Is Your BYOD Policy Prepared for Pokémon GO?

Young people using smartphones
The stories have been hard to miss. Hundreds to thousands of young people are gathering in places like New York City’s Central Park or even close to our headquarters to play the extremely popular smartphone and tablet game Pokémon GO. While the game has led to some scary real-life situations for users, it can also lead to something scary for businesses: the risk of a data breach.

While Pokémon GO creator Niantic has taken steps to make its game more secure and more respectful of users’ privacy, many other mobile apps that users might download don’t offer the same protections. That should be unsettling for any business that allows employees to connect to company email servers and networks with their personal devices — a practice known as bring your own device (BYOD).

Malicious apps that can access large amounts of confidential information or hold devices hostage with ransomware aren’t the only thing BYOD companies have to be concerned about. Here are some additional security risks of BYOD and how your company can prepare for them.

Do You Know Who's Prying?


Imagine this scenario: One of your sales reps is on the road, but she needs to access and update a contract that lives on your local network.  She stops at a coffee shop and connects to its public WiFi. Little does she know that WiFi hot spot is also the target of a hacker who is swiping unencrypted data from everybody who’s connected to that router. The data sent and received by your sales rep can be easily poached by the hacker and released to the public on the Internet, sold on the black market or held for ransom.

Public WiFi hot spots can be a scary place to connect, not because of the location but because you never know who is there to do more than check email. That’s why it’s important to have your employees use a virtual private network (VPN) to connect to the company network remotely. A VPN encrypts the data moving between the employee’s device and the company network, making it much more difficult for a hacker to access the data.

Do You Know Where Your Device Is?


Think you felt bad when you recently misplaced your iPhone? How do you think one Apple employee felt when he left an iPhone 4 prototype in a bar in 2010? Lost or stolen devices can give just about anybody instant access to company data if the devices aren’t properly secured. In fact, almost 70 percent of data breaches in the healthcare industry between 2010 and 2014 were caused by stolen devices. A $700 iPhone can feel pretty insignificant compared to millions of dollars in data recovery costs.

Personal and company-provided devices alike can easily go missing. A misplaced smartphone is practically inevitable. However, even minimal security practices can help keep devices from turning into goldmines for hackers. Locking functions such as the iPhone’s PIN code or the Android’s pattern lock can keep people out, while a remote memory wipe program can go a step further by deleting the device’s data from afar. Even if a hacker does gain access to the phone, there won’t be any data for them to corrupt or hold for ransom.

When Was the Last Time You Updated?


Unlock your iPhone and open the App Store. How many updates are waiting for you? Are you using the latest version of your operating system (OS)? Some of us obsess over getting everything updated as soon as possible, but not everybody is in a hurry when a round of updates appears in the queue. Many people resist updating apps and OSes because of functionality problems caused by past updates.

However, not updating OSes and apps can leave devices vulnerable to attack. Most updates exist to fix known glitches or close security vulnerabilities rather than to add or remove features. Even traditional PCs require occasional updates to improve security — smartphones, tablets and apps are no different.

If an OS update is released, have your IT department test it to make sure it doesn’t affect the functionality of any business-critical apps your BYOD employees use. If there are no issues, inform your employees that they need to run updates as soon as possible to help keep company data secure. Also remind employees to routinely update their apps to close any known security holes.

You Downloaded What?


Daniel was really interested in a particular smartphone app’s organizational features, so he didn’t pay much attention to the terms and conditions or the permissions he allowed when he downloaded it. Daniel unknowingly gave the app access to every bit of data on his phone — from web and search history to emails. What started as a quest to be more productive led to the risk of company emails with sensitive information landing in the wrong hands.

Apps that request broad permissions can be especially problematic if your employees access company email through their device’s built-in email app. These apps typically store email data locally on the device, meaning another app that’s been given access to that data can give hackers or malicious developers the ability to browse confidential corporate emails.

Your employees should always be careful about what they’re downloading to their personal devices, but you should have an acceptable use policy if they’re also accessing company emails or networks from the same devices. Require employees to double check the permissions and validity of every app they use. While it might be tedious and require the deletion of a much-enjoyed app, a security breach sourced from a remote personal device should be treated no differently than an on-site security breach.

Despite the risks, BYOD offers small- to medium-sized businesses an excellent way to avoid the costs associated with purchasing and servicing company-owned devices. However, without strict BYOD policies and procedures, you’re susceptible to data breaches that can turn into nightmares.