Recently my employer stopped providing key employees (including myself) with a cell phone for use in their employment and switched to reimbursing a fixed amount for data roaming charges on their personal cell phone when used for business. Not surprisingly, many of our employees have opted to purchase smartphones where they can in addition to making voice calls – surf the web, receive and send emails, listen to music, play games or visit social networking site or use downloaded applications. Not long after I started using my iPhone for business related phone calls I started longing to be able to receive my work related email on the same device. Initially, this was met with some reluctance as our IT Department was worried about data security. Thanks to our IT staff that sorted through the security issues of allowing work related emails to flow through our secure servers, I was eventually granted access though a Virtual Private Network, VPN, mail program to be able to send and receive encrypted emails to my clients. Next up on my wish list is access to all my work files!
As I did the research for this article I discovered that this is a phenomenon that is taking place in literally millions of business across the global that has been dubbed – Bring Your Own Device, BYOD. If you consider (according to Nielsen’s) the fact that 62% of young adults (ages 25 – 34) own smartphones already, I would say that this is a trend that has legs. In fact, I would say that BYOD is a tsunami! And why not? Being able to access, manage and handle information from anywhere in the world certainly increases the productivity of the users and benefits the users, the company and their clients or customers. Now instead of carrying that bulky laptop on business trips or client visits my smartphone or iPad can now keep me connected to the information I need to do my job.
Unfortunately, waiting out there to make illegal profit from our new found mobility are the denizens of the dark side, cyber criminals, which covet our sensitive data and intellectual property for their own gains. Lost or stolen laptops, USB drives or smartphones present a clear and present security threat to your organization. In addition to the records lost or stolen from these devices, malware is popping up that easily targets unprotected smart devices and makes them vulnerable to losing sensitive data from the network. Unprotected browsing of the web is also a common way for these thieves to try to pick our pockets.
While both business and employee agree that these devices are rapidly increasing productivity and helping achieve business objectives, the unintended consequence is that during the past 12 months, according to a recent study by the Ponemon Institute of 116 global companies, 51% of the companies reported that they had lost data from these devices! The message is clear that every business that is using or contemplating using smartphones in the workplace needs a coherent data loss policy, DLP.
I hope you know me well enough that I am not going to leave you hanging and tell you to sit down immediately and write a DLP for your business. Yikes, who wants to do that when we have the Internet? Let’s look to an organization that has mitigated data loss for their organization almost down to almost zero – The Department of Veterans Affairs. (It will never get to zero but at least it can be controlled!) Credit Donald Katchman, Director, Security and Mobile Divisions, ESE Client Services who is responsible for mobile security for the 20,000 mobile devices currently in use by the VA. (That number is expected to reach 100,000 in the next few years.) We can learn all a lot from the DLP that he has put together for the VA.
Here are his 5 rules that we all can benefit from:
- When a device is lost, a user has one hour to report the missing device to the information security team. The data can be wiped off the device by the team and reinstated if the device is recovered.
- Every device must be encrypted.
- Use the software feature that prevents a screen from being copied, photographed or forwarded.
- Make sure a complex password is used that includes letters, numbers and symbols. Make sure it’s changed every three months.
- Adequate training is essential. They require every employee to go through refresher training every year, and if they run over the one-year deadline to schedule training, they are locked out of the system.
We are never going to be able to button down these devices 100%. Human nature and the skill and cunning of the bad guys will make that impossible. What everyone needs to do is admit that there is a problem, try to understand the risk, find cost effective technical solutions, implement some common sense rules and then train, train, train. Of course, Cyber Insurance can also play a key role in limiting financial loss if data is lost from a mobile device but you should make sure that mobile devices are covered by the policy. I know of at least one cyber policy that will not pay for claims stemming from unencrypted data being lost on a mobile device.