Why Mobile Device Security Is Everyone's Job

By Aliah D. Wright December 1, 2014

Did you know that 40 ​percent of employees at large companies in the United States use their own mobile devices for work?

That’s according to a new study of 4,300 U.S. adults polled by information technology research firm Gartner, and it’s a trend that’s unlikely to lose steam—even though experts say mobile apps now pose the greatest potential for security risks.

Yet despite the inherent risks, the bring-your-own-device phenomenon isn’t going anywhere, said panelists participating in a mobile security webinar titled Transforming the Federal Government: The Mobile Security Movement on Nov. 18, 2014.

According to the Mobile Work Exchange, which sponsored the webinar, many employees fail to take extra precautions to secure their devices, even though those devices may comingle data from work and personal information.

In fact, according to the Mobile Work Exchange:

  • 52 percent of poll respondents reported that they fail to use multifactor authentication or data encryption.

  • 31 percent of respondents said they use public Wi-Fi.

  • 25 percent of respondents admitted that they fail to use passwords.

  • 6 percent of respondents who use a mobile device for work said they have lost or misplaced their phone in the past.

With telework expected to grow within the next five years, according to the Society for Human Resource Management, and more people using their personal devices for work purposes, panelists said it is imperative that organizations address mobile security through education and training for employees, managers and IT professionals alike.

Education is Critical

“The mobile revolution is changing the security landscape,” said Dr. Sam Musa, branch chief of the Office of the CIO for the U.S. Equal Employment Opportunity Commission (EEOC). “It’s shifting the control from IT into users’ hands.

“The IT office does not have 100 percent control over these devices, and the more we rely on users’ help to enforce security measures,” the better, he continued. “Educating users is the highest priority.”

IT professionals should make sure that users can only access what is absolutely necessary for them to do their jobs, without putting certain information at risk of a breach.

“You have to know what data you need,” said Tarrazzia Martin, strategic advisor for Enterprise Planning and Change Management for the Department of Housing and Urban Development. “If we can get our hands around the data to perform our mission, and who needs access to that data … based on their role … we’re ahead of the game 100 percent. It’s more about organizational structure—what kind of data you need to perform your jobs.”

Companies can take certain steps to make sure confidentiality, integrity and security of data are maintained.

“Encryption can be implemented, mobile device management products can be installed to control these devices, remote desk wipe can [be deployed] if a phone is lost or stolen or compromised, and frequent awareness training is a necessary measure to protect the users,” Musa said.

“People tend to be reactive rather than proactive,” added Amy Price, a solutions architect for the computer maker Dell. “Security is something people don’t take seriously until an event … happens. It is absolutely an organizational change issue. We have to get people to realize the value of the information on their device … to protect it, and what they need to do.”

Be Wary of Apps

“Mobile security is at greatest risk on the app level,” said Jose Padin, senior systems engineer in the public sector division of Citrix. “Sixteen percent of employees have used a rogue app [one unapproved by the company] and 22 percent have used a rogue service,” on their personal devices. “At the end of the day, people are trying to get their job done and if we don’t offer them a secure way to do that, they’ll find a way to get it done,” and that way may not always be secure, Padin said.

Price noted, “I know people are trying to do their job in the best way possible and sometimes what is perceived as a security threat is something that they think gets in the way of them doing their job. We need to remember that IT should be an enabler to this.”

Personal responsibility is important, too. Companies need to determine exactly what types of data can live on a device “and what needs to be protected,” Price said, “and train employees on the difference between the two. Once you get alignment on that, you can make the right choices on technology.”

Aliah D. Wright is an online editor/manager for SHRM.


Job Finder

Find an HR Job Near You
Search Jobs


Find the Right Vendor for Your HR Needs

SHRM’s HR Vendor Directory contains over 10,000 companies

Search & Connect

HR Daily Newsletter

News, trends and analysis, as well as breaking news alerts, to help HR professionals do their jobs better each business day.