Mobile Devices in Business
Mobile devices allow users to take data that used to remain controlled within the four walls of the building out into the field. These devices include the common laptop as well as smartphones and tablet systems. Prior to the advent of mobile devices, the IT department had a relatively easy time controlling data and how it was accessed.
Use of mobile devices is rapidly increasing. According to one analyst, smartphone sales grew 50 percent in 2011. Furthermore, in the United States, over half of all cell phone purchases are smartphones.
In business, smartphones are being used in many ways. From simply getting e-mail and calendar items to using the phone to establish a remote connection to a computer back in the office, there are numerous ways to leverage these devices in a business setting.
Tablets, while relatively new to the business world, present an even greater opportunity for the mobile workforce. The larger screen, coupled with the wide variety of business-friendly applications (or apps), means employees can potentially have access to a significant amount of information in the field.
Additionally, there are multiple ways to implement smartphones and tablets. The traditional method is through a corporate-owned program. This is where the business provides the devices to the employees to use. However, a new area that is gaining momentum is the concept of bring-your-own-device, referred to as BYOD. In this situation, users bring their personal smartphone or tablet and connect to the corporate system. This method is often favored by business owners since the business may not have to bear the cost to purchase the devices or pay the monthly contract fees. However, connecting personal devices to corporate systems can raise additional security concerns, and should only be done after careful consideration of the risks and benefits.
The opportunities of smartphones and tablets are not without risks. Often, these devices are small, expensive and desirable, which makes them common targets for thieves. As a result, businesses should take certain measures to protect the data on the devices. Furthermore, certain industries, such as financial companies and health organizations, have regulations in place that require certain security measures.
At a minimum, several factors must be present in almost any mobile device implementation. These include requiring users to agree to a policy regarding the acceptable use of the devices, requiring users to have a PIN code lock on the devices, and having the ability to remotely delete the devices’ data should they be lost or stolen. Additionally, just like when using their business computers, users should be trained not to click on suspicious links or lend their mobile devices to others.
Another item to consider is what data are accessed by or stored on the device. As a general rule, the amount of data actually stored on the device should be minimal. Many email systems only store a certain number of messages on the device in an effort to minimize the risk.
While these security measures represent the minimum areas to be considered, there are many other options available. Business executives and the IT department should work together to identify and research their options. Careful consideration of the risks and benefits should be made before finalizing any decisions. If there are areas that are questionable, executives should seek guidance from experts.
With the right security controls and a proper implementation, smartphones and tablets can bring a new level of productivity to an increasingly mobile workforce.
Gregory H. Soule, CPA, CISA, CISSP, CFE, is a manager with Andrews Hooper Pavlik PLC. He specializes in financial and IT audits, penetration testing, information security and fraud examinations.