HR, Beware the Wayward App

New applications can both disrupt and assist employees

By Aliah D. Wright November 14, 2014

We are a world driven by apps.

Apps help us schedule appointments, make reservations, find taxi cabs, and access our work hours, attendance and pay information. As more people use mobile devices as their primary source of communication, HR is faced with yet another phenomenon to police: unauthorized apps in the workplace.

According to a news release from Netskope, a cloud-based security service, apps for use in the workplace usually have strong business features and back-ups in case of technology failures.

Unfortunately, the release continues, “many apps in use in enterprises lack sufficient safeguards, putting data at risk.” Netskope reports there are an average of 579 apps in use in each of their clients’ organizations. More than 88 percent, however, are not enterprise-ready. The quarterly report, issued in late October 2014, bases its findings on usage trends—tens of billions of interactions, which it calls cloud app events—that the company tracked from millions of users from July through September 2014.

Business leaders’ instinct may be to ban apps—such as Dropbox, Google Drive, Trello or social networks people can use to get work done—but experts say HR should welcome these new technologies, and create policies to manage them.

After all, as Nielsen reports, U.S. Android and iPhone users ages 18 and over spend 65 percent more time each month using apps than they did just two years ago.

Mitigate Risks with Understanding

So what should HR do? “First off, embrace it,” Gartner Research Director Yvette Cameron said during an interview at Human Resource Executive magazine’s 17th annual HR Technology Conference and Exposition in Las Vegas in October.

“And then poll the employees in a positive way. ‘What are you using? Help us understand the type of things you’re using so we can develop policies that are more encompassing,’ ” she said. If, for example, “you find that everybody’s using a to-do app, maybe HR needs to embrace one officially. If a lot of your employees are using wellness [apps], then why not foster some wellness programs that incorporate the personal technologies,” such as Fitbits or smartwatches that measure and track exercise habits?

Cameron said the use of these apps may prove to be a “better way to engage and connect with employees.”

Security Concerns Remain

Use the apps, but with caution, said Jonathan Villa, principal security consultant for 1030Tech, a consultancy specializing in the architecture, management, and security of web application environments.

“There are added benefits to using these service providers, ranging from accessibility to eliminating backup hardware,” he told SHRM Online. “I would, however, implement a corporate policy governing the usage/installation of approved software. This is part of a standard security policy. As a matter of fact, there are still many organizations that forbid the use of Dropbox because of the risk of data leakage.”

Villa added that “the data loss risk with these services is the same with any cloud-based service provider, for example, weak passwords, unattended or lost laptops, falling for a phishing attack, etc. A combination of corporate policies and access control measures from the service provider should be enforced,” he said.

A “least privilege” or “need to know policy” would prevent a compromised account from providing full access to all documents or information stored with any of these service providers, Villa said, adding that Dropbox and Google Drive offer multifactor authentication to safeguard accounts.

Simply reminding employees to be careful with their smart devices can go a long way, too, opined Joey Price, CEO of the HR consultancy Jumpstart: HR.

“Make sure that you train your employees to log out of apps every time they set their phone down and to use a special, hard-to-guess password that can’t be cracked by close family members or hackers.”

Trust Employees

David Thielen is chief technology officer and founder of Windward Studios, and creator of Windward Reports and the new Enforced Vacation app, which debuted in October. Enforced Vacation gives companies the option of allowing those employees who receive work e-mails 24 hours a day via their smartphones to shut off notifications or ‘pause’ e-mails when they’re officially off the clock.

Thielen said his policy is to tell employees to “put whatever you want on your computer,” but to also be responsible. Allowing employees to use unsanctioned apps is a “trade off. We will have problems on the flip side if somebody finds something that makes life better for them,” he said. “The last thing I need to do is take up time with other people” by policing apps.

“I expect people here to be responsible. I don’t expect them to be perfect,” he said, adding that restrictions can “annoy everybody. … If you treat everybody like children, they’re going to act like children. If you treat everybody like grown-ups, they’re going to act like grown-ups.” Thielen added that employees who repeatedly engage in “problematic” behavior are fired.

Beware Encrypted Apps

So-called disappearing encrypted messenger apps, such as Confide and Wickr, and anonymous messenger apps, like Secret and Whisper, may present a new wrinkle for HR professionals tasked with keeping sensitive employee information private and minimizing gossip.

“For employers, this means that information is traveling quickly outside of typical corporate controls,” Daniel Schwartz, a partner at Shipman & Goodwin LLP, told business law website Law360.

These messenger apps allow users to anonymously or privately send videos, messages and photos to other app users. In some cases, users can set a timer on the messages so they will disappear in a matter of seconds after they’ve been read. Confide messages, for example, disappear as soon as they’ve been read. Both Wickr and Confide prevent users from taking screenshots of the messages.

Because messages sent through Wickr and Confide promise to disappear once the user has read them, such apps “may give a false sense of security to employees to engage in misconduct—to send that dirty picture or funny joke or other inappropriate thing—believing that it will be destroyed so there is no proof,” Adam S. Forman, a lawyer with Miller Canfield Paddock & Stone PLC, told Law360.

Snapchat messages are supposed to disappear as well, but earlier this year the company settled charges with the Federal Trade Commission after it was revealed that while the messages disappeared from users’ view on their smartphones, they could be retrieved by third-party apps or by connecting the smartphone to a computer.

And while HR may be obligated by law to keep messages and pictures sent through apps, those legal requirements may not apply to those using their own devices at work, experts said.

Companies need to recognize, too, that “this is a phenomenon that isn’t likely to be contained just through aggressive policy and policing,” Maurice Uenuma, CEO for the Council on CyberSecurity, told SHRM Online.

Using new apps, he said, is simply “what creative employees do to get their job done. What [chief information officers] can do is work with business leaders to provide a balanced solution that works for the business. This includes providing a useful set of approved and secure enterprise applications which can be easily and safely provisioned by the staff members themselves,” he said. “Needless to say, there have to be policies to limit the introduction of unknown or dangerous tools into the workflow. But that will always happen if there are no good, secure, user-friendly options available to help people do their jobs.”

Aliah D. Wright is an online editor and manager for SHRM.

