Mobile devices are everywhere. At every turn, you see people on their mobile phones and tablets sending texts, surfing the internet, checking their email and doing all manner of activities that the various apps allow them to do.
Giving in to the wave of pressure from staff, and recognizing the productivity improvements that mobile devices make possible, companies have increasingly begun arming their staff with mobile devices or allowing them to use their own devices in the course of their duties.
Undoubtedly, companies have experienced a performance boost as a result. No longer are customers told that the person did not see the email because they were not in the office or that they will get a response on Monday when the person goes to the office.
Mobile devices are therefore a tremendous benefit to Caribbean companies, but they carry a risk that many companies are not recognizing. This risk is compounded by the fact that employees often bring their own devices to work and use them for work purposes.
Some employers view this “Bring your own device” (BYOD) approach as a cost-saving mechanism for the organization, because they think they no longer have to incur the cost of purchasing and maintaining mobile devices for employees.
The risk that some Caribbean companies are not recognizing is that mobile devices, if not properly configured, can open up unauthorized means of access to company information, which in turn can lead to damaged reputation, corporate espionage, loss of revenue or worse.
The unauthorized access can also lead to the introduction of viruses and malware on a company’s systems, which can shut down its IT systems and cripple its operations. The risk is further magnified by the fact that employees, seeking to reduce the usage of their data plans and so save on their personal cost, will frequently use any open wireless network they discover, and often have their mobile devices configured to search for open wireless networks and connect to those first. Open public wireless networks, however, are often unsecured and are therefore frequented by hackers looking for victims.
There are several measures that companies should have in place if they allow the use of mobile devices. The first and simplest is that anyone who wants to use a mobile device to access the Internet and the company network should have installed, and should regularly update, antimalware software for their device.
The second measure is that mobile devices should be configured to avoid unsecured wireless networks, and Bluetooth should be hidden from discovery. In fact, when not in active use for headsets and headphones, Bluetooth should be disabled altogether. These measures, while good first steps, are not the only protective actions that companies should take with mobile devices.
Increasingly, individuals have realized that they cannot simply have mobile devices open to be picked up and used by anyone. People have caught on to the fact that if their mobile device is stolen, anyone finding it will have access to their personal information and be able to use their device and incur charges that they will have to pay.
As such, most individuals have configured their mobiles to require a password in order to use their services. Where a mobile is being used for work purposes, access control should go beyond a password alone, so that possession of a mobile device does not automatically grant access to important information and systems. Most modern mobile devices now include local security options such as built-in biometrics (fingerprint scanners, facial recognition and voiceprint recognition), and companies should require the use of one of these combined with the password.
Most experts recommend that “all mobile device communications be encrypted as a matter of course, simply because wireless communications are so easy to intercept and snoop on. Those same experts go one step further to recommend that any communications between a mobile device and a company or cloud-based system or service require use of a VPN for access to be allowed to occur. VPNs not only include strong encryption, they also provide opportunities for logging, management and strong authentication of users who wish to use a mobile device to access applications, services or remote desktops or systems”.
The difficulty that is faced when companies opt to go the BYOD route is that the user owns the device, not the organization, which makes security somewhat trickier for IT to establish and maintain.
Other experts have therefore recommended that in those situations, companies should “require such users to log into a remote virtual work environment. Then, the only information that goes to the mobile device is the screen output from work applications and systems”. Given the fact that only screen output goes to the device, the data does not remain on the device once the connection to the company’s network is terminated. Since accessing a remote virtual work environment invariably occurs through VPN connections, communications are secure as well.
For companies that want to go further, they can implement mobile data loss prevention (DLP) technologies. These DLP applications provide data classification features to label messages and documents (metadata labeling), as well as features that analyze content and filter it when a mobile device interacts with a corporate server. Thus, they can prevent information that has been classified as Sensitive, or certain types of emails, from downloading to a mobile device. Some DLP products prevent sensitive information from being transferred to devices based on a user or group rather than a device ID.
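To make the DLP decision described above concrete, here is an added illustration of the logic such a gateway applies when a mobile device asks the corporate server for a message. It is not code from the article or from any DLP product: the classification labels, the content patterns, the group policy and the sample messages are all constructed for the example. It combines the metadata label with content analysis (the stricter result wins, so a mislabelled message is still caught) and then applies a policy keyed by the user's groups rather than by device ID.

```python
"""Toy mobile DLP gateway: metadata label + content analysis + group policy.

Added example, not the article's or any vendor's code. Every label, pattern,
group and message below is constructed for illustration.
"""
import re
from dataclasses import dataclass, field

# Metadata classification labels, most to least restrictive (constructed scheme).
LABELS = ("Sensitive", "Confidential", "Internal", "Public")

# Content rules that force a message to "Sensitive" regardless of its label.
# Constructed for the example: a 16-digit card-like number and an ID-like pattern.
CONTENT_RULES = {
    "card-number": re.compile(r"\b(?:\d[ -]?){15}\d\b"),
    "national-id": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}

# Labels each group may receive on a mobile device (constructed policy).
# Keyed by group, not by device ID, as the article notes some products do.
GROUP_POLICY = {
    "executives": {"Public", "Internal", "Confidential"},
    "staff": {"Public", "Internal"},
    "contractors": {"Public"},
}


@dataclass
class Message:
    subject: str
    body: str
    label: str = "Internal"  # metadata label applied by the author or classifier


@dataclass
class Decision:
    allowed: bool
    effective_label: str
    reasons: list = field(default_factory=list)


def effective_label(msg: Message) -> tuple[str, list[str]]:
    """Combine the metadata label with content analysis; the stricter result wins."""
    reasons = []
    label = msg.label if msg.label in LABELS else "Internal"
    text = f"{msg.subject}\n{msg.body}"
    for name, pattern in CONTENT_RULES.items():
        if pattern.search(text):
            reasons.append(f"content matched {name}")
            label = "Sensitive"
    return label, reasons


def evaluate(msg: Message, user_groups: set[str], device_class: str) -> Decision:
    """Decide whether msg may be delivered to this user's device."""
    label, reasons = effective_label(msg)
    if device_class != "mobile":
        # This example filters only at the mobile boundary.
        return Decision(True, label, reasons + ["non-mobile device, not filtered"])
    permitted = set().union(*(GROUP_POLICY.get(g, set()) for g in user_groups))
    groups = sorted(user_groups)
    if label in permitted:
        return Decision(True, label, reasons + [f"{label} permitted for {groups}"])
    return Decision(False, label, reasons + [f"{label} not permitted for {groups}"])


# Constructed sample traffic: one correctly labelled confidential item, one public
# item, and one mislabelled item whose body carries a card-like number.
SAMPLE_MESSAGES = [
    Message("Q3 board pack", "Attached: acquisition terms.", label="Confidential"),
    Message("Lunch menu", "Friday is jerk chicken.", label="Public"),
    Message("Customer refund", "Refund to card 4111 1111 1111 1111 please.", label="Internal"),
]


def run_demo(groups: set[str] = frozenset({"staff"})) -> list[tuple[str, bool, str]]:
    """Evaluate the sample messages for a mobile user in the given groups."""
    results = []
    for msg in SAMPLE_MESSAGES:
        d = evaluate(msg, set(groups), "mobile")
        results.append((msg.subject, d.allowed, d.effective_label))
        verdict = "ALLOW" if d.allowed else "BLOCK"
        print(f"{msg.subject!r}: {verdict} ({d.effective_label}; {'; '.join(d.reasons)})")
    return results


if __name__ == "__main__":
    run_demo()
```

Run as a script, the demo shows a staff member's phone receiving the lunch menu, being refused the board pack because "Confidential" is outside the staff policy, and being refused the refund message even though it was labelled "Internal", because the content rule reclassified it. The same refund message is also refused to an executive, since no group is permitted "Sensitive" on a mobile device, while a laptop request passes straight through.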
Along with the technological measures, companies need to educate users on the dangers of data leakage. Employees should be taught what is considered sensitive and confidential information and how to keep their devices secure. Employees should also be taught about the implications of data leakage, not only for the organization but ultimately for their own job security. Most employees will help protect an organization’s assets once they understand what constitutes “confidential” information, the consequences of its leakage, and the risks that organizations face through unauthorized mobile access.