Where networking and knowledge intersect.
Pascal A. Bizarro, Ph.D., CISA, Andy Garcia, Ph.D., CPA and Jacob Nix
Mobile devices refer to a wide variety of handheld computing devices that allow people to access and process data by running various types of application software (apps). These devices include cell phones and tablets and often are equipped with Wi-Fi, Bluetooth and Global Positioning System (GPS) capabilities, allowing connections to the Internet. Specialized operating systems (OSs) manage the devices.
To grow and survive, enterprises must be proactive in improving their operations. By allowing employees to utilize personal mobile devices, (i.e., instituting bring your own device [BYOD]), enterprises are able to cut costs, improve productivity and improve client service. Before implementing a new policy that allows employees to use their personal mobile devices, enterprises should conduct a thorough risk assessment and understand the necessary controls that need to be implemented.
The benefits of implementing a mobile device in a corporate setting include improved employee productivity, enhanced client relations, additional recruiting incentives and increased employee morale. The specific risk factors that need to be addressed are possible loss of confidential company information if the device is lost and/or stolen, the vulnerabilities of the different mobile device OSs, and the weakness of apps that are not verified. The controls discussed include implementing a strong usage policy and controls over applications, requiring passwords, and utilizing data encryption. Given all of the information, best practice recommendations are made regarding the proper implementation procedures and risk analysis over business use of personal mobile devices.
Risk exists with the implementation of personal mobile devices in business, but with risk comes reward. One of the greatest challenges to management is finding new ways to improve the cost structure, increase efficiency and improve productivity. By allowing employees to access their work from their personal mobile devices, they can utilize time that would otherwise be wasted on long commutes, while waiting for client meetings or even waiting for their child’s soccer game to begin.
In a recent study at the Florida Institute of Technology, mobile devices were shown to increase respondents’ productivity 62.5 percent of the time and greatly increase their productivity 18.8 percent of the time.1 This is just one of the numerous studies showing that mobile devices increase productivity. Along with an increase in productivity, enterprises can help reduce their hardware costs by implementing policies that allow employees to use their own mobile devices. Employees want to be able to utilize their own phone for convenience. The entire smartphone movement revolves around minimizing the devices a person carries. Allowing employees to carry one phone that acts both as a personal and a business phone helps satisfy this demand. To help entice employees to utilize their phones, some enterprises reimburse a portion of employees’ smartphone plans.2 By doing so, it acts as both a benefit to employees and a cost savings for enterprises, which no longer have to pay for the entire phone plan as has been the case historically for company-issued phones.
Beyond saving enterprises money, mobile device usage can help employees better serve their clients. Not only can employees access their email, voice mail and receive calls no matter where they are, they can also utilize company-designed software to help better serve the needs of their clients. In a recent study, IBM redesigned its own application from a learning tool into a performance support system to help its employees better serve clients. “When client-facing employees lack comprehensive information sources on internal company networks or external web materials, the Mobile BluePages directory provides immediate access to IBM subject matter experts who can help with client-query issues.”3
The use of mobile devices to better answer client questions and serve their needs is beneficial in a client-serving business, for example, consulting. Consultants are supposed to have all of the answers for their clients and often when meeting face-to-face, the answer is needed on the spot. By utilizing mobile device technology, enterprises can better prepare and support their employees while they are in the field.
Beyond internally developed apps, mobile devices allow employees to improve their day-to-day operations with externally developed apps. Although the danger of apps needs to be discussed, there are beneficial apps for business use. A series of apps exists that can streamline current everyday tasks. For example, Cisco offers an application for mobile devices called Cisco WebEx. This application allows people to connect to meetings wherever they are, and use it to schedule and begin meetings, view documents, and access screen sharing. A variety of applications exist that allow users to access the cloud via a mobile device.4 When used properly, this could not only benefit an organization via an increase in productivity, but also could reduce the risk of data loss. Along the lines of minimizing the amount of technology that employees have to carry, RSA SecurID now has an app that replaces the RSA key fob, a type of security token. Utilizing the app allows users to continue two-factor authentication via a token that is sent to their mobile device instead of the traditional security token.5
Among the benefits discussed there are additional opportunities available to specific industries and situations associated with mobile devices. The versatility and flexibility that a mobile device policy provides an organization continues to increase as technology advances. The competitive advantage associated continues to grow as newer, smaller, faster and cheaper mobile devices are developed and produced, allowing for more efficient and effective technology that will increase the current benefits of using mobile devices in a corporate setting.
A major concern when implementing personal mobile device usage is the variety of OSs available on mobile devices (e.g., iOS, Android). For mobile device usage to be successful, some argue that organizations must allow employees to use the OS of their choice, creating a challenge for the IT department to understand the environment for each OS.6
Regardless of the OS environment, the most prominent risk that enterprises need to be aware of is the possible loss of confidential information due to employees losing their devices or having them stolen. In a recent report, European Network and Information Security Agency (ENISA) described the risk of a mobile device being lost or stolen and its internal or external memory being unprotected/unencrypted as “medium likelihood, high impact and high risk.”7 Historically, the loss of confidential information due to laptops being stolen has been well documented and publicized.8 This can cause a great deal of harm to an enterprise’s reputation. In contrast, mobile devices are smaller, lighter and more portable than laptops; therefore, one could argue that the likelihood of a mobile device being lost or stolen is higher than that of a laptop.
Employees using mobile devices for business and personal use can create opportunities for hackers to gain access to the enterprise’s network through the employee’s smartphone. Employees are using their mobile devices to shop online more frequently.9 The number of users who used their mobile devices for this purpose increased from the previous year to approximately half of all smartphone users. The risk involved with this situation is hackers developing malicious applications to steal personal information and gain access to the enterprise’s network.10 A risk of employees using their personal mobile devices is that they will use it for purposes that pose risk to the business information contained within the phone.
Although all OSs have weaknesses due to the possibility of malicious applications, some are more vulnerable than others. What some believe to be Android’s advantage is also what others believe to be its biggest disadvantage when it comes to security—the open source nature of the Android Market.11 It is estimated that “Android users are now two-and-a-half times more likely to encounter malware than they were six months earlier.”12 A virus that infected many apps in March 2011, called the Droid Dream, led to 50 apps being targeted by the virus.13 This is just one example of the issue of allowing employees to utilize their personal phone for business purposes. When employees have company information contained within the phone, as well as access to the enterprise’s network, there is a major concern that a hacker may access sensitive information when hacking the mobile device.
There are a wide variety of risk factors that can be specific to businesses, the most prominent of which are the variety of OSs that can be utilized, the loss of confidential data, the possibility of allowing hackers into the enterprise’s network through malicious apps and OS-specific vulnerabilities.
Before implementing a policy to allow employees to utilize their own mobile devices for business use, it is important to understand how it will specifically impact the business. The largest challenge in implementing a policy around mobile device usage is preventing the loss of data. Employees will want to continue to utilize their apps and carry their phone with them, so it is imperative to develop controls and address all risk by either mitigating, accepting, transferring or avoiding it.
As with any risk, organizations must decide how to address the use of personal mobile devices by employees. When addressing risk there are four methods organizations typically utilize. In this situation, however, only two options are applicable. Because of the confidential nature of the data, transferring the risk by purchasing an insurance policy or simply ignoring the risk is not an acceptable method for addressing the risk. Therefore, disallowing employee use of personal mobile devices for business activities to avoid the risk altogether, or mitigating the risk through a proper risk assessment and implementation of controls is the only acceptable option to address the risk.
The trends with this technology have shown that business use of personal mobile devices, or the BYOD movement, is here to stay and arguably the best approach to the risk involved is mitigation. A recent ISACA survey conducted about consumer behavior and BYOD “shows that two-thirds of employees between the ages of 18 and 34 have a personal device they use for work purposes. …However, the fact that the majority of respondents say the risk outweighs the benefits means that education and precautions are strongly needed.”14
To compete, organizations will have to implement a mobile device management (MDM) policy and software solution that allows for their use to at least some degree. It is imperative for organizations to understand how to mitigate the risk involved and this section focuses on the mitigating techniques in addressing the risk involved with BYOD policies.
The banking industry has been on the forefront of adopting this policy. One bank has taken an interesting approach in mitigating the risk by allowing only top management to utilize their own devices on a test basis to better understand the implications. Also, the financial institution does not allow employees to download corporate data onto their devices, making it policy for employees to have to sign into the company’s virtual private network (VPN) to access data.15 This approach, if implemented properly, can significantly reduce the risk of losing confidential information due to the phone being lost or stolen. This would have to be implemented on a technical level, not just in policy, to ensure that it is followed.
By not allowing downloads to mobile devices from the corporate server, the enterprise could effectively mitigate the most pertinent risk involved with implementing a policy of business use of personal mobile devices. MDM software provides centralized management of enterprise-owned or personally owned mobile devices offering services such as remote control (e.g., backup and restore, blocked and wipe functionalities, or GPS tracking), Firmware Over the Air (FOTA) updates and policy application. Sandboxing is another solution for keeping corporate data separate from personal data. The system works behind the mobile device’s operating system and maintains two distinct “containers,” allowing for seamless integration of both corporate and personal information while still providing proper risk control over the company’s data.
To mitigate the risk of malicious applications, there are several methods to consider. If the phone is to be used for enterprise purposes, it would be pertinent to require employees to abide by a white list of applications that can be installed on the phone.16 There is a challenge with such a policy, as employees may resist since the devices are personally owned. However, if the IT department frequently updates the list and allows employees to submit requests for applications to be added, this could be very successful in practice.
Multiple options are available when protecting against the risk of stolen data. A Google-based Android operating system offers the ability to remotely wipe a mobile device through Google Sync. This feature allows the user to wipe all device- based data by logging onto the Google apps control panel. This app does not, however, protect against files saved on a Secure Digital (SD) memory card. A second option to protect against the risk of stolen data is the app called Android Lost. This app allows the end user to control the device remotely and, among other features, remotely wipe the data on the mobile device as well as the SD memory card. After installation, the user has access to a simple user interface on the face of the phone itself (see figure 1). Once activated the owner can access and protect the mobile device remotely.
Apple’s iPhone also has a similar app available for free to users, called Find My iPhone. This app allows users to locate the mobile device, send a message to the person who finds the phone, remotely lock the device and wipe the internal memory (see figure 2). Apple’s mobile devices offer an additional layer of security in their hardware configuration by excluding an external memory card slot. Therefore, once the user wipes the internal memory, the data are no longer vulnerable to attack. This is unlike a device using an external memory card, which has the residual risk of the data being recovered via data recovery software after the wipe is performed. Not using an external memory card can remove this risk, although this may be difficult to control.
Passwords can be viewed as an interruption or a productivity killer by employees. However, one of the best defenses against the loss of data and the installation of applications while the phone is left unattended is a simple password mechanism. Both Apple’s iOS and Android systems offer a four-digit PIN system. Android offers a pattern or puzzle as a password instead of a PIN.17 Although these passwords are simple and can easily be cracked, it is a simple first line defense to help enhance security.
Even if an organization takes every precaution, including logical access controls with mobile devices, it is important to implement an encryption policy and method, especially for phones that allow external memory cards to be utilized, such as Android phones. “Encryption will conceal your drive’s data and make accessing the files almost impossible for anyone who does not know your encryption password.”18 Encryption is a powerful tool that should always be utilized, especially when it comes to corporate information and data to maximize security.
With all controls, it is important to verify that they are sufficient and working properly. The utilization of a Certified Information Systems Auditor (CISA) to review the controls and policies in place can help detect any weaknesses and strengthen existing practices through the auditor’s report and best practice recommendations. The inclusion of an IS auditor in the audit of an information system can make the system more effective, efficient, reliable and safe to use.19 Not only can the involvement of an IS auditor help ensure that the controls are in place and working properly but also improve the controls and system.
The bottom line when it comes to controlling the risk associated with employees using personal mobile devices is the implementation of a proper policy that is tailored to the business risk based on a risk assessment. It is not enough simply to have a security policy; enterprises must have a specific policy to address the risks involved with the use of mobile devices. It is important to focus on preventing the loss of data.20
The implementation of a policy that allows employees to use their personal mobile devices for business purposes can create additional benefits including cost savings. The business use of personal phones can create additional risk that companies must consider as part of a risk assessment. Currently, smartphone technology and the policy regarding business use of personal mobile devices in particular favors service companies; however, applications are being developed and released daily that can improve efficiency and effectiveness across all sectors, whether it be a scheduling application for construction jobs or applications that help customer service representatives better serve customers.
Because of the nature of the technology, it is essential to implement best practices to help guide the organization as mobile devices evolve. It is important to begin this process by evaluating the costs and benefits for the organization by implementing business use of personal mobile devices. Organizations should reevaluate this analysis periodically to verify that the benefits continue to outweigh costs. When implementing, it is also important to conduct a thorough company-specific risk assessment after identifying the risk factors. Additionally, a company should address risk by avoiding or mitigating risk and implementing appropriate controls. In this case, it is important to implement policies and controls to mitigate risk, as well as have an IS auditor review the controls and policies in place.
1 Kalkbrenner, Joseph; Atefeh McCampbell; “The Advent of Smartphones: A Study on the Effect of Handheld Electronics on Personal and Professional Productivity,” Journal of Applied Global Research, 4(8), 2011, p. 1-92 Quittner, Jeremy; “Bracing for BYOD,” Bank Technology News, January 2012, p. 6-83 Ahmad, Nabeel; Peter Orton; “Smartphones Make IBM Smarter, But Not As Expected,” Study, T+D, 20104 Buckley, Rob; “Facing Up to the Mobile Revolution,” SC Magazine, May-June 2011, p. 20-265 Ibid.6 SonicWALL Inc., 10 Best Practices: Controlling Smartphone Access to Corporate Networks, USA, 20107 Hogben, Giles; Marnix Dekker; Smartphones: Information Security Risks, Opportunities and Recommendations for Users, European Network and Information Security Agency (ENISA), 20108 Friedman, Jon; Daniel V. Hoffman; “Protecting Data on Mobile Devices: A Taxonomy of Security Threats to Mobile Computing and Review of Applicable Defenses, Information Knowledge Systems Management, 2008, p. 159-1809 Acohido, Byron; “Hackers Find New Path Into Networks,” USA Today, 30 November 2011, p. 1b, referencing ISACA’s BYOD survey10 Ibid.11 Ibid.12 Ramsay, Maisie; “Mobile Malware & the Looming Security Storm,” Wireless Week, December 2011, p. 22-2613 Ibid.14 ISACA, “ISACA Survey: Bring Your Own Device (BYOD) Trend Heightens Online Holiday Shopping Risk,” 2011, www.isaca.org/About-ISACA/Press-room/News-Releases/2011/Pages/ISACA-Survey-Bring-Your-Own-Device-Trend-Heightens-Online-Holiday-Shopping-Risk.aspx15 Op cit, Quittner16 Op cit, Hogben and Dekker17 Rodriguez, Armando; Nick Mediati; “Have You Seen This Lost Phone?,” PC World, November 2011, p. 79-8318 Mediati, Nick; “Secure Your Life in 12 Steps: Learn How to Lock Down Your Computer, Your Home Network, Your Identity—Even Your Phone,” PC World, June 2011, p. 58-6619 Kanhere, Sujata; “IS Audit and Security Professionals: An Emerging Role in a Changing World Order,” ISACA Journal, vol. 5, 2009, p. 1-420 Op cit, Buckley
Pascal A. Bizarro, Ph.D., CISA, is an assistant professor of accounting in the department of accounting and management information systems at Bowling Green State University (BGSU) (Ohio, USA). Bizarro is the main advisor for the information system audit and control (ISAC) undergraduate and graduate programs at BGSU.
Andy Garcia, Ph.D., CPA, is an associate professor of accounting in the department of accounting and management information systems at BGSU. He has published articles in The CPA Journal and Internal Auditing.
Jacob Nix is a Master of Accountancy student at BGSU. Nix has interned at several public accounting firms including Ernst & Young, where he will begin work in the second half of 2013 in the audit practice.
Enjoying this article? To read the most current ISACA Journal articles, become a member or subscribe to the Journal.
The ISACA Journal is published by ISACA. Membership in the association, a voluntary organization serving IT governance professionals, entitles one to receive an annual subscription to the ISACA Journal.
Opinions expressed in the ISACA Journal represent the views of the authors and advertisers. They may differ from policies and official statements of ISACA and/or the IT Governance Institute and their committees, and from opinions endorsed by authors’ employers, or the editors of this Journal. ISACA Journal does not attest to the originality of authors’ content.
© 2013 ISACA. All rights reserved.
Instructors are permitted to photocopy isolated articles for noncommercial classroom use without fee. For other copying, reprint or republication, permission must be obtained in writing from the association. Where necessary, permission is granted by the copyright owners for those registered with the Copyright Clearance Center (CCC), 27 Congress St., Salem, MA 01970, to photocopy articles owned by ISACA, for a flat fee of US $2.50 per article plus 25¢ per page. Send payment to the CCC stating the ISSN (1526-7407), date, volume, and first and last page number of each article. Copying for other than personal use or internal reference, or of articles or columns not owned by the association without express permission of the association or the copyright owner is expressly prohibited.