The growing trend of employees using personal smartphones for work purposes is a headache for IT departments, and a data security nightmare. With an estimated 2.7million personally-owned smartphones in the UK currently containing confidential company and client data it is time for businesses to act.
How well protected is my data?
This is already a question that will be disturbing the sleep patterns of executives and privacy conscious citizens alike. Businesses in a variety of industries depend on data security and the trust of their customers - many of whom are all too aware of the increasing amount of data collected by businesses with each interaction. The results of a recent GfK survey, which found there are approximately 2.7 million personally-owned smartphones in the UK carrying confidential company and client data, are guaranteed to give even the most laissez-faire something to think about in the dark hours.
As discussed in TechTalk in August 2011, the ‘Consumerisation’ of company IT resources is generating significant issues for IT policy makers. For the first time, and to an increasing extent, employees personally own devices such as smartphones, laptops and tablets which provide equal or better functionality than the devices provided by their employers. This brings all kinds of policy and regulatory concerns for decision makers as employees become freely able to access company email, intranet, and remote access portals from their own devices – and often without subjection to any kind of employer control or management.
There are currently approximately 16 million personally owned smartphones amongst the 29 million people employed in the UK (*2). A recent GfK survey found that 44% of these employed owners of smartphones (around 7 million) use their personal device for business purposes – i.e. to access work email or company files; and that 39% of these people (around 2.7 million) have saved company or client data to their device.
Frightening numbers indeed, especially considering a recent O2 survey which estimated that 6.2 million Britains lose at least one tech gadget per year. Mobile phones top this list – with 5.2 million being lost every year – favourite places to lose them (and therefore the first place to look if you lose yours) being bars & clubs, taxis, parks, shops, & trains. How long before the finders of these devices, or indeed those who come into possession of ‘lost’ phones by less legitimate means, realise the data contained within could have much greater value than the device itself? (*3).
Are company policies well established enough?
The urgency with which businesses need to address policy issues and policing is confirmed by the fact that only half of those who use their personal phones for work agree that their employer has clear and established guidelines on this issue, and, more worryingly, 17% saying they continue to use personal devices to access work files, despite knowing it is not permitted by their employer.
This is a huge headache for IT and business policy makers. Until recently, more often than not, they were providing their employees with smartphones based on one operating system (most frquently BlackBerry devices), and managed all devices using server software which enabled security, management, and remote wiping capabilities – everything they needed to do their job in a secure, effective, and cost-efficient way. They must yearn for a return to these days, but, with increasing pressure from employees for access to a wider range of devices, they will also be well aware this is not an option – so, how do they stem the tide or have things already moved too far and too fast?
What can decision makers do to minimise the impact?
IT decision makers will need to galvanise themselves and address these issues, and may soon be helped by awareness amongst other senior colleagues of the dangers of having loose or non-existent policies. It can’t be long before a lost smartphone is found to contain confidential or sensitive data and becomes a high profile story – we all remember recent cases of high ranking civil servants and policemen being forced to resign after leaving their laptops in taxis, and there’s no reason why smartphones can’t similarly become smoking guns.
It would seem decision makers have two realistic options which they can offer, alongside the unavoidable tightening of in-house legislation related to the use of personal devices for business purposes and the aggressive policing of these policies:
As an acknowledgement that greater flexibility is required to satisfy all end-users, outlaw the use of personal devices but allow employees to select from a wider range (but limited selection) of devices than have traditionally been available – with no exceptions, which is where the problems start. The CEO may think that using his iPad at work does no harm because he knows the rules, but it’s often the start of a trend that spreads quickly amongst those who don’t
Allow the use of personal devices, as long as they meet specific criteria, possibly a list of permitted devices. Then ensure that all personal devices being used are registered with the company IT department, and subject to the same regulation and control (including remote management) as those devices provided by the company.
However, for either of these policies to be viable and effective, and to minimise the risks associated with employees accessing confidential data on a personal device, companies will be required to deploy two pieces of software:
Software that links and synchronizes company servers with all mobile devices being used by employees for work purposes, and allows management of the data on that device, remote wiping, access policies, etc – in the case that a device is lost or stolen this will be critical
On-device software that separates work data from personal data. This would identify which data, communications, contacts, & files have come from the software above vs. that which was accessed externally, and ensures that these cannot become mixed or copied and pasted from one to the other – putting an end to those decision maker nightmares about critical business communications or data being inadvertently put on social networking sites. This software will be needed on all devices, particularly those personally owned.
An accident waiting to happen
This is a big issue with a low profile - possibly because businesses are reticent to highlight their own lack of security; and also because employees love the convenience (especially those not given a company phone). However, it can’t be ignored much longer, and it is time for decision makers to rest the initiative back from their end-users before it’s too late – this issue needs to be resolved while it remains an accident waiting to happen.
Where data unreferenced it is from GfK TechTalk Omnibus January 2012