When you hand your employees a corporate mobile device, you might be doing more than enabling them to stay in touch with the business – you may be opening a door to cyberbullying. While it’s true that more companies than ever are relying on mobile activity to keep employees connected and working outside the office, problems begin when business and personal life mix, and it’s difficult to enforce a “work only” policy once a smartphone leaves the office. Once a corporate device with access to a network and company file storage is out in the wild, it’s up to the employee to keep it safe – which means it’s up to you as the business owner to educate and trust your team.
It can be tough to get employees to see the line between personal and professional device use, especially now that social media is blurring the area between work and play. However, it’s vital that you consistently reaffirm IT policies in order to avoid potential data breaches or company hacks. Let’s examine what could be at risk, and go over some do’s and don’ts of mobile security to pass along to your staff.
The Potential Risks
Once you entrust an employee with a corporate mobile device, you absolutely must ensure that it has the correct security protocols in place. Although you can control some of this on the IT end, a measure of security needs to be upheld by the employee, and enforcing these policies can sometimes be a challenge.
A 2015 blog post at Breezy outlines some of the problems in getting employees to take mobile security as seriously as IT does. It points to a Spiceworks survey that found that IT professionals were far more concerned about mobile security than employees, noting that “IT pros worry most about mobile attacks from malicious file downloads (57%), malicious apps (50%), intentional/inadvertent leakages of sensitive data (49%) and email (48%).” On the other side, an Ipsos Mori poll of large-enterprise employees found that 73% downloaded personal apps to tablets issued by their employer, 62% downloaded apps to smartphones, and 50% used personally-owned smartphones and/or tablets to conduct company business.
The argument can be made that employees are not always being willfully reckless with their corporate devices – it’s more that once a company issues a mobile device for employee usage, it’s hard for the employee to not use it for personal reasons. If an employee’s corporate device quickly becomes their personal device as well, then it can be hard to resist firing off a few tweets or updating Facebook from the company smartphone – and possibly opening a door to information leaks or opportunistic hackers.
Also, according to CIO, in many cases a lack of security may be attributed to a lack of knowledge: “people who move to smartphones after years of using feature phones with limited security requirements often aren’t aware of the need to install security apps.” While some of this needs to be taken care of by IT beforehand, constant vigilance is also necessary on the part of the employee, particularly when it comes to clicking on strange links, logging on to unprotected Wi-Fi networks, or opening unsolicited emails.
That’s why the importance of mobile security comes back to you, the business owner. When you have one side (IT) constantly worrying about security and the other side (employees) not worrying enough, then the gap needs to be bridged. Let’s take a look at some points that should make up the backbone of your company’s mobile security policy.
Do’s & Don’ts of Mobile Security
Don’t download any applications you’re unsure about. Although there is a wealth of apps available to download, not all of them have good intentions. Breezy quotes their CEO Jared Hansen as warning, “Sometimes it’s obvious where the app provider makes money – in-app purchases, encouraging users to browse ‘deals’ offered by the app developer, etc. But it isn’t always obvious. And there are apps out there where your data – acquired from your employees openly or covertly – is how the developer plans to make money.” Instead, get a list of secure apps that have been preapproved by IT.
Do install necessary security updates. The aforementioned preapproved apps often come out with patches and fixes to help keep their security strong, so don’t put off the updates. Also, if IT sends an email about a security risk, read it right away and take the required action. It could save you a huge headache – and possibly the need to wipe your device – later on.
Don’t fall for phishing scams. “They’re the #1 way cybercriminals steal data,” says the Breezy blog. “One ‘innovation’ is for a criminal to impersonate a company officer or someone from the board of directors, and create an email that creates a sense of urgency (for example: subject line: Get back to me ASAP). If the user doesn’t pay attention to the details, and clicks on the link inside, it’s easy for them to be lured into revealing sensitive information to the ‘boss’.” It’s important to constantly stay updated on the latest phishing scams, and frequently check for strange URLs and email addresses that look a bit off.
Do change your password regularly. It may be annoying to be prompted to change your password monthly, but it’s for a good reason – it keeps cybercriminals out. Your second line of security is to choose a strong password, preferably an alphanumeric mix and nothing as generic as “password” or “123.” There are plenty of password creator programs online that can come up with unique – and not easily guessed – passwords for you.
Don’t neglect the lockdown. Having your device automatically lock down after a period of inactivity is another good line of defense against theft. TechTarget recommends that you “should set the device to lock automatically after it’s been inactive for a predetermined amount of time, and require a passcode after that period of inactivity or whenever the user turns on the device.” If you don’t have a passcode enabled on your devices, check the settings and turn the feature on now. It could make a huge difference if a device is lost or stolen.
Do use a VPN rather than public Wi-Fi. “Unsecured wireless networks make devices more vulnerable to attack and can put an organization’s entire network at risk,” says TechTarget. Connecting a corporate device to unprotected public Wi-Fi can be an open invitation for hackers. Instead, if you’re going to do any work or access company files, log on to a VPN (virtual private network) first. This private network can be controlled by company IT, which reduces the risk that sensitive material will be leaked to the public.
Although granting corporate mobile devices to your employees is a smart move, it could come with unexpected setbacks if security protocols are not in place. Part of this responsibility lies with IT, but it’s just as important to educate your staff on good security practices with their devices. Take note of the above mobile security suggestions, and pass out your own list of best practices to your employees – it’s the best step to keeping company information safe.
How do you enforce mobile security policies within your company? Tell us about it in the comments.