 minutes times 10 times 10) to crack. It is important for your organization to implement security guidelines that strike the right balance between practicality and protection.
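The following calculator is an added example, not part of the original bulletin. It takes the bulletin's figure (10,000 four-digit PINs in about 40 minutes, i.e. an assumed 250 guesses per minute with no lockout or wipe-after-N-failures) and generalizes it to other lengths and character sets, so a policy author can see what minimum length meets a chosen resistance target.

```python
from math import ceil

# Assumption derived from the bulletin: 10,000 four-digit PINs in ~40 minutes.
# This models a device that imposes no attempt lockout or auto-wipe; any such
# control changes the picture entirely, so treat these as worst-case upper bounds
# on attacker effort, not as guarantees.
GUESSES_PER_MINUTE = 10_000 / 40  # 250 guesses per minute

# Character-set sizes for common mobile passcode policies.
CHARSETS = {
    "numeric": 10,            # PIN keypad
    "lowercase": 26,
    "alphanumeric": 62,       # a-z, A-Z, 0-9
    "alphanumeric+symbols": 94,  # printable ASCII minus space
}


def keyspace(length: int, charset_size: int) -> int:
    """Number of distinct passcodes of the given length and character set."""
    return charset_size ** length


def worst_case_minutes(length: int, charset_size: int,
                       rate: float = GUESSES_PER_MINUTE) -> float:
    """Minutes needed to try every passcode at the assumed guess rate."""
    return keyspace(length, charset_size) / rate


def worst_case_days(length: int, charset_size: int,
                    rate: float = GUESSES_PER_MINUTE) -> float:
    return worst_case_minutes(length, charset_size, rate) / (60 * 24)


def min_length_for(target_days: float, charset_size: int,
                   rate: float = GUESSES_PER_MINUTE) -> int:
    """Smallest passcode length whose full keyspace takes at least target_days."""
    guesses_needed = ceil(target_days * 24 * 60 * rate)
    length = 1
    while keyspace(length, charset_size) < guesses_needed:
        length += 1
    return length


if __name__ == "__main__":
    # Compare policies against a constructed 30-day resistance target.
    for name, size in CHARSETS.items():
        n = min_length_for(30, size)
        print(f"{name:22s} min length {n:2d} -> {worst_case_days(n, size):8.1f} days")
```

The numeric rows reproduce the bulletin's 40-minute, six-hour and 2.8-day figures for four, five and six digits.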
Device wiping and disposal
As mentioned earlier, the complexity that BYOD presents makes it more complicated to wipe a device or dispose of it. Employees need to understand the risks and limitations of utilizing their own device on the job, and that they may lose personal data when a device has to be wiped or disposed of. Policies must be clearly defined to avoid any confusion if a device is lost or a data breach occurs.
For corporate security purposes, devices should be tracked to enable monitoring and remote wiping if necessary. Employees have to understand that this could mean their personal location is captured even during non-work hours when they use a BYOD device.
Enterprise app stores
Consider implementing a policy that restricts the mobile applications that can be installed on a device to those distributed through an enterprise app store. This gives you better control over the distribution of internally developed mobile apps to employees without having to release them on a public app store.
Texting and driving accidents are becoming almost as common as drinking and driving incidents. The challenge for organizations is making sure their policy stipulates that employees will not conduct any business-related activity on a mobile device while driving or operating a vehicle or machinery. Documenting the company's position serves two purposes: it can further discourage such behavior, and it can release the company from liability should an incident occur.
As mobility demands and the implementation of BYOD strategies increase, you must consider these and other challenges when crafting your mobile device use policy. With the expansion of capabilities comes increased risk, and adapting your policy quickly can be a challenge. Consulting with a qualified advisor can help your mobile device use policy account for your specific concerns and protect your organization.