Security Concerns Using Personal Devices For Work

A surprising number of people use their personal phone for work to one degree or another. If it is for the occasional business call, most companies have nothing to worry about. If, however, they are using the phone to access corporate resources or store company information, it can be cause for concern. Tech Republic has a post with some interesting statistics on this unauthorized use of personal phones for company business.As I said, a surprising number of people are doing company business with their phone - 99 percent according to the article. Most people seem to be using it for phone calls. Roughly a third were using it for email or for note taking. Significantly less than that were using it to access company resources such as documents or to store customer information.

The alarming statistic for me was that 40 percent don't protect their phone with any sort of PIN or password, meaning that all of that data is there for the taking, or worse, data on corporate servers may be at risk. With a lost laptop, there is a good chance it is password protected and modern operating systems support encryption with relatively little effort

Phones generally don't, or if they do, the risk of data loss is too great. For example, Windows Mobile has supported storage card encryption for several years now, but if your phone dies, the data on the storage card essentially dies with it. Unlike Windows XP, Vista or Windows 7, Windows Mobile doesn't generate a recovery key that allows you to access the encrypted data from another device if you have the password. It also means that since the device is the only mechanism that can store or retrieve data on the card, all of the data has to be processed by the device. That can be a painfully slow process to transfer large amounts of data to a card through the phone, even over WiFi. The bottom line is, device encryption is still in its infancy and a pain to use, thus few people voluntarily enable it.

As for using personal devices for work when most companies provide a device, I think the reason for this is relatively simple. The phone is the new PC. Remember years ago when you got a PC from your employer? They were rarely locked down. The "P" stood for "personal" and people did just that. They made the PC their own, from simple things like changing wallpaper to installing applications. Yes, some installed games, but many, myself included, installed apps that enhanced our productivity.

Today, that is harder to do. Installing applications is out of the question and what fun is it to customize the UI of your PC when you cannot get your favorite shot of your kids on there for wallpaper? The phone is a different story though. In many respects, it is the untamed frontier. You can tell your employees not to use personal phones for work, but how can you really stop them? If they can email a document, they can get the document on their phone. They can call anyone they want with their personal phone. They may even be savvy enough hook their phone up to Exchange unless you take steps to block unauthorized devices.

What the employer should do in many cases though isn't tighten the screws. Companies should absolutely know what is accessing their data and what would happen to it if a device were stolen. The answer though isn't always to ban those devices by any means necessary. Phones are a very personal devices to many people. I've been offered devices from companies before that would just be a waste of money, because I'd never consider carrying them around outside of the office, and likely wouldn't carry them around much while in the office. They'd be expensive paperweights. I have certain needs from the device that I will carry around with me everywhere. I'll be able to install software that makes my life more efficient - both my personal and professional life. It will have email applications that are fun and easy to use, and can store both work and personal emails on the device. There are other examples, but you get the point.

Employers should recognize this and work with the employees to ensure that data is protected, devices are secured with a password and that applications aren't a security risk. I would have no problem working with an IT department that would work with employees to make sure company data is safe, while allowing the person some personal freedoms. Happy employees are more productive. Disgruntled employees, those that can't get everything they need out of a company provided device will just start using their personal device, the one that will give them what they want, for business. Whatever they can't get their personal phone to do due to security measures the company has taken to block unauthorized devices, well, those tasks just won't get done as much because that corporate phone will sit in a drawer while the employee engaged in personal endeavors.

Companies should sit up and take notice of where company data is being stored or where it is being accessed from, but they should avoid the knee-jerk reaction to batten down the hatches. They should instead learn what the needs of the employee are and educate the employee on either how a company device can meet those needs or how a personal device must be secured for safety of company data.