Background
Summary:
Internet-enabled mobile devices are commonly used by people in a business environment to do business work, such as communicating with clients and co-workers involved in the same or similar projects.
Description:
Business-issued mobile devices are commonly used by employees and business associates in performing normal business functions. It can easily happen that a person is not aware of all the security policies and procedures, or perhaps the person makes a mistake in observing these security policies. Sensitive data may be exposed, or the business employer may become vulnerable, as a result.
Sometimes a user may carry only one mobile device which is used for both business and personal use. Even if this does not violate company policy, it may involve security risks.
Risk – How Can It Happen?
There are a number of possibilities that may lead to these situations, as follows:
- Lack of a security policy for the organization
- Lack of awareness of existing security policies
- Forgetfulness or other error on the part of the user
- Complacence, and the notion that “nobody will hurt us”
- Pressure from work schedules or from management, and the need to rush through things
The list is not necessarily complete.
Example of Occurrence: Scenarios
Helena works remotely and commonly uses the mobile device issued to her to conduct client meetings and access the customer database. She is on the go a lot, and instead of using the secure 4G network issued by the company, she often uses whatever open-access Wi-Fi network is available, such as at a Starbucks.
There is no company policy against the personal use of company mobile devices. She knows it is against company policy to download applications, such as games, that have not been approved by the IT department. She has done this in violation of the policy, but she only plays the games at work.
Answer the following questions:
Question 1:
The company has issued Helena the mobile device to work remotely to interact with clients and access the database. Is this the right thing to do?
A. No, the company should require her to be at her desk inside the firewall.
B. It is acceptable to do client meetings remotely, but database access has to be secured.
C. Considering that the company has issued her this device, they expect her to use it remotely provided she follows security procedures.
D. There is no problem. There is no need to be paranoid.
Question 2:
Is it all right for Helena to use the company-issued mobile device on an open-access network that is not password protected?
A. Absolutely not. Even if she does not access clients and client data, she is possibly exposing the device and the data it contains to other users.
B. She could be doing personal work, just not access any secure company data.
C. It is all right if she does it quickly. Keeping the connection open a long time could be risky.
D. Some people are so paranoid. The only people in Starbucks are coffee lovers, not snoopers.
Question 3:
Is it all right for Helena to be downloading games that have not been approved by the IT department?
A. It is quite all right to download the games, but she should not be playing them at work.
B. There is nothing wrong with downloading the game as long as she is playing within the security firewall.
C. Everyone needs to relax with games. This is an example of an improper security policy.
D. It is very wrong for her to disregard the security policy and the IT department. Games can come with spyware or malware. This is the big concern, bigger than her playing games at work.
Sample Solution