The way we use technology for our business needs has changed dramatically in the past five years. Personally, I read emails on my phone throughout the day whether I’m near my laptop or not. In fact, I probably read the majority of my emails on the go compared to the days, which don’t seem that long ago, when I was only responding to emails while sitting at my desk.
Working for a professional services firm, where the confidentiality of client information is paramount, I am required to sign our corporate IT policy. The way we use technology in our firm is changing frequently, and our IT policy is updated accordingly to keep pace.
If you can’t remember the last time you were asked to sign your organization’s latest and greatest IT policies manual, perhaps some of the questions below will spur conversation about your organization’s IT:
- Do employees at your organization access email on their phones or tablet devices?
- Is a password required to access your device?
- If your device is unused for a certain period of time, does it time out and require a password to log back in?
- What is the maximum length that should be allowed on your device before the screen automatically locks?
- If the device is personally owned but the organization’s data are accessible, can other members of the employee’s family also use this device?
- If the device is owned by the organization, are employees also allowed to use it for personal use? If yes, how liable is your organization as it relates to the employee’s personal usage?
- Are data on your mobile device encrypted?
- If your device is lost or stolen, can sensitive data be remotely deleted from your device?
- Is your mobile device operating an intrusion detection/prevention system?
- Does your mobile device have anti-virus and/or malware scanning?
Even if you have certain controls in place related to data security on your device and can answer yes to some or all of these questions, does the same hold true for the other individuals in your organization? If the answer to that question is “no,” then that highlights the need of an organization-wide policy related to such controls.
There is a universal risk in your organization regarding sensitive data falling into the wrong hands, but your personal risk tolerance might not be the same as the other individuals in your organization. Incorporating mobile devices into your organization’s policy can be a highly effective way to make sure that everyone is on the same page regarding data security.
As with any internal control system, you have to weigh the benefits received from these items against the cost of implementation. Organizations vary drastically on the level at which they use mobile devices or tablets and the sensitivity of information that is accessed and stored on such devices. The items listed in the questions above are obviously not all requirements, but there may be some items that would likely be prudent to add to your organization’s internal control structure.
Whether your organization just needs to dust off its IT policy or if it feels it is necessary to implement a robust mobile device management system, the changes your organization implements will be an appropriate level of response in relation to how individuals are using technology to access company data and the sensitivity of such data. Then, the next time that you or a colleague loses a mobile device, the impact of that loss will reach no further than the cost to replace the device.