Apps are an invaluable part of our world now. From work productivity apps to entertainment and game apps, these software programs are often exceptionally inventive and powerful in delivering efficiencies for organizations and also providing a lot of fun to users. However, games like this summer’s craze, Pokémon Go, and similarly viral apps serve as critical lessons for IT departments and organizations of any size as they continually address mobile devices and apps in their systems.
Organizations should assume that the next app craze will hit before they know it, and certainly before there’s a chance to thoroughly vet the risk factors associated with employees’ downloading it onto their mobile devices. For this reason, organizations should focus on coordinating internal efforts to deal with problems before they arise, rather than trying to chase or predict technology. With proper policies and training, organizations can be prepared with reasonable levels of security while balancing out the app and device flexibility that the modern workforce demands.
Before the next app sensation sweeps into the mobile world, here are three reminders:
Everyone shares in the risks associated with mobile devices
Surprisingly, people in organizations large and small continue to take the approach that data security is strictly an IT department concern. What might be worse is many IT departments often allow this mindset to perpetuate which, in this increasingly mobile-driven world, can lead to significant risks. Mobile devices are often mission-critical to performing certain jobs, but all employees must understand and be trained that their devices are vulnerable to the same threats that can affect any computing device – malware, botnets, malicious email, browser attacks, etc.
In the era of mobile and vastly popular apps, striking a balance between device control and employee flexibility is increasingly difficult. Policies, procedures, and practices regarding use of mobile devices in the workspace must be regularly reviewed, updated, and most importantly, enforced, to address potential risks before they become a problem. The initial step, however, is getting everyone to understand and perform their role in the organization’s security and risk management.
Actively manage mobile devices (both company-provided and BYOD) to limit potentially dangerous apps
There are likely many policies related to mobile security in your organization, but setting appropriate permissions is a critically important safeguard, whether employees are using their own devices or one is provided to them. All apps present issues for any network system regarding the permissions they seek. On their personal devices, people may give little thought to the permissions they give to their next downloaded game or app. For devices used at work, such indifference can be detrimental to the organization, because, in addition to many permissions being unnecessary and unneeded, some are potentially dangerous. Consider which app permissions make sense for devices used for work and give clear guidance to employees.It’s also a good time to think about what corporate data you permit to be stored on mobile devices. The old saying that no one can steal data that you don’t have is an apt one. The unknown next app craze could place corporate data on the employee’s device at risk, either through inappropriate permissions or through malware. Ask yourself if the data stored on the device needs to be there, or whether it could be stored on a server and accessed only on an as-needed basis.
Train employees…and then prepare to train them again and again
The instant popularity of apps only serves as a reminder of the importance of training because unique, novel games and productivity apps emerge every day. It is impossible for an organization’s IT staff to review each and every one. Plus, the most popular apps hit so quickly – and sometimes followed by malicious spoofs as well – that an organization will likely not have the chance to conduct a comprehensive review before employees start downloading.
Employee training remains a critical component in an organization’s cyber defenses. It helps ensure that employees have the information and tools they need to properly implement and maintain the privacy and security policies that apply to their use of devices that access corporate data and networks. The most successful organizations make regular training part of the culture as opposed to just reviewing a manual and signing an agreement. Also, it is important to construct a training program that is relevant to job function and the level of sensitive data handling. Employees need to be proactively reminded how they fit into the complex protection of the organization’s data. Generally, when reminded of certain risks, employees will get on board and work to avoid being the cause of data security issues.
There should be no doubt another app is waiting to be written that will become the next popular obsession. The only question is how well organizations will have prepared in advance and readied their employees to protect themselves from security dangers the app will potentially create for the organization’s data and networks.