Not a Member?  Become One Today!

Smart Phones Create New Security Threats for HR
Strong security practices cut the risks of HR data falling into the wrong hands

By Dave Zielinski  1/21/2011
 

As the use of smart phones for business purposes skyrockets, the task of protecting those iPhone, BlackBerry and Droid devices from malicious software, spying and data theft is growing apace.

Mobile security experts say that hackers and cyber criminals have turned their attention in force from computers to smart phones, which are far more vulnerable.

That’s an issue for human resource professionals because smart phones are used in the workplace increasingly to access and transmit sensitive corporate data. Whether they’re reviewing payroll information, performing shift-scheduling duties, processing approvals or handling back-end HR tasks, more HR professionals are using mobile devices to connect to corporate networks. HR vendors have fueled the trend with the release of mobile versions of their most popular software products.

“We now carry around miniature computers that just happen to make phone calls, and when you have smart phones that can connect to networks, store sensitive business information and run programs, you open yourself up to far more security issues,” said Aaron Titus, former privacy director for The Liberty Coalition and now privacy officer for Identity Finder, a New York City firm that provides data loss prevention technology.

As the connectivity and functionality of smart phones have increased, so have accompanying security threats. Titus says there’s been a huge increase in malware designed for smart phones as hackers look to exploit their security loopholes, which typically include less-than-optimal browser, user authentication and data encryption technologies.

In 2010, more than 1 million smart-phone users in China were infected with a “zombie” virus hidden in bogus anti-virus applications. In another case, a malevolent worm was able to connect infected iPhone devices to a server in Lithuania, enabling criminals to control the phones remotely.

“With the rapid evolution of smart phones and tablets, we are in a period of ‘devices gone wild,’” said Alan Brill, senior managing director of secure information services for Kroll Ontrack, an Eden Prairie, Minn.-based company specializing in data recovery.

“New smart phones are being built and distributed faster than security software can be created to keep up with them.”

Fewer Security Features

Compounding the security challenge is the Bring-Your-Own-Personal-Computer (BYOPC)-movement, where organizations allow employees to use their personally owned mobile devices in the workplace. That policy places more of the onus on workers to ensure that they aren’t infecting corporate networks with viruses or exposing sensitive corporate data to outsiders by storing it on phones or including it in unsecured e-mail messages.

John Kindervag, a senior analyst with Forrester Research who is an expert on wireless security, said HR leaders should prevent any smart phone from accessing what he calls “toxic” data. This is personally identifiable information that, should it be hacked, could put HR professionals in hot water with regulators or in violation of state data-breach laws.

“There isn’t mature enough encryption, remote access or authentication technologies yet for smart phones, and you are highly dependent on the phone carrier networks for security, rather than your corporate network,” Kindervag said.

Another problem is that web browsers on smart phones tend to be less mature than their PC-based counterparts in terms of privacy settings and user controls, Titus said.

“With a typical desktop browser you might be protected against accidentally clicking on a threatening link, for example, because that browser communicates with a central repository of blacklisted malware sites,” Titus said. “That type of protection is not yet robust enough for most smart phones.”

In some cases employees might not even be aware that sensitive data is still stored on their phones, which can be a problem when they upgrade to newer versions.

“As soon as you sell that old smart phone on e-Bay, it becomes someone else’s property, but it may still have an old e-mail attachment on it with payroll or other sensitive HR data,” Titus said. 
And just because you hit the “delete” key doesn’t mean data disappears from your phone. Without using more advanced wiping technology to destroy information, Titus said, criminals usually can find and retrieve it.

Take Security Steps

Information technology managers and HRIS specialists already face daunting challenges in providing security for Windows and Mac computer environments, but factor in various mobile operating systems and it’s a task that can often seem insurmountable. Most seek to limit problems by standardizing specific smart phones and single-operating systems. They view enterprise control as paramount, believing that employees don’t always take steps necessary to protect their phones from threats.

According to a 2009 survey by Trend Micro Inc., only 23 percent of smart-phone owners used the security software installed on their devices.
Kindervag and Titus said regular e-mail should never be used to communicate sensitive HR data via smart phones—even on BlackBerry devices, whose servers have more powerful security features. If remote workers need access to personally identifiable information on corporate networks, Titus suggested, they should use virtual private networks (VPNs) which is technology that provides remote, security-protected access to networks via the Internet.

“You have to remember that if you are connected to the Internet via smart phone, you live in a bad neighborhood,” said Kindervag.

Given growing security concerns, Brill suggested that HR departments think in terms of “data dieting” when deciding what information should be transmitted or accessed via smart phone. “You no longer can justify transferring sensitive data via e-mail just because someone is used to receiving it,” Brill said.

For example, while it might be imperative to e-mail a directory of certain HR functions to someone, Brill said, don’t include critical information like Social Security numbers.

“Do you really need to have direct deposit routing and transit information included in unsecured e-mail communication, or is that something that should be segregated, more tightly protected and probably even encrypted when it’s at rest?” Brill asked.

While it’s hard to keep mobile devices immune from all of today’s sophisticated threats, strong security practices greatly reduce the risks of HR information falling into the wrong hands. Education and common sense play as big a role as the latest security technologies, Brill said.

“Teaching employees to treat company information as being as valuable as their own sensitive personal information goes a long way to keeping your data safe,” he said.

Dave Zielinski is a freelance writer and editor in Minneapolis.

Related Article:
How to Keep Smart Phones Secure, SHRM HR Technology Discipline, January 2011

 

Copyright Image Obtain reuse/copying permission