A recent study reported 28 percent of all respondents would give up their significant other before giving up a smartphone. Even if that might not be a completely serious answer by some users, there is no doubt that mobile devices - smartphones and tablet computers – have become pervasive and a critical part of the modern business environment."Smartphone and tablets have become our primary personal computers," says Randy Johnston, a partner with consulting firm K2 Enterprises. Colorado CPA Richard Oppenheim underscores the definition that a smartphone "is more computer than phone" bringing with it all the issues the businesses face with computer usage. But there is an but addition – smartphones are a lot easier to lose. And for many people, it's probably easier to forget they are computers and carry valuable data that can be lost or stolen
Like other computing devices, smartphones and tablets hold an increasing amount of data. But these devices introduce an issue that affect almost no other piece of business technology. And that is the degree to which employees utilize devices they own in their jobs the well-known concept of Bring Your Own Device.
BYOD is pervasive. The Aberdeen Group says 75 percent of companies allow employee-owned smartphones and tablets at work with Gartner predicting the level will reach 90 percent next year, according to K2 Brian Tankersley, who believes the businesses at which employee devices are used without official sanction or knowledge raises the level significantly.
There are a variety of sources for statistics regarding smartphones lost by accident or stolen. According to a survey published late in 2011 by McAfee and the Ponemon Institute, 4.3 percent of all smartphones at 439 participating organizations were lost in a 12-month period. The survey noted that 60 percent of missing smartphones were believe to contain sensitive and confidential information, but 57 percent were not protected with easily available security features.
Insecure
Because they are computing devices, smartphones can be hacked; their data can be stolen; apps they contain can infect corporate networks. In general, they represent a major security threat for businesses.Security it is absolutely a nightmare," says Johnston and that is because of BYOD.
Organizations often sanction BYOD because they can't stop the use of personal devices. Cost is a major reason. For smaller businesses, it is cheaper to let users utilize their own phones than it is to purchase company smartphones. Moreover, many users will opt to use their own devices even if the business provides its own.
The most important discussion about security on smartphones does not start with smartphones. It starts with good business practices. And technology practices with technology often turns into a discussion of policy and behavior.
"You need to have a written policy and you need to have a written plan," says Mark Burnette, partner of security and risk services at Nashville, Tenn.-based accounting firm LBMC.
Burnette notes security issues must concern small firms as well as a big ones. A hacker may ask "Do I want to attack a big firm which has the money and time to monitor systems or smaller ones that do not?" In many cases, devices used by employees at small firms may contact Social Security numbers and other information that can be used in identity theft.
Widespread Policy Issues
Policies are important, along with signed agreements with employees, about their enforcement. "If you don't have a policy, you may have data you can't control later," says Tankersley. That may mean later that a firm can't search an employee's private device for data.
Policies must also cover issues about what the firm will and won't pay for and how much it is willing to reimburse an employee. "If they drop the phone do you pay to replace?" asks Tankersley. "If not, do you require a phone as a condition of employment?"
Oppenheim rattles off a series of issues surrounding device ownership that need to be addressed by businesses: "Who owns the phone? Who is responsible for fees, over charges for data or text, late payments? Then there are issues involving accessories, covers, headsets, power plugs; standards for apps, website access, personal versus business use and liability for misuse.
Burnette notes that threats to smartphone data and firm security can arise in places many businesses have considered. Malicious apps have been written and placed on the Android store, which are offered for free, he says. After being downloaded, the app asks the user for permission to access their data, including contacts. The malicious app can suck data from the system and be used to whatever purposes the author intended.
Removing data from misplaced or misappropriated smartphones is an important component of preventing the loss of data. There are ample applications and techniques for wiping the data from the phone. Some businesses set deadlines for how soon an employee must report a lost smartphone, particularly in the banking and financial services.
Burnette points out that most business are subject to regulations about dealing with lost client data. "Forty-six of 50 states now have breach notification provisions," he says. If lost devices have data on individuals that may have been viewed or accessed, the business must publicly acknowledge the breach and notify affected individuals. These regulations cover issues ranging from the exposure of confidential tax data to personal data falling under privacy rules under HIPAA.
Some devices limit the number of attempted logins on a telephone. Burnette says Apple assigns a limit of 10 tries. value of 10. "After more than 10 times the phone deletes the memory and resets itself to a fresh phone," he says.
At a breakout session conducted by Tankersley at the CCH Connections User Conference, members of the audience even challenged that limit saying anyone with a three-year old in the household could quickly find the limit exceed when a toddler gets their hands on the unit. Another participant also challenged the idea that a company can wipe data from an employee's smartphone, even if there is a written agreement.
"That's a lawsuit waiting to happen," one commented.
Limiting the data that can be placed on a employee-owned device is another step firms should consider. "You don't have to make everything available on mobile. I probably am not going to put credit cards and SS numbers on your device," he comments. Tankersley also says firms may want restrictions on use of camera, browsers and Bluetooth, along with requiring use of anti-malware apps.
Sandboxing
Private and corporate use can be combined. Burnette says some third-party software can create a private section on a phone. That way, if there is a need to wipe data from a lost or stolen device, that can be accomplished without touching the employee's personal data. That is a technique known as sandboxing.
Security remains a major issue because smartphones are susceptible to breaches. "Data ends up on these devices and you cannot control them," says Johnston. "In almost all cases, there is a back door to the data." The combination of business and personal use on the same device also present issues. Employees can download malicious apps and infect a business network.
And as in other areas, security, starts with the basics. These include a pass-code for logging on and making sure that encryption is turned on. Encryption is especially important, Burnette says. That way, "Someone with physical access to the phone can't tether it to computer," and transfer data, he continues.
Burnette also finds big differences in the security built into platforms. "You would have thought Google would have learned from Apple's mistakes," he comments. But he continues while Apple "eventually layered in security, you would think Google would have look at that. They are still behind Apple in terms of security features they offer out of box," he says. Because of Google's lag, companies that allow Androids in their system often use a third party to create a sandbox.
A show of hands at Tankersley's session showed what formal surveys have found – a significant number of businesses do not have written policies and agreement. Help, however, is available, and he cites the mobile security policy templates available from the SANS Institute.
However, at the end of the day "There is no substitute for you doing your own homework," Tankersley says.
