Tue, Jul 26, 2016

Is Pokemon Go A No-Go For Your Company Smartphones?

You may have heard about the gaming phenomenon eating up the batteries of smartphones worldwide. Pokémon Go is an augmented-reality gaming app. In fact, Pokémon Go has turned out to be one of the most successful games of all time, with millions of players who seem to quickly become obsessed with it. But it turns out that the app may present risks to players—and your organization's mobile-accessible data—that were never intended by the game's developers.

If your company utilizes mobile phones for data or communication, you may want to consider the unintended hazards of this app.

The risks to companies and employees originate largely from two features of the game: mobile permissions and GPS location tracking. First, to sign up for the game, users must sign in using their Google account or create a Pokémon Trainer Club account. Given the greater ease of use, it will come as no surprise that most users elect to sign in quickly with their Google accounts. Additionally, many companies are utilizing Google Apps for Business, running their company email accounts and sensitive documentation through Gmail and other Google services. And when access is granted to an app using your Google account and password, a number of risks arise immediately.

Second, the game utilizes GPS location tracking in conjunction with Google Maps – a feature that can't be turned off while playing. This feature not only detects your exact location while playing the game, it also encourages going to specific locations around you, and communicates metadata about your movements, where you live and what spots you frequent.

Businesses with company-provided smartphones and networks should seriously consider how these features present risks to their employees and to company data. Here are five questions to help you consider whether this game should be prohibited on your company devices:

1. What Kind of Access and Information Is Typically Stored on an Employee Phone?

There are apps and software that purport to help players improve their performance in the game, but these often involve giving the app or software developer access to a lot of information (phonebooks, SMS and more). They may also carry malware that can be used for identity theft or to obtain credentials to access corporate systems. Even though many apps tell the user the long list of data they are able to access, many people ignore that and allow the app to install. There are also websites that purport to provide game hints, inside information or even ways to cheat. Some may be exactly what they say, but others may be sites that download malware onto your computer when you simply visit them.


2. Criminals Are Using the Game to Lure Players to Locations in Which They Can Be Robbed or Attacked.

If your company supplied the phone and doesn't have any well-known policies in place that would prohibit playing games like Pokémon Go on company-provided devices, what is your liability? Players have also been reported to have trespassed on private property and tried to enter buildings, all in pursuit of various game rewards. It was reported that one of the places that—without ever asking for the "honor"—became the site of a Pokémon "gym," where players match their Pokémon against each other, was a police station. Given recent attacks on police, it should be evident that having a lot of people milling around the station with smartphones—or trying to enter the station—could well make for a tense situation.

3. In Some Instances Players Have Become So Involved in the Game That They Don't Pay Attention to the Real Hazards Around Them, Posing a Risk to Themselves and Others.

If an employee causes someone to be injured or becomes injured himself, can you find your organization named in a civil action suit as the provider of the smartphone—especially if there was no policy against using company equipment to play enhanced reality games? There is a particular risk if employees who are driving company-provided vehicles are involved in an accident while playing the game. This week, a player was so engrossed in the game while driving, he sideswiped a police cruiser. Fortunately no one was hurt, but it could have been a disaster. What if a player gets injured at one of your facilities (perhaps by walking into a plate glass window) because they were inattentive to the real world?

4. Games Like Pokémon Go Are Battery-Intensive, Considering the Use of the Camera, Display, GPS and Communications.

Will they use more data than anticipated, leading to larger-than-anticipated billing from the mobile carrier? Furthermore, will playing the game use up employees' phone batteries, rendering them unable to use their phones? This can pose a particular danger for employees in volatile or foreign locations. Of course, you could also wonder how employees who use smartphones for business processes can do so with dead, or nearly dead, batteries.

5. Where Does Your Insurance Policy Stand?

Because the game has gone from zero to a global obsession in only days, insurers have not had a chance to understand the liabilities and risks, and it is probably not clear which claims relating to your employees playing it might be denied.

At the very least, companies may want to send out a notice to employees outlining the dangers that come with playing the game. Managers may also want to prohibit playing the game on company-provided equipment or loading the software—and particularly related "unofficial" software. Companies may also want to create rules for employees playing these games on company time or on company premises. The best solution may be to get the company's risk manager, human relations manager, CIO and general counsel together to come up with solutions for the risks associated with Pokémon Go and future games.

It's only logical to assume that other apps—perhaps other enhanced reality games—will emerge and will be characterized by explosive growth and problematic consequences for companies and for players. Now is the time to implement policies to protect your organization and your people. If you don't, it's likely that you won't have time to do so before the risks that come with such apps become evident. And by then, it may be too late.
