How far should organizations go to ensure mobile device privacy?
The ability of IT departments to monitor employees is nothing new. Before mobile devices, these capabilities were typically limited to company-issued technologies like computers, email, browser history and network traffic. Today, however, as more employees use their own smartphones and tablets for both work and personal tasks, IT potentially has access to significantly more sensitive data. As a company’s ability to manage the influx of devices used for work increases, employers should consider these three main actions:
Create and enforce a mobile device policy
Developing a clear and concise mobile device framework is a vital first step. An employer can choose between having employees bring their own devices and issuing corporate-owned devices. Regardless of which option you choose, including specific security measures in your policy will help protect the company and its employees from dangerous cyber risks. Common themes a policy should include are:
- Require and enforce the use of passcodes to protect devices from unauthorized access
- Restrict the installation of certain apps to safeguard devices against malware
- Track the physical location of a device
- Wipe a device’s data if it is lost or stolen, or if the employee leaves the company
Develop data breach protocol
Directly after a data breach has occurred is not the time to develop an appropriate response plan. Be on the offensive when dealing with cybersecurity and plan ahead by developing a plan with your response team. The response team should include IT, legal, human resources, outside vendors, crisis response management and public relations. Additionally, it’s key to become familiar with the data security, data breach notification and related laws applicable to your business. In data breach situations, time is of the essence. Employees should be aware of their duty to notify their employer of the loss or theft of a device. Failure to enforce security policies may be legally cited in the event of a breach.
Plan for employee departures
A detailed data interview that lists all locations of company data, a written guide on the deletion of private data and a protocol for how to return devices should all be part of the employee departure strategy. Also make sure employees know what they must do before disposing of a device that has access to company data and email. Lastly, include a data security review as part of the exit interview when an employee leaves, to ensure the employee understands and complies with the process.
What are your thoughts? Does your organization have a mobile device use policy? If so, are you following it? If your organization allows staff members to bring their own devices, are they required to register them?