Apps that seem harmless can hurt your organization’s security.
Educating employees about cybersecurity isn’t a one-and-done proposition. As hackers and cybercriminals get more sophisticated, even the most conscientious organizations and workers can fall prey. Take the recent situation with FaceApp, a popular mobile application that can transform faces in photographs to make them appear older, younger, etc. It sounds innocent enough, and it quickly became a hot item in the Apple and Google stores. However, it wasn’t long before privacy experts sent up red flags. Not unlike some other apps, FaceApp has the ability to share information from your phone with others. As this can be concerning—even devastating—in an industry where privacy is essential, now is a good time to remind your employees that innocent fun can mean lost privacy and serious problems.
According to Geoffrey A. Fowler, a Washington Post technology columnist, there are five basic questions consumers (such as your employees) should ask about any app or service they download or access, particularly when the application requests or requires personal information. These questions are:
1. What data do they take?
2. How long do they hold on to your data?
3. What are they doing with your data?
4. Who has access to your data?
5. How can you delete your data?
It is important to have company-wide policies and standards for employees to keep them from downloading apps that put your organization’s privacy at risk. A few steps can help:
· Work with your IT people to enact mobile device management solutions. Determine the extent to which mobile devices will be permitted for business purposes and how they will (and will not) be used. Limit access to certain applications and implement encryption and password management, as well as remote wipe and lock features.
· Train and train again. Training isn’t a one-time activity. Make sure employees understand the potential for damage when they download a new app. Consider putting restrictions on app downloads for company mobile devices, limiting downloads to apps available from a specific organization-approved list or store.
· Consider developing your own apps. This may or may not be possible; but if you do it, do it right. Avoid problems or gaps such as insecure data storage, weak controls, poor authorization/authentication, and broken cryptography.
· Make security audits a regular thing. Conduct regular security audits that include evaluation of your mobile infrastructure, assessing security of mobile devices and apps, and evaluation of any gaps between current policies and best practices.
Clearly, it is important to ensure that employees understand the urgency of cybersecurity and the importance of their role in preventing hacks and privacy breaches. However, be careful not to create a culture of fear in which people are afraid to admit a mistake (such as downloading a new app or opening a phishing email). When errors are made, focus on correcting them and on ensuring that employees have the knowledge and training to avoid similar situations in the future.