Cloud com­put­ing and smart phones — Has your busi­ness updat­ed its IP policy?

In Brief — Smart devices and IT policy

The increas­ing pro­lif­er­a­tion of smart devices pos­es a new secu­ri­ty risk for busi­ness­es. To deal with this risk, you may need to update your com­pa­ny’s IT pol­i­cy and ensure that it is implemented.

Use of smart devices in business

Most busi­ness­es are offer­ing either Black­ber­rys, iPhones or tablets such as iPads to employ­ees, either as part of the employ­ee’s remu­ner­a­tion pack­age, a sub­sidised employ­ee plan or sim­ply by allow­ing employ­ees to access their work email accounts via the device. These devel­op­ments cre­ate con­cerns for the integri­ty, secu­ri­ty and con­fi­den­tial­i­ty of busi­ness IT sys­tems in their use by both cur­rent and exit­ing employ­ees. A par­tic­u­lar vul­ner­a­bil­i­ty is also cre­at­ed when employ­ees upgrade their smart devices.

In addi­tion to email access, the bur­geon­ing mar­ket for infor­ma­tion sychro­ni­sa­tion and shar­ing appli­ca­tions for smart devices, such as Drop­box, Instapa­per, Ever­note and Quick­of­fice Mobile Suite, has fur­ther changed our notions of where the bound­aries of the office lie and what is required for effec­tive and secure doc­u­ment management.

Secu­ri­ty of your IT sys­tem and network

At a user lev­el, this comes back to the use of effec­tive pass­words. You must imple­ment a strong pass­word sys­tem for any device or net­work access and require your employ­ees to change the pass­word every quar­ter as a min­i­mum. A strong pass­word is one which con­tains a com­bi­na­tion of num­bers, upper and low­er case let­ters and spe­cial char­ac­ters like # or $. 

Phones and tablets that are lost or stolen need to be pro­tect­ed from unau­tho­rised access. You need to con­sid­er hav­ing the abil­i­ty to wipe or recon­fig­ure devices remote­ly, par­tic­u­lar­ly if they are lost or stolen.

What is cloud computing?

Cloud com­put­ing is ​“a means of access­ing a shared pool of con­fig­urable com­put­ing resources (includ­ing net­works, servers, stor­age appli­ca­tions and ser­vices) that can be rapid­ly pro­vid­ed, used and released with min­i­mal effort on the part of the users or ser­vice providers.” (Aus­tralian Acad­e­my of Tech­no­log­i­cal Sci­ences and Engi­neer­ing report: Cloud Com­put­ing: Oppor­tu­ni­ties and Chal­lenges for Aus­tralia (2010). The full report can be down­loaded from Vic­to­ri­a’s eGov­ern­ment web­site.)

A sim­ple exam­ple of use of a ​“cloud” is Drop­box (www​.drop​box​.com), which allows you to store infor­ma­tion by drag­ging and drop­ping files into a vir­tu­al fold­er held in ​“the cloud”. If you have a copy of the fold­er on each of your devices, such as work com­put­er, home com­put­er, iPad and smart phone, the fold­er will update auto­mat­i­cal­ly and the doc­u­ments can be accessed from each device. The fold­er can also be accessed by log­ging in to the web­site from any inter­net enabled loca­tion. This means that doc­u­ments can be accessed, stored, moved between mul­ti­ple devices and on-shared with third par­ties eas­i­ly and the busi­ness los­es con­trol over their dissemination.

IT pol­i­cy on appli­ca­tions that can be used for work purposes

Most inter­nal IT poli­cies allow for both per­son­al and work relat­ed use of the IT sys­tems. Pre­vi­ous­ly, tak­ing copy­right mate­r­i­al or con­tact lists from work com­put­ers required burn­ing a disk or copy­ing files to a USB stick. How­ev­er, today’s busi­ness­es which are con­sid­er­ing cloud com­put­ing to decen­tralise their doc­u­ment man­age­ment and back up sys­tems must keep in mind that they need to be able to con­trol and care­ful­ly trace exact­ly how their infor­ma­tion is being dis­trib­uted to a vari­ety of devices.

One exam­ple of a pru­dent response to this sit­u­a­tion is our fir­m’s own IT pol­i­cy, which states that at this stage, such cloud com­put­ing ser­vices can­not be used for busi­ness pur­pos­es on devices that our staff use to access the Swaab net­work. In view of our con­fi­den­tial­i­ty oblig­a­tions, we have decid­ed that we are not com­fort­able with the secu­ri­ty sta­tus of such work meth­ods and tech­nolo­gies at this stage of their development.

Secu­ri­ty of smart devices that are destroyed, sold or redeployed

Smart devices are a press­ing con­cern because of their capac­i­ty for stor­ing infor­ma­tion, includ­ing ​“delet­ed” infor­ma­tion. At the moment, con­sumers can recy­cle their devices, but what hap­pens to devices when they leave your con­trol? Have you restored the device to fac­to­ry set­tings, wip­ing the data? What hap­pens when an employ­ee leaves your employ­ment and takes their device with them?

All of these mat­ters and oth­er issues in iden­ti­fy­ing and inves­ti­gat­ing risks of the increased use of mobile tech­nol­o­gy for work pur­pos­es can be addressed by effec­tive, com­pre­hen­sive IT and com­mu­ni­ca­tions poli­cies. Such poli­cies need to be informed by your busi­ness prac­tices and must com­ple­ment them. What is cru­cial is that your IT pol­i­cy deals with and appro­pri­ate­ly man­ages the tech­nol­o­gy risks faced by your indus­try in gen­er­al and your busi­ness in particular.

If you need any advice in rela­tion to draft­ing an IT use pol­i­cy or need advice regard­ing the imple­men­ta­tion of new tech­nolo­gies, please con­tact us.