Finders Keepers. Depending on your place in the pecking order, you either heard or recited that adage at recess. It was written somewhere in the playground Magna Carta. Usually, the “lost” item wasn’t really lost at all, but more likely lifted by an instigator during a moment of opportunity.

Now let’s fast forward to we’re all grown up. The list of things we lose or misplace has changed. For us, in no particular order, they include car keys, sunglasses, umbrella, smartphone, etc. Hey, it’s human nature, with some of us being a lot more “human” than others.

Unfortunately, when it comes to items like smartphones, laptops, and tablets that have access to, or contain data belonging to our employers and/or their customers, patients, etc., the stakes are a good bit higher. While it’s true in terms of the total number of breached records, on-line breaches still account for the majority of the risk. The ease with which a laptop or cell phone can go missing is a big cause for concern.

Technology is every-changing the data security landscape.

The way we use technology and store sensitive data in our business changes frequently. Personally, we read emails on a mobile device throughout the day whether near our desk or not. In fact, we probably read the majority of our emails on the go compared to the days when we only responded to emails while sitting at a desk.

Working for a professional services firm, where the confidentiality of client information is paramount, it’s required to sign a business IT policy. Our IT policy must be updated regularly to keep pace with the ever-changing data security landscape.

Why worry about a mobile device security policy?

Ask your IT staff and they will tell you that without one, it’s a free for all. Many organizations allow their employees to connect to corporate networks (especially for email) with their personally owned laptops and cell phones. This creates huge issues in terms of managing and securing the corporate data that ultimately can find its way onto these devices.

A good policy serves to educate the workforce and set boundaries for what is acceptable in terms of equipment and behavior.

One of the first questions to be answered is, “Are we going to allow our employees to access corporate systems with their personal laptops and/or smartphones?” Every business is different as are the risks. However, there are some significant benefits to allowing only corporately issued devices to connect. They include:

  • Device tracking and monitoring including retrieval of the device upon termination.
  • The ability to have standard configurations that include security controls such as encryption, passwords, etc. (you can sometimes enforce these with non-corporate devices, but it ’s easier if they are provisioned by the IT group).
  • Fewer compatibility issues.
  • Reduced support burden for the help desk.

Regardless of your decision related to the use of personal equipment, there are some universal considerations. If your organization houses sensitive data or data that is “protected” such as patient records, personal financial information, or information that could be used by identity thieves, you will want to take a more proactive approach to secure mobile devices.

For laptop computers, this means at a minimum the use of unique user IDs and strong passwords. With the ubiquity of the technology, full disk encryption should also be strongly considered. While not necessarily a regulatory requirement, encryption provides a “safe harbor” from having to report a breach under some data breach laws, including HIPAA/HITECH. For smartphones, consider mandating the following technical security controls in your policies:

  • Encryption of data stored on the device
  • A requirement for a password for access to corporate systems (e.g. email, VPN, etc)
  • Screen timeout with password required to re-access the device
  • Remote wipe feature enabled after a specified number of failed login attempts
  • Remote wipe feature if the phone is lost/stolen

From an administrative standpoint, there are also things that are important to include or reference in your mobile device policy. Some of these include:

  • Appropriate use
  • Download of unauthorized software
  • Procedures to report a lost/stolen/found device
  • Use in public Bluetooth and wireless environments

It is worth saying that it’s not if someone will lose their laptop or phone, but when. Since we know at some point we’ll be on the losing end of the old playground adage, with a little work we can cut out the weeping.

IT Policy Checklist

If you can’t remember the last time you were asked to sign your business’ latest and greatest IT policy, perhaps this checklist will spur conversation about your business’ data security.

  • Do employees at your business access email on their mobile devices?
  • Is a password required to access your mobile device?
  • If your mobile device is unused for a certain period of time, does it time out and require a password to log back in?
  • What is the maximum length that should be allowed on your mobile device before the screen automatically locks?
  • If the mobile device is personally owned but the business’ data is accessible, can other members of the employee’s family also use this mobile device?
  • If the mobile device is owned by the business, are employees also allowed to use it for personal use? If yes, how liable is your organization as it relates to the employee’s personal usage?
  • Is the data on your mobile device encrypted?
  • If your mobile device is lost or stolen, can sensitive data be remotely deleted from your mobile device?
  • Is your mobile device operating an intrusion detection/prevention system?
  • Does your mobile device have anti-virus and/or malware scanning?
  • If owned by the business, are there limitations as to what applications can be installed and from where they are installed?

Regardless of who owns the device that stores corporate data, is there a requirement to report lost or stolen devices to the employer? Even if you have certain internal controls in place related to data security on your mobile device and can answer “yes” to some or all of these questions, does the same hold true for the other individuals in your business? If the answer to that question is “no,” then that highlights the need for a business-wide IT policy related to such internal controls.

It is quite possible that organizations may receive some reluctance from employees regarding security measures implemented on their personal mobile devices. This is understandable. However, in our extensive experience in forensically analyzing mobile devices in numerous situations, it is obvious that individuals also store very sensitive personal information on their devices. Therefore, employees should understand that these measures not only protect sensitive corporate data, but also their sensitive personal information.

Businesses vary drastically on the level at which they use mobile devices and the sensitivity of data that is accessed and stored on such devices. The checklist items are obviously not all requirements, but there may be some items that would likely be prudent to add to your business’ internal control structure. As with any internal control system, you have to weigh the benefits received from these items against the cost of implementation.

There is a universal risk in your business regarding sensitive data falling into the wrong hands, but your personal risk tolerance might not be the same as the other individuals in your business. Incorporating mobile devices into your business’ IT policy can be a highly effective way to make sure that everyone is on the same page regarding data security.

Whether your business just needs to dust off its IT policy or if it feels it is necessary to implement a robust mobile device management system, the changes your business implements will be an appropriate level of response in relation to how individuals are using technology to access business data and the sensitivity of such data. Then, the next time that you or a colleague loses a mobile device, the impact of that loss will reach no further than the cost to replace the device.

LBMC’s Mobile Security Policy Checklist