Smart Devices and Risk in the Workplace

Despite Blackberry’s somewhat disappointing recent news that it would take a capital infusion rather than a buyout from Fairfax, both Blackberry and Microsoft’s Office product remain well-known and recognized tools of the workplace. Blackberry maintains a good portion of its government and corporate business by using a “symmetric key encryption algorithm that is designed to protect data in transit between a Blackberry server and a Blackberry device.” Though there may have been hiccups in the rollout of a new version of Office 365 to small and mid-sized companies, Microsoft Office maintains its lock on enterprise email through clever bundling and upgrades of both the operating system and the integrated applications that Office provides.

Though these aspects of the workplace may be locked down on corporate laptops, workstations and Blackberry devices, we’re in a different world than we were five years ago. Though many still work on desktop computers connected to file servers, many companies have moved to third party applications served up from someone else’s servers; or to third party cloud services, making the data accessible to all kinds of mobile devices. Desktop computers and laptops have USB ports that allow users to plug into the secure corporate network and download data. Then too, the distinction between personal data (and where it is stored) and corporate data (and where it resides across multiple devices) has become increasingly blurred.

It’s not just that we love our Apple iPhones and iPads or our Android devices: Gartner estimates that by 2017, at least half of workers will be asked to supply their own device to work. The “convenience” of smart devices has changed the risk exposure for companies. If we look through the operational risk lens, here’s what we see: people risk = downloading corporate data and storing it on unmanaged devices or in the cloud in places like QuickOffice, iCloud or DropBox; process risk = bad or broken procedures for sharing information outside the office, in the field; systems risk = data is not encrypted or secure; and external events = employees vulnerable to “click here” scams in their email, which allow hackers access to the secure network.

A recent Ponemon Institute study, 2013 Fourth Annual Cost of Cyber Crime Study: United States, found that over half of the 60 companies surveyed had experienced a breach within the last two years. While the average cost has varied over the past three studies Ponemon has done, “the average annualized cost of cybercrime for 60 organizations in our study is $11.6 million per year, with a range of $1.3 million to $58 million.” As a result, Ponemon predicts that sales of cyber insurance will double over the next several years.

If we move away from external threats to look at the risk that Bring Your Own Device (BYOD) can pose from inside the network, then companies need to develop strong policies as well as solid training that goes to the heart of the risk, understanding that “convenience” is everything for the overworked employee. Employees move data off the corporate network for a number of reasons. They may be trying to get around file size limits so that they can get more work done at a remote location. Or they may be moving corporate data to the convenience of a personal device like a tablet because it is easier to work on that way or because it is difficult to connect remotely when away from the office. Those are both reasons connected with productivity rather than with devious or malign intent. There is, however, the risk of the loss of intellectual property when a departing employee gathers up everything that has already been moved off the corporate network and takes it to the new employer.

We’ve all heard stories where a laptop, smart device or USB device is lost or stolen, or where the device is hacked when used in a third place, like a coffee shop. Very few companies have installed sophisticated programs on devices to erase corporate data from lost or stolen laptops, particularly if the device is owned by the employee rather than the company.

Nonetheless, roughly half of employers legally monitor email and voice mail on the corporate network, and create policies that allow them to block sites that might be offensive or pornographic or inhibit productivity. Employers also have the ability to turn on security filtering and/or logging with parameters set to alert on the size of files being moved via email. On the New York Stock Exchange, for example, filters are used to detect illegal, unethical and offensive mail sent by brokers. Filtering is in place for both personal and business email, looking for such terms as “risk-free” or for sexist/racist language.
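The two filter rules the paragraph describes, alerting on large attachments and on watched phrases such as “risk-free”, as an added example that is not part of the original article. The log format, the 10 MiB threshold and the watch-list are assumptions; the log lines are constructed sample data.

```python
import re
from dataclasses import dataclass

# Assumed policy values; the article names the kind of rule, not specific numbers.
MAX_ATTACHMENT_BYTES = 10 * 1024 * 1024        # 10 MiB, hypothetical threshold
WATCH_PHRASES = ("risk-free", "guaranteed return")  # hypothetical watch-list

# Constructed sample gateway log lines (not real data). Assumed format:
# <timestamp> from=<addr> to=<addr> attach_bytes=<n> subject="<text>"
SAMPLE_LOG = """\
2013-11-04T09:12:01 from=jdoe@corp.example to=jdoe@gmail.example attach_bytes=52428800 subject="Q3 customer list"
2013-11-04T09:14:33 from=broker1@corp.example to=client@mail.example attach_bytes=0 subject="Risk-free 12% return this month"
2013-11-04T09:20:10 from=alice@corp.example to=bob@corp.example attach_bytes=20480 subject="lunch?"
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+) '
    r'attach_bytes=(?P<size>\d+) subject="(?P<subject>[^"]*)"$'
)


@dataclass
class Alert:
    timestamp: str
    sender: str
    reason: str


def scan_log(text: str, size_limit: int = MAX_ATTACHMENT_BYTES,
             phrases=WATCH_PHRASES) -> list[Alert]:
    """Return one Alert per rule hit; a message may trigger more than one rule."""
    alerts = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # malformed line: skip it rather than crash the scanner
        size = int(m["size"])
        if size > size_limit:
            alerts.append(Alert(m["ts"], m["sender"],
                                f"attachment {size} bytes exceeds limit"))
        subject = m["subject"].lower()   # case-insensitive phrase match
        for phrase in phrases:
            if phrase in subject:
                alerts.append(Alert(m["ts"], m["sender"],
                                    f"watched phrase: {phrase!r}"))
    return alerts


if __name__ == "__main__":
    for alert in scan_log(SAMPLE_LOG):
        print(alert)
```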

Employees who use smart company devices may find themselves being monitored in other ways – turning on “location services” allows trucking companies to find their drivers at any time; nurses and other medical professionals can be tracked by virtue of the badges they wear; and government employees may find that their cell phones are tracked so that they can be located at any time.

If you’re a company trying to manage the risk of smart devices, then strong policies and training are advised, to show employees the risk and train them on how to keep their computer or device clean at work and at home. As a company, you may also be able to share some of the threat information on computer scams with other organizations and then jointly address the challenge. Finally, spend the time to create proactive security policies and build a strong incident response team that can educate the organization’s employees and clients.

Annie Searle is Principal of ASA Risk Consultants, an independent consulting and research firm that provides confidential assessments of existing corporate plans, identifies gaps and offers customized road maps to increase resiliency. Searle is an affiliate faculty member at the University of Washington’s School of Information, where she teaches courses on operational risk, ethics, policy and law. She is a lifetime member of The Institute of American Entrepreneurs. She was inducted into the Hall of Fame for the International Network of Women in Homeland Security and Emergency Management in 2011.