Bring Your Own

woman-on-cell-phone-22A mention of the use of their own electronic devices by company employees in one of our recent Fraud in the News items prompted a reader to state in a comment that she was under the impression that a ‘bring your own device’ policy could be ‘quite risky’ for any company who implements one.  Our reader is right in that many of today’s personal devices are prone to security vulnerabilities.  I remember reading in the trade press not long ago that more than half of all Android devices have security flaws that could be exploited by malicious applications to gain access to the data stored on them.

In addition, unsecured portable devices may be vulnerable to security exploits such as unauthorized carrier billing charges charged by cyber criminals; illicit sign up of costly premium text messaging services and installation of spyware that can steal sensitive data, including credit card numbers, e-mail account log-on credentials, on-line banking credentials, and contact list information.  Another significant concern for organizations that we’ve highlighted many times in this blog, is e-discovery litigation associated with storing company email and data on devises outside company control. Moreover, unsecured storage of sensitive customer information increases regulatory exposure.

So why do companies do it?  Among other benefits, the main reason seems to be that businesses can save significant outlays on overhead resources when employees are able to use their own smartphones, laptops, and tablets to do their assigned work.  Other related benefits accruing to the client company include:

— Easing overhead by eliminating the need to manage a service provider.
–Eliminating overhead needed to monitor usage and cost overruns exceeding contractual limits.
–Eliminating the need to manage and pay for service plans, individually managed calls, and data usage.
–Increasing employees’ productivity by enabling them to work when traveling or away from the office.
–Eliminating or reducing IT infrastructure resources and associated costs.
–Providing a recruiting incentive for prospective employees who want to use their own devices.

However, bring your own device programs can introduce data security, compliance, and privacy risks such as data leakage when employees forward sensitive documents to unauthorized individuals or make them available through unsecured cloud file-sharing providers. Fraud examiners should consider recommending that, to mitigate these concerns, our client organizations need to have an effective bring your own device policy in place, including, if they can afford it, some kind of automated mobile device management solution.  For our part, as part of our fraud risk assessments, CFE’s should request and obtain technical support in evaluating compliance with the policy and assess the mobile device management system’s ability to provide multi layered security, policy enforcement, and control across a variety of devices.

A mobile device management solution is a fraud prevention best practice that can enable your client organizations to manage employee-owned portable devices and enforce security policies remotely once employees have installed the software on their devices and agreed to the organization’s terms and conditions.  Ideally, a mobile device management system solution should strike a balance between providing enterprise security and preserving the employee’s user experience, convenience, and privacy.  Indeed, some products can configure portable devices to have two separate logical “containers” that segregate business from personal data. This method permits the employee’s personal data to remain private while enabling the organization to control only the business container where the organization’s apps, data, and email reside.

So what security capabilities should CFE’s expect the mobile device management system to support?

— Anti-malware and firewall policy. Mandates installation of security software to protect the device’s apps, content, and operating system.
–App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.
–App-vetting policy. Ensures that only trustworthy “white listed” apps can be installed; blocks “black listed” apps that could contain malicious code.
–Encryption policy. Ensures that the contents of the device’s business container are encrypted and secured.
–PIN policy. Sets up PIN complexity rules and expiration periods, as well as prevents reuse of old Pins.
–Inactive-device lockout policy. Makes the device inoperable after a predetermined period of inactivity, after which a PIN must be entered to unlock it.
–Jail break policy. Prohibits unauthorized alteration of a device’s system settings configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.
–Remote wipe policy. Erases the device’s business container contents should the device be lost or stolen.
–Revoke access policy. Disconnects the employee’s device from the organization’s network when the mobile device management system’s remote monitoring feature determines that the device is no longer in compliance.

Clients who are too small or which lack the funds to implement a fully operational mobile device management solution can still take steps to protect their data on employee mobile devices by:

–Setting the Bluetooth feature to non-discoverable mode or disabling it altogether if it’s not needed. This can protect against connections with other devices that could upload malware.
–Using a virtual private network (VPN) or secured website connection when accessing company email and data through a public Wi-Fi hotspot.
–Not forwarding company email messages to non-company computer systems, personal email accounts, cloud service providers, or file-sharing services, which may cause data leakage.
–Protecting against unauthorized observation of sensitive information in public places.

Furthermore, organizations should advise employees to consult their owner’s manual or seek assistance from their service provider if they are unsure of how to configure their personal devices for optimal security.

Several clients for whom I’ve worked have instituted an equitable employee reimbursement policy to compensate employees for work-related activities on their personal devices when such work is mandated by the organization. Employees are accountable for paying their monthly bill to their service provider because a contractual relationship exists between them, not the organization. Two popular compensation models to consider are a monthly usage stipend or expense reimbursement based on the percentage of use for business purposes. Regardless of the model used, CFE’s should evaluate reimbursement practices to ensure controls are in place to prevent fraud or abuse, as well as to assess compliance with compensation policies.

Based on growth projections for the use of personal devices in the workplace and the associated risk, CFE’s should consider the adequacy of existing client policies to protect proprietary and sensitive information. Moreover, it’s important for the overall fraud prevention program that mobile device use policies and practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations.

Leave a Reply