Do You Need a Mobile Devices Policy?

Smartphones have become a ubiquitous sight in public and in the workplace. IPads and tablets are similarly common now in the office. These are all examples of mobile devices, and more companies are making these devices available to their employees and allowing remote access to system servers.  Increasingly, employees have devices of their own, and expect to be able to use them at work.  Most agree that these mobile devices are an indispensable tool, and many argue that they could not imagine working or running a business without them. But few people – and perhaps fewer employers –realise  the potential hazard they hold in their hands.

In most cases, the explosion in the use of mobile devices has run well ahead of any attempts to limit or regulate it. A recent survey conducted by nCircle in the US showed that 71% of the companies surveyed had a mobile devices policy. ( A link to nCircle’s survey results is here.)  This figure looks pretty good until you realise that this was a survey of companies involved in the IT security industry! There aren’t many comprehensives surveys around, but we think that a similar survey carried out on a broader range of companies in Australia would produce alarming results, showing that relatively few have a mobile devices policy.

So what are the risks? And what can you do about them?

If you lost your phone, you might think about the loss of all of the contacts, phone numbers and other personal information on it. With other types of mobile device, this loss might be larger: you probably had larger amounts of personal data such as photos and movies stored on it. And given that the majority of people use mobile devices at work, it’s likely that you would lose this information as well. But the bigger risk can be appreciated when you realise that a mobile device can be a pocket-sized key to a company’s entire IT system.

Mobile devices are small, powerful and valuable to thieves and hackers because they can carry so much data in their own right as well as providing an entry-point to other data sources. What’s worse in terms of security, they’re mobile: a device can be used anywhere, undetected. A company smartphone left on public transport could:

• provide access to confidential emails and send emails that could damage the company’s relationships with other staff, customers and competitors
• provide access to commercially valuable information such as customer lists, price lists and costings, business plans, financial reports, tender documents and other sensitive material
• facilitate access to the company’s internal IT system to hack, steal or damage systems from the ‘inside’
• facilitate unlawful activity using company systems – or worse, by doing so in the name of the company
• provide unauthorised access to the company’s website or social media pages enabling significant damage to be done to the public face of the company.

It is worth noting that a well-written and implemented social media policy would necessarily cross reference other company policies. As noted above, employee use of social media via mobile devices presents many potential risks to a business or company, and these risks may primarily be dealt with under a social media policy .

It’s not the device – it’s the user

The issue is not any inherent security defect in the devices – the technology exists to secure devices adequately for most commercial purposes – but rather the danger lies in the way they are used. And this is why it is so important to have a mobile devices policy, so that employees understand the risks and how to avoid them.

Why have a policy?

Like any other workplace policy – eg an anti-discrimination policy, drug and alcohol policy or social media policy  – a mobile devices policy prescribes what an employee must and must not do.  A mobile devices policy can lock down the circumstances under which the company is willing to provide access to its valuable information: for example, by setting standards for the use of security measures and encryption on all devices, outlining the company’s expectations in terms of how employees should look after equipment, and what they should do in the event that a device is lost or stolen.

Policies provide for a transparent and consistent application of the company’s operational procedures. A policy is also a reminder to employees about the potential issues associated with mobile devices. And where employees fall short of the requirements, a policy provides for a disciplinary process which may include withdrawing access rights to company systems or even termination if the policy breach amounts to serious misconduct.

Author: Andrew Gordon For more information, please contact us at [email protected] It is intended as a guide only and does not replace specific legal advice.

BlandsLaw offers a comprehensive suite of workplace policies, including a Mobile Devices Policy and a Social Media Policy. If you have any questions about how policies can help your business, please don’t hesitate to contact us.