As seen in a recent report from CCS Insight, employees are more willing than ever to use mobile devices and apps for work purposes. In fact, 86 percent of respondents regularly use mobile apps for work purposes, and almost a quarter of employees request a business app within their organization.
With such an influx of personal device usage in the enterprise today, it’s vital companies have guidelines in place to help draw the line between securing corporate data and respecting employee privacy. Industries with strict security regulations and governance especially need to be aware of what data they should and shouldn’t pull or store from employee devices.
This piece discusses how companies and organizations can maintain data security in mobility programs while respecting the rights and privacy of their employees.
The Current State of Mobile Security
Mobile security is still in its infancy. Companies and employees still don’t fully understand how to protect and secure data accessed through mobile devices, and breaches and data loss occur more than one may think.
The figures are shocking: a recent study from the Ponemon Institute found that 70 percent of respondents believe the failure to secure company data on mobile devices results in data breaches. The study also found that 67 percent believe it is certain or likely that data breaches are caused by employees using mobile devices to access sensitive and confidential company information. Only 33 percent of respondents believe their organization is vigilantly protecting sensitive or confidential data from unauthorized employee access.
In addition to lax monitoring of employee usage, there are other ways employees can invite hackers and breaches into company systems.
Accessing or using unsecured Wi-Fi in public places, such as airports or hotels, can allow hackers to view everything employees work on and download. Operating systems, no matter how secure, can also be susceptible to attacks.
One example is the discovery of the Trident vulnerabilities in Apple’s iOS earlier this year. Application downloads are risky as well, especially when they originate from unknown sources. An employee downloading the latest gaming app can provide a direct path to confidential company data, whether through malware or by otherwise opening access to attackers.
Just because there are flaws in mobile security doesn’t necessarily mean companies have the right to track or monitor all employee usage within the workplace or through mobile devices used for work purposes. While there are always holes within them, personal privacy laws help define what companies can and can’t access through employees’ personal devices.
With that said, there is a lot of confusion about what should remain private and what is fair game. This is especially true for any device that has internet access or access to company email, applications and data. However, there are steps companies can take to ensure they are on the right track.
Corporate-Owned (CO) devices can allow companies to be a little more cut-and-dried when it comes to monitoring employee usage in a way that complies with data privacy laws. Companies should clearly define upfront what employees can access via CO devices, as well as what they will be tracking.
In some cases, it may be in a company’s best interest to insist employees only use CO devices for work purposes. Let employees know they are responsible for getting their own device for personal use. Either way, corporate mobile policy should contain a clearly defined set of rules and regulations that is distributed to and accessible by employees at any time.
Privacy through Bring Your Own Device (BYOD) programs is a little trickier. There is a grey area when it comes to companies monitoring employee usage on personal devices used for work purposes. Privacy laws rarely protect employees using the Internet, Intranet or work apps. This includes employee email, website browsing history and blocking access to certain sites (or limiting the time spent on them).
There are, however, restrictions to monitoring calls and voicemails of employees using personal devices at work or for work purposes.
The Electronic Communications Privacy Act (ECPA) has set limitations such as:
- Employers may not monitor an employee’s personal phone calls.
- This includes phone calls from telephones on work premises.
- The only time an employer can monitor phone calls or voicemail is if the employee is aware they are being monitored.
Again, it is important that all BYOD program rules and regulations are provided to employees upfront so there is no confusion on what will and will not be monitored.
Drawing the Line is in Your Best Interest
At the end of the day, it’s within a company’s best interest to establish a clear line between maintaining security and respecting an employee’s privacy. The use of Mobile Device Management (MDM) solutions can help maintain a separation of corporate and personal data. Mobile device containers can also be deployed to ensure a differentiation between CO and BYO data.
Additionally, Managed Mobility Services (MMS) providers can secure corporate data and automate data loss prevention policies to ensure that there is no leakage of employee data. Providers can even deploy privacy profiles to personal devices that do not pull as much data from the device, or enable dual personas to segregate employer and employee data.
While no solution is bulletproof, these services and solutions can help when used to their full capacity. They will, at the very least, establish ground rules that respect employees while keeping company data secure.
(About the author: Mitch Berry is vice president of enterprise mobility management at MOBI. He is an accomplished IT professional with success implementing global mobility IT initiatives that improve business functionality and process.)