Rethinking Mobile Security

With mobile use and data breaches rising, should employees be allowed to use their own devices?

By Leonard Webb May 9, 2014

By the year 2016, studies show, most people will access the Internet from smartphones. Today employers are increasingly allowing their employees to do so from their own mobile devices, but should they?

According to Fortinet, a network security firm, 42 percent of Generation Y employees surveyed last year admitted they do not and will not follow corporate security guidelines when it comes to securing the personal mobile phones they use to access corporate data. What’s more, 14 percent say they won’t even tell management if their device has been compromised so their companies have the option of wiping sensitive data from the device.

What’s HR to do? After all, you can’t effectively monitor what you can’t control, experts say, so control may have to return to IT.

For more than a decade, employees have enjoyed improvements in technology that give them the flexibility of working remotely from mobile phones.

However, a mobile workforce of this nature creates new challenges for HR and IT, including safeguarding employer data, complying with regulations, and securing IT systems from malware or cybercriminal activity.

Last year, information technology research company Gartner predicted that the bring-your-own-device (BYOD) trend would accelerate, with mobile devices surpassing PCs as the most common way to access the Internet. By 2015, more than 80 percent of handsets will be smartphones, Gartner added. And, according to the Pew Research Center, by 2016, 8 billion people will access the Internet from a smartphone. Unfortunately, according to Verizon’s most recent data breach report, the number of data breaches has risen from 400 in 2004 to more than 5,900 in 2013.

These trends present several key concerns every HR team should focus on, especially regarding mobile security, according to A Mobile Workforce: The HR and Data Protection Challenges, a report recently released by Global Data Hub.

Chief among them:

  • Are the devices employees use as secure as office-based computers?
  • Have companies considered data protection implications for those employees who access corporate data from mobile devices?
  • Have appropriate steps been taken to be sure the risk of data breach is at an acceptable level that’s comparable to office-based terminals?
  • Are specific systems in place to swiftly and effectively address breaches detected by mobile employees?
  • If employees use corporate-issued mobile devices, are there controls and policies to prevent them from installing their own applications?
  • If personal apps are allowed on corporate-issued devices, are IT teams satisfied they are authentic and free from malware?

With the workplace of the 21st century moving from the desktop to the most readily accessible USB port, the risk of data breaches has increased, and monitoring has become complicated yet essential, experts say. This is especially true where work-related activities and personal activities converge in e-mails, text messaging and the use of apps on cellular devices.

The only way to secure corporate handheld devices “is to get it in your hands before pushing it out to the employee,” said Jeremy Ames, president of Hive Tech HR and a member of the Society for Human Resource Management’s (SHRM) Technology and HR Management Special Expertise Panel. “That way you can implement whatever security measures you need and control what applications are on the equipment.”

But what of those employees who use their own devices?

“HR must establish a policy detailing the do’s and don’ts of BYOD and look into creating a ‘private/work’ switch function on the device to help define usage parameters,” according to the report from Global Data Hub.

But is that enough?

“Data security violations are happening in almost every company at almost every moment,” said Ames. “When you check an e-mail on a plane, who is watching in the seat next to you? When you’re outside the company firewall, do you know who is trying to hack into your equipment? When you’re on a public network, how do you know your data is secure?”

In the confines of the traditional office, where workstations are tethered to the company network, security measures and redundancies are in place to create a reasonably effective firewall against harmful activity.

Experts say it might not be a bad idea for employers to rethink letting employees access sensitive corporate data from their own devices.

Global Data Hub notes that allowing such use “will inevitably result in an increased risk of third-party access to sensitive corporate data.”

Adam Baer of Tech Electronics Inc. agreed.

“Generally speaking,” said Baer, the director of business development in IT, “these home-based devices are not as secure as their business-grade counterparts. This can be a result of the operating system used, the lack of security policies inherently placed in those devices, and the many other unsecure applications that reside on those same devices.”

Get a BYOD Policy Anyway

Sixty-five percent of HR department leaders recently surveyed stated their companies do not have a policy in place that addresses personal electronic devices in the workplace, and 78 percent stated they have no immediate plans to implement such policies, according to AAIM Employers’ Association, a midwestern HR association.

AAIM CEO and president Phil Brandt believes this disparity represents “a bit of a Wild West mentality that finds technology moving faster than business.”

Whether they suspect employees are following the rules or not, companies need to know how employees are accessing corporate data. Policies are vital.

“It’s important to know how remote users are being connected to the company network and also the method in which the data is being stored,” Baer said, for a lot of reasons. “Extra logins may be required to enhance or add layers based on the sensitivity level of the data. Personal health records, for example, may require top-level security exclusive to a handful of employees.”

After all, by the time a breach is detected on a mobile phone, it may be too late—“at least for that mobile employee,” Ames said. “The bulk of the work that happens post-breach is to put in place the measures that should have been there in the first place, and to roll that out to all mobile employees.”

Leonard Webb is a freelance writer in Wyncote, Pa.

