Social Apps for Work - the fine line between professional and social communications
With employees opting to work from both iOS and Android mobile devices, it’s essential that organizations put in place and communicate a clear policy, especially when it comes to social media use. Whilst social media has been linked to increased productivity, the growth of BYOD means the same policies that govern use of the corporate network must also be instilled for the use of apps.
As we’ve discussed before in the context of the value supply chain, hackers penetrate at the weakest point to reach more valuable data, and mobile apps can open up just such a weak point in the infrastructure, introducing unnecessary risk. Snapchat was recently the victim of hacking and 4.6 million users’ personal information was exposed; it was also recently revealed that Angry Birds and other 'leaky apps' were targeted by US and UK security agencies for nefarious data gathering.
Whilst there are policies that can be put in place for BYOD (see here for further guidance), apps are increasingly being created specifically for work purposes, including apps dedicated to mobile working such as Evernote and QuickOffice Pro, and social apps such as WhatsApp, Viber and Skype are increasingly used in the workplace. We need to ensure that these types of apps don’t open a gateway offering free access to a business’s critical information.
Whilst there are a multitude of mobile security apps available, it’s essential that cyber security policy is instilled into employees: they need to understand the risks and consequences of using various apps. The way we work is changing, and whilst the line between work and home is increasingly flexible, the security policies must remain clear – critical information must remain safe and under the control of the organization at all times.
So... as a user, when you are looking at which apps to consider, here are some thoughts. (And if you happen to be the CIO/CISO, then here are some thoughts that you need to be communicating to employees!)
Know what you’re signing up to
When you sign up to download an app, do you read where your details go? Logging in with Facebook gives the app developers access to the details posted on Facebook, so to that extent do we know what information we’re openly sharing? Whilst social media networks are obliged to be clear on what information is being used and accessed, it would be fair to assume that the majority of users skip through the fine print when downloading an app.
In essence... can the people who have created your app have unfettered access to, and use of, the information you provide? We have seen instances where uploaded images have been used inappropriately – but this was permitted in the ‘small print’.
Know who you’re sending information to
Whilst there may not be many who like to Instagram their weekly board meetings, there might be the occasion where you take a picture at work – perhaps it’s somebody’s birthday and you want to capture the cake… But with apps linked to other photo-sharing networks, often automatically, how easy would it be to accidentally share with the world the business strategy scrawled on the whiteboard in the background of the photo? Whilst someone obliviously sending updates to Facebook on every mile they’ve run using Endomondo is just mildly annoying, automatic linking and sharing to an entire address book of people can potentially be highly damaging when sensitive information is concerned.
Technology makes connecting with people in business incredibly easy and it’s important that people are able to take advantage of this in a way that facilitates further relationship-building and business, without making the critical information of a company vulnerable. How many of your ‘friends’ work at competitors’ organizations?
In essence... if you share (accidentally or otherwise) critical information with your ‘friends’ on a social networking site, what will be the consequences – for you and for your organization? While ‘automatic backup’ is great in theory, what would happen if it was compromised?
Don’t forget mobile in the IT Infrastructure: eliminate the risk of human error
Encryption can span the entire mobile software suite and can protect information at rest on the devices. For information ‘in motion’, a Data Loss Prevention and Adaptive Redaction policy is also essential to close off the possibility of data leaks. Adaptive Redaction enables sensitive information to be automatically removed (redacted) while allowing collaboration to continue, even on mobile devices. What information is removed depends on the recipient and on the content of the information, hence “adaptive”.
In essence... while you may have a comprehensive security solution for laptops, you also need one for mobile devices.
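To make the “adaptive” part concrete, here is an added illustration (not code from the original post or from any vendor’s product): a small policy engine that decides what to strip from a message based on who the recipient is and what the content contains. The domains, content patterns, recipient tiers and sample message are constructed assumptions.

```python
import re

# Constructed content classifiers standing in for a DLP product's rules (assumption).
PATTERNS = {
    "card_number": re.compile(r"\b(?:\d[ -]?){12}\d{1,4}\b"),
    "project_codename": re.compile(r"\bProject [A-Z][a-z]+\b"),
}
# Assumed recipient tiers and the content categories each may receive.
INTERNAL_DOMAIN = "example.com"            # assumption: the organization's own domain
PARTNER_DOMAINS = {"partner.example.net"}  # assumption: trusted partner domains
ALLOWED = {
    "internal": {"card_number", "project_codename"},
    "partner": {"project_codename"},
    "external": set(),
}
# Constructed sample message, as a user might send it from a mobile mail client.
SAMPLE_MESSAGE = ("Project Falcon pricing attached; corporate card "
                  "4111 1111 1111 1111 for the booking.")

def luhn_ok(candidate: str) -> bool:
    """Luhn checksum, so arbitrary digit runs are not redacted as card numbers."""
    digits = [int(c) for c in candidate if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def classify_recipient(address: str) -> str:
    domain = address.rsplit("@", 1)[-1].lower()
    if domain == INTERNAL_DOMAIN:
        return "internal"
    return "partner" if domain in PARTNER_DOMAINS else "external"

def adaptive_redact(text: str, recipient: str):
    """Redact only what this recipient may not receive; returns (text, removed)."""
    allowed = ALLOWED[classify_recipient(recipient)]
    removed = set()
    for category, pattern in PATTERNS.items():
        if category in allowed:
            continue
        def replace(match, category=category):
            if category == "card_number" and not luhn_ok(match.group(0)):
                return match.group(0)  # fails Luhn: not a card number, keep it
            removed.add(category)
            return f"[REDACTED {category}]"
        text = pattern.sub(replace, text)
    return text, removed
```

The same message is delivered untouched to a colleague, loses the card number on its way to a partner, and loses both the card number and the project codename on its way to an outside address, while the Luhn check stops an ordinary order reference being redacted by mistake.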
Take advantage of the mobile security options already available
One of the easiest things you can do to protect an Android or iOS device is to take advantage of built-in hardware encryption. This feature will turn the data on your phone into nearly unreadable junk—unless it's properly unlocked with your password.
iOS:
- If iPhone or iPad owners have locked their devices using a password, then the data is already encrypted.
- Consider activating the Erase Data setting at the bottom of the Passcode Lock settings screen.
- Once enabled, your device will erase all data after ten failed passcode attempts. Bear in mind though that this setting is irreversible!
Android: This process is slightly more complex and time-consuming.
- Android devices have to go through a lengthy disk-encryption process, just as you would with your PC or external hard drive. The device must be plugged in during the whole process; otherwise the encryption could fail and you could lose some or all of your data.
In essence... mobile devices have some essential security measures already built in and there are lots of articles on the web as to how to use them. Ensure that your security policies, even for those using BYOD, mandate the use of these features in order to protect the organization’s critical information.
Mobile devices and apps today offer some fantastic benefits for both the user and the organization, but they are not without risk. Understanding the risks and the consequences to both the user and the organization is essential. Security policies need to look beyond the traditional and encompass the new devices and blurring of home and business use. Policies need to be frequently communicated and updated – and enforced with technology. Otherwise inadvertent data sharing might make your organization front page news... and that wouldn’t be a good thing.