The use of personal mobile phones in order to access work email is a contentious issue. On the face of it there are a couple of really great advantages – namely a reduced cost to the employer and convenience for the user. We’re sure there are others.
The decision to allow users access to work data on their own personal device is one that each business must take; when you make this decision you walk the line between data security on the one hand and low cost and high convenience on the other.
As you might expect, our own view is that data security is more important than cost or convenience. Take a look at any decent cyber security policy and it will ensure that mobile phones and tablets are “in scope” when assessing your business's data security. Once they are in scope it is easy to poke holes in a weak policy. Consider the following sample requirements of a decent data security policy:
- Who influences and makes the purchase decisions for all handsets and are those people fully informed about the security capabilities and threats for each device?
- What is the make and model of each handset in use, which operating system and version does it run, and is there an up-to-date audit?
- Have all non-essential applications, services and user accounts been removed from each mobile in order to make it as secure as possible?
- Is the operating system and are all the applications in use on the device regularly patched for security problems and are these patches applied by the user?
- Is the device protected either by use of antimalware tools or by limiting applications to an approved and documented set?
- Is a strong password or other measure employed to ensure business data is not compromised after the mobile has been left unattended or power cycled?
- If a device is lost or stolen, or an employee goes rogue, are you able to remotely track or wipe the device to ensure your data is secure?
If you are unable to ensure your business data is consistently protected by these policies then your data is at risk. For these reasons our advice is to set policy against the use of personal mobiles for business data and have tools in place to ensure that some or all of the boxes above are ticked.
If you are not convinced by the security argument, consider this: employees who can switch off their work mobile at the end of each day can relax more easily and are likely to be happier and more productive. Checking emails in the evening, on the weekends, or especially on holiday never gives a member of staff the chance to fully disengage from work. Time spent away from work should be time to unwind and recharge; the constant checking of emails will risk employee burnout.