This second blog posting examines the impact when law firms and companies have a BYOD policy, but fail to educate employees on how to protect mobile devices. It also examines the consequences of when mobile malware infects a personal mobile device and then jumps to the employers internal systems.
On average, most employees, whatever their field, are not particularly malware savvy, which means they are not up on the details of evaluating security on apps that they download. Typically these individuals do not have malware scanning technology on their mobile devices. Many companies today invest substantial resources in providing employees with robust anti-virus and malware scanning tools for their computers and information systems, but leave the employees’ mobile devices exposed and vulnerable to thousands of potential adversaries.
How, then, to protect against these potentially disastrous smartphones as avenues of information loss or internally directed malware? Most companies purchase anti-virus, anti-malware software for their computers. It seems logical, then, to extend that policy to mobile devices as well. Why not invest in protecting your employees’ devices? By extension, protecting employee devices provides insurance for the security of a company.
People bring their devices to work whether or not there is a stated policy in place, and whether or not they are able to actually do work on those devices. One solution is to mandate that every mobile device used by employees must have malware detection software installed. Of course, the solution is likely to require that a lawyer skilled in these issues review the policies, the underlying software agreements, and the privacy agreements involved with implementing this solution. It is critical that the lawyer advising any company has a firm grasp of the complex legal issues and the technologies to ensure a successful rollout.
Purchase mobile malware detection software and require employees to have this software installed and operational on their mobile devices. Educate them about the purposes and necessities of protecting themselves. If the first risk does occur – a company fails to sufficiently educate its employees or to enforce its BYOD-antivirus policies – a second threat can take place. In this example, an employee-owned Android device ends up getting infected with malicious malware over the weekend and the unknowing employee brings the device to work on Monday.
Maybe the employee turned off their antivirus program to save battery life, maybe they didn’t have one at all. Unfortunately, the end result is fairly worrying, because one infected phone in an unsecured BYOD workplace can serve as a vector of malware to the entire corporate network, as well as other BYOD devices. Malware can spread onto the network and infect multiple computers within the system, potentially stealing data, compromising systems, and crippling businesses until they are able to eradicate the issue. One possible solution is for a company to mandate malware protection software on every device.
It’s also important for the greater network to have malware and antiviral software, so that warnings will be raised if malware attempts to breach the system through an in-network device. Again, it is critical that the lawyer advising any company has a firm grasp of the complex legal issues and the technologies to ensure a successful roll-out. First, purchase mobile malware detection software and make sure it is deployed throughout the workplace; second, ensure that the internal company network is protected and that it is capable of raising an alert when a virus or malicious software attack occurs.
* By Daniel B. Garrie, the Senior Managing Partner at Law & Forensics LLC. He focuses on e-discovery, digital forensics, cyber security and warfare, data privacy, and predictive coding, and works with law firms, governments, companies, and non-profits around the globe.