Mobile Technology in Corporate Environments

Risks of Disappearing Privacy

by Flavio Gerbino
time to read: 18 minutes

The borders between work environment and private life appear to disappear before our very eyes. The strict division of private, business and public life is basically impossible to maintain. This tendency does not come without consequences.

Smartphones, tablets, netbooks and notebooks are increasingly present in our everyday lives. This tempts people to use all these devices for both personal and professional matters, an effect that experts call IT consumerisation. Using privately owned mobile end user devices (henceforth called smart devices) and gadgets in a business environment can pose serious risks to the confidentiality of business data and can compromise the user’s own privacy. In addition, employees can unwittingly violate the data protection regulations that apply in a corporate environment.

The main motives for the use of smart devices by employees are comfort, mobility, flexibility, productivity, convenience and commodity, as seen when working outside the office. In addition, the younger generation expects that equipment and technology are available wherever they happen to be. It appears unacceptable to them not to be able to rely on the many features of a smart device during office hours.

But when do office hours end if the division between work and leisure has disappeared? Without a time limit, the creed appears to be that whatever provides advantages, efficiency, mobility, fun and distraction in our private lives must also be useful in a business environment.

Despite the many apparent advantages, the influx of smart devices into the corporate environment can be problematic, because these are consumer devices and therefore not built for use in such an environment. They often lack basic security features such as access restriction, encryption or virus protection. In addition, the devices have open, unsecured interfaces to social media providers, public cloud and collaboration services and private mail accounts. The applications – usually referred to as apps – are not tested for corporate use, and using certain apps runs the risk of transferring data to third parties.

This leads to an uncontrollable risk.

Paradigm Shift

Regardless of which concept for integrating smart devices we are talking about, they are all variants of the same basic schemes:

In order to better understand the melding of the formerly strictly divided spheres of leisure and business, we can look at the technological as well as cultural development.

Technology

Past                                        Present
------------------------------------------  ------------------------------------------------------------------------------
Single device type                          Multiple device types
Fixed, stationary workspace (desktop PC)    Mobile and home office
LAN access                                  Multiple access points (LAN, Wi-Fi, VPN, mobile data such as EDGE, GPRS, UMTS, LTE) etc.
Company-provided                            Mix of BYOD, COPE, CYOD and company-provided
On-premise, in-house engineered solutions   Software as a Service (SaaS) consumption, on- and off-premise

Society and culture

Mobile Devices in the Corporate Environment

Company                                                        Employee / User
-------------------------------------------------------------  -----------------------------------------------------------------------
Wants to be an attractive employer                             Wants the newest devices
Wants to increase flexibility and mobility of employees        Wants to be mobile, use a home office or perform work tasks during a commute
Considers the risks of mobile technology                       Wants to be able to work at any time
Looks for reasonably cheap solutions (TCO)                     Wants quick and mobile access to corporate data and resources
Necessity dictates a division into user groups                 Access regardless of device or physical location (coherence)
Looks for solutions to business problems; these solutions      Cost efficiency (personal perspective when the device is paid for by the user)
  might not be compatible with the employees’ private use cases

Influences on the Use of Mobile Devices in the Corporate Environment

Technology                                                     Compliance, Laws and Regulations
-------------------------------------------------------------  -----------------------------------------------------------------------
High speed of innovation                                       Stricter laws and regulations
High rhythm of innovation                                      New standards and best practices (cyber security)
Innovation occurs in waves                                     Raised awareness (cybercrime in the media, sensitive data, personal data)
Is adopted by employees much earlier than the company adopts it  Federal Act on Data Protection
                                                               Regulators of all kinds, such as FINMA for banks

Security Requirements

Effective security measures must therefore go far beyond aligning related areas of technology such as versioning of operating systems and apps, support, device management, public and private networks and virtualization. They require a comprehensive consideration of technological, legal, conceptual and societal factors.

Regulatory measures, laws, standards and reviews of current risk management strategies are also required.

The need to protect the privacy of employees must not be overlooked either. Neglecting it can easily lead to collateral damage: mishandling personal employee data and violating their privacy can lead to unpredictable reputational damage once this data becomes available to the public.

In this context it is worth mentioning that the intended increased availability of employees even after they have left the office – which is supposed to bring great advantages in mobility and flexibility – can lead to violations of employee rights. Business-related enquiries outside of the employee’s designated working hours can be perceived as an unwelcome source of stress.

Pragmatic Approach to Designing Measures in Corporate Environments

Security measures can be approached in any number of ways. One is to categorize employees on the basis of the sensitivity of the data they access with their smart devices.

Based on these basic categories, we can define a set of general, rudimentary measures that apply to both categories.

For more specific protection measures for both user types, a further distinction can be made depending on whether an employee gets read-only access to data or is allowed to store data on their smart device:

Depending on that decision, controls with different specifications and protection levels have to be put in place. Because listing them all would make this article almost endless, I will give you some food for thought in the form of an incomplete list:

Again, the privacy of employees must be maintained in a structured, planned way. If IT support has access to the device during a support case, support will also have access to personal data.

Risk Based Approach

In order to compile a risk management strategy, there needs to be a method that explains how to deal with the risks of smart devices in the corporate environment. A risk matrix appears to be the most sensible approach.

One axis captures the exposure criteria, such as the possible implications of how the device is used; these are the corporate requirements. The other axis lists the impact the information itself can have. Combining the two yields the potential risk.

Likelihood

The rudimentary and general corporate requirements can themselves be divided into two short questionnaires that serve as an indicator of the likelihood of an incident.

Device and Functionality Properties
Privately Owned Device             Yes / No
Offline Storage                    Yes / No
Remote Access                      Yes / No
Encryption                         Yes / No
Other (e.g. Cross Border)          Yes / No

Third Party Access
Likelihood of Theft                High / Medium / Low
Likelihood of Accidental Loss      High / Medium / Low
Likelihood of Malware Infection    High / Medium / Low

Based on this, we can assess the Likelihood.

Assessed Likelihood: High

Potential Damage

The potential damage describes the risk that the information itself poses to corporate interests, be they internal or external.

Potential Damage Classification
Classification          Public    Internal    Confidential    Secret
Data Records            None      One         Few             Many
Impact on Reputation    None      Low         Medium          High
Confidentiality         None      Low         Medium          High
Integrity               None      Low         Medium          High
Availability            None      Low         Medium          High
Other (e.g. CID)        None      Low         Medium          High

Based on this, we can assess the Information Risk.

Assessed Information Risk: Medium

Combining the Corporate Risk (the assessed likelihood) and the Information Risk (the assessed potential damage), we can use this matrix to visualize the classifications.

                          Potential Damage
                          None   | Low    | Medium | High
Likelihood    High        [    ] | [    ] | [    ] | [    ]
              Medium      [    ] | [    ] | [    ] | [    ]
              Low         [    ] | [    ] | [    ] | [    ]
              None        [    ] | [    ] | [    ] | [    ]
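The two questionnaires and the matrix above can be turned into a small, repeatable assessment. The following Python is an added worked example and not code from the article: the questionnaire rows and the two matrix axes follow the article, but the point weights, the thresholds and the values in the matrix cells are assumptions made here, because the article leaves the cells blank. The sample device and information profiles are constructed so that they reproduce the article’s example outcome (likelihood High, information risk Medium).

```python
"""Smart-device risk matrix: likelihood questionnaire x potential damage.

Added worked example, not code from the article. The questionnaire rows and
the four-by-four matrix axes follow the article; the point weights, the
thresholds and the values in the matrix cells are assumptions made here,
because the article leaves the cells blank.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    """Ordinal scale shared by likelihood, potential damage and resulting risk."""
    NONE = 0
    LOW = 1
    MEDIUM = 2
    HIGH = 3


@dataclass(frozen=True)
class DeviceProfile:
    """Answers to the 'Device and Functionality Properties' questionnaire."""
    privately_owned: bool
    offline_storage: bool
    remote_access: bool
    encryption: bool
    other_exposure: bool        # e.g. cross-border use
    theft: Level                # 'Third Party Access' block
    accidental_loss: Level
    malware_infection: Level


@dataclass(frozen=True)
class InformationProfile:
    """Answers to the 'Potential Damage Classification' questionnaire."""
    classification: str         # Public, Internal, Confidential, Secret
    data_records: str           # None, One, Few, Many
    reputation: Level
    confidentiality: Level
    integrity: Level
    availability: Level
    other: Level                # e.g. CID


# Column order of the damage table, mapped onto the ordinal scale.
CLASSIFICATION = {"Public": Level.NONE, "Internal": Level.LOW,
                  "Confidential": Level.MEDIUM, "Secret": Level.HIGH}
DATA_RECORDS = {"None": Level.NONE, "One": Level.LOW,
                "Few": Level.MEDIUM, "Many": Level.HIGH}

# Assumed cell values: rows = likelihood, columns = potential damage,
# both ordered None, Low, Medium, High (the article leaves the cells blank).
RISK_MATRIX = [
    [Level.NONE, Level.NONE,   Level.LOW,    Level.LOW],     # likelihood None
    [Level.NONE, Level.LOW,    Level.LOW,    Level.MEDIUM],  # likelihood Low
    [Level.NONE, Level.LOW,    Level.MEDIUM, Level.HIGH],    # likelihood Medium
    [Level.NONE, Level.MEDIUM, Level.HIGH,   Level.HIGH],    # likelihood High
]


def assess_likelihood(device: DeviceProfile) -> Level:
    """Score the device questionnaire (assumed weights) into a likelihood level."""
    # Each property that widens exposure adds one point; encryption removes one.
    score = sum([device.privately_owned, device.offline_storage,
                 device.remote_access, device.other_exposure])
    if device.encryption:
        score -= 1
    # The third-party-access block contributes its worst answer (0..3).
    score += int(max(device.theft, device.accidental_loss, device.malware_infection))
    # Assumed thresholds on the resulting -1..7 range.
    if score <= 0:
        return Level.NONE
    if score <= 2:
        return Level.LOW
    if score <= 4:
        return Level.MEDIUM
    return Level.HIGH


def assess_damage(info: InformationProfile) -> Level:
    """The damage level is the worst answer in the classification table."""
    return max(CLASSIFICATION[info.classification], DATA_RECORDS[info.data_records],
               info.reputation, info.confidentiality, info.integrity,
               info.availability, info.other)


def rate(likelihood: Level, damage: Level) -> Level:
    """Look up the combined risk in the matrix."""
    return RISK_MATRIX[likelihood][damage]


def assess(device: DeviceProfile, info: InformationProfile) -> dict:
    """Run both questionnaires and combine them via the matrix."""
    likelihood = assess_likelihood(device)
    damage = assess_damage(info)
    return {"likelihood": likelihood, "damage": damage, "risk": rate(likelihood, damage)}


# Constructed sample: a private, unencrypted phone with offline storage and
# remote access, holding a few internal records. Reproduces the article's
# example outcome (likelihood High, information risk Medium).
EXAMPLE_DEVICE = DeviceProfile(
    privately_owned=True, offline_storage=True, remote_access=True,
    encryption=False, other_exposure=False,
    theft=Level.HIGH, accidental_loss=Level.MEDIUM, malware_infection=Level.MEDIUM)
EXAMPLE_INFO = InformationProfile(
    classification="Internal", data_records="Few", reputation=Level.LOW,
    confidentiality=Level.MEDIUM, integrity=Level.LOW, availability=Level.LOW,
    other=Level.NONE)

if __name__ == "__main__":
    for key, value in assess(EXAMPLE_DEVICE, EXAMPLE_INFO).items():
        print(f"{key:10s} {value.name}")
```

The matrix is kept as explicit data rather than a formula so that the cells can be filled in from the organisation’s own risk appetite; the scoring thresholds in assess_likelihood are the other place where a practitioner would substitute their own calibration.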

Summary

From a corporate point of view, all employees can cause extensive damage with their personally owned smart devices in a corporate environment. Smartphones, tablets and other smart devices can compromise business data, client data and the personal data of employees. And as we all know, this has happened repeatedly. Disregarding this clear and present risk will undoubtedly lead to serious consequences.

In order to identify and successfully exploit the advantages of privately owned devices in the corporate world, there needs to be a solid strategy that includes technological, legal, cultural and societal aspects and trends. And, of course, an intelligent balance between the freedom of employees to use whatever smart device they see fit in a corporate environment and the limitations needed to protect business and personal interests.

From an employee point of view, the blending of private and business life seems to be full of advantages at first glance. It appears as if using privately owned devices expands personal freedom into the users’ business environment. However, the opposite can be the case. In a globalized, largely digitalized economy where the borders between private life and business disappear, personal data is a considerable resource that can lead to extremely lucrative business. Therefore, employees should be made aware that they should keep their private lives private. Sadly, the trend goes in the opposite direction.

As we can see in the media, the emphasis is on problems with data protection and the protection of privacy. At the same time, hopes for simple and quick solutions of a technological, societal or legal nature, such as Privacy by Design, vanish into thin air. Even though the discussion about mass surveillance by secret services rages everywhere, along with the subjects of data protection and the steady mixing of private, public and business life, many feel as if they are unaffected by this.

This indifference regarding privacy seems highly problematic to me.

About the Author

Flavio Gerbino

Flavio Gerbino has been in information security since the late 1990s. His main areas of expertise in cybersecurity are the organizational and conceptual security of a company.
