Employee smartphones can expose organisations to serious risks. Here are the measures IT leaders need to take to counter them.
If harnessed correctly, smartphones can offer considerable benefits to businesses, making employees more accessible and improving their productivity. However, the growing use of these devices for business purposes also presents significant risks. Although most companies are aware that smartphones are easily lost or stolen, and that steps can be taken to mitigate the risk of loss or theft of confidential information (such as password protection or encryption), there are other threats that are less obvious but just as serious.
One such threat is that of malware - malicious software that masks ongoing intrusion and enables fraudsters to take control of a victim’s phone and make calls, send and intercept texts and voicemails, access data and browse and download online content. While the amount of malware targeting smartphones is tiny compared to that aimed at desktop PCs or laptops, it is a present and growing problem.
Get Safe Online, the national UK online security initiative, has estimated that malware on smartphones increased by 800 per cent during the last five months of 2011.
The essential problem is that the functionality that makes smartphones so attractive can also leave them vulnerable to various forms of attack and weaken an organisation’s security. Organisations need to assess smartphones and choose the most secure technology. For example, smartphones running Android appear particularly vulnerable to malware, while RIM BlackBerrys have also been found to be vulnerable to maliciously designed websites. Employees should also be trained and educated to avoid activity that is likely to compromise the security of their devices.
Beyond these wider issues, an organisation’s ability to maintain the strict controls that are necessary to respond to security threats such as loss, theft or the downloading of malicious software will largely depend on implementing clear guidelines setting out the employer’s rights and the employee’s responsibilities in relation to the use of smartphones. These guidelines are normally implemented through workplace policies.
Who owns the smartphone?
The starting point when drafting a policy addressing the use of smartphones for business purposes should be consideration or review of ownership. Is your organisation allowing employees to use their own smartphones for business purposes or does it prohibit them from doing so?
In general, it is better from a legal perspective to provide employees with the devices they are permitted to use so that the smartphone belongs to the organisation. If an employee leaves, taking their own smartphone with them, recovering company data may prove problematic, as will claiming ownership of any telephone numbers used for business purposes. It may also be harder to enforce any restrictive covenants contained within the employee’s contract of employment.