Cloud computing and smart phones — Has your business updated its IP policy?
In Brief — Smart devices and IT policy
The increasing proliferation of smart devices poses a new security risk for businesses. To deal with this risk, you may need to update your company’s IT policy and ensure that it is implemented.
Use of smart devices in business
Most businesses are offering either Blackberrys, iPhones or tablets such as iPads to employees, either as part of the employee’s remuneration package, a subsidised employee plan or simply by allowing employees to access their work email accounts via the device. These developments create concerns for the integrity, security and confidentiality of business IT systems in their use by both current and exiting employees. A particular vulnerability is also created when employees upgrade their smart devices.
In addition to email access, the burgeoning market for information sychronisation and sharing applications for smart devices, such as Dropbox, Instapaper, Evernote and Quickoffice Mobile Suite, has further changed our notions of where the boundaries of the office lie and what is required for effective and secure document management.
Security of your IT system and network
At a user level, this comes back to the use of effective passwords. You must implement a strong password system for any device or network access and require your employees to change the password every quarter as a minimum. A strong password is one which contains a combination of numbers, upper and lower case letters and special characters like # or $.
Phones and tablets that are lost or stolen need to be protected from unauthorised access. You need to consider having the ability to wipe or reconfigure devices remotely, particularly if they are lost or stolen.
What is cloud computing?
Cloud computing is “a means of accessing a shared pool of configurable computing resources (including networks, servers, storage applications and services) that can be rapidly provided, used and released with minimal effort on the part of the users or service providers.” (Australian Academy of Technological Sciences and Engineering report: Cloud Computing: Opportunities and Challenges for Australia (2010). The full report can be downloaded from Victoria’s eGovernment website.)
A simple example of use of a “cloud” is Dropbox (www.dropbox.com), which allows you to store information by dragging and dropping files into a virtual folder held in “the cloud”. If you have a copy of the folder on each of your devices, such as work computer, home computer, iPad and smart phone, the folder will update automatically and the documents can be accessed from each device. The folder can also be accessed by logging in to the website from any internet enabled location. This means that documents can be accessed, stored, moved between multiple devices and on-shared with third parties easily and the business loses control over their dissemination.
IT policy on applications that can be used for work purposes
Most internal IT policies allow for both personal and work related use of the IT systems. Previously, taking copyright material or contact lists from work computers required burning a disk or copying files to a USB stick. However, today’s businesses which are considering cloud computing to decentralise their document management and back up systems must keep in mind that they need to be able to control and carefully trace exactly how their information is being distributed to a variety of devices.
One example of a prudent response to this situation is our firm’s own IT policy, which states that at this stage, such cloud computing services cannot be used for business purposes on devices that our staff use to access the Swaab network. In view of our confidentiality obligations, we have decided that we are not comfortable with the security status of such work methods and technologies at this stage of their development.
Security of smart devices that are destroyed, sold or redeployed
Smart devices are a pressing concern because of their capacity for storing information, including “deleted” information. At the moment, consumers can recycle their devices, but what happens to devices when they leave your control? Have you restored the device to factory settings, wiping the data? What happens when an employee leaves your employment and takes their device with them?
All of these matters and other issues in identifying and investigating risks of the increased use of mobile technology for work purposes can be addressed by effective, comprehensive IT and communications policies. Such policies need to be informed by your business practices and must complement them. What is crucial is that your IT policy deals with and appropriately manages the technology risks faced by your industry in general and your business in particular.
If you need any advice in relation to drafting an IT use policy or need advice regarding the implementation of new technologies, please contact us.