By Arley Turner
According to an article titled “Planet of the Phones” featured in the 2/25/15 edition of The Economist, by 2020 over 80% of adults will have a smartphone, and 80% of current smartphone users reach for their phones within 15 minutes after waking up. I am one of them. After waking up I immediately reach for my phone. I glance at the weather forecast, peruse the headlines, and check my favorite social media sites. I even check my work email, all before I get out of bed.
While checking work email from my personal device is super-convenient for me, are there security risks for my employer? Introduced in 2007, the iPhone has become the most used electronic device in the workplace. And while at first it was hard for criminals to hack into smartphones to steal valuable data assets, this is no longer the case. New smartphone malware is created every day, and the theft of data from your smartphone is a very real risk. The biggest problem is that the average user isn’t very concerned about the security risks associated with their handheld connection to the world. According to the article, “The Spy in Your Pocket,” featured in the same 2/25 edition of The Economist, “Consumers have learned the hard way that personal computers are vulnerable, but that realization has not yet sunk in for their phones. Smartphones use a single cable to charge their batteries and to transfer data. That means that plugging in to unfamiliar charging points can be a security risk.”
With too little concern about these security risks, employees at small and large organizations alike are often unsupervised in their use of personal devices for important nonprofit business. And if your organization permits the use of personal devices for organization business, your critical and confidential data may be carried on and wiped off these devices. This leaves it up to organizations to enact policies to help protect their data. These policies, commonly referred to as BYOD (Bring Your Own Device) Policies, are the best way for an organization to limit access to privileged information and applications. Here are a few tips on implementing a strong BYOD policy at your organization:
Don’t be Naïve – The first step is to stop naively believing that use of personal devices for work purposes is akin to a “free lunch.” Remind yourself that there is no such thing as a free lunch! While you’ve avoided the cost of purchasing smartphones for your staff, the cost savings may come with a surprising, hefty price tag in the form of exposure to data loss.
Set Clear Expectations – Many staff simply don’t realize the security risks associated with smartphones. By raising awareness about this issue as you develop and roll out a new BYOD policy, you’ll increase the likelihood of buy-in. As you develop your policy, be explicit about which organization information may, and which must never, be accessed on personal devices. For instance, you may allow employees to retrieve and send email messages from their phones, but strictly prohibit signing on to the human resources or donor databases, both of which may contain personally identifiable information (PII).
Enhance Security – Does your entity regularly encrypt data prior to sending it via mobile devices? Do you require employees to download additional anti-malware software to their personal devices? These are extra security steps you can take to help protect the confidential information and PII in your nonprofit’s possession. Also, consider whether it makes sense to install remote-wipe and GPS location-finding tools on employee-owned mobile devices. That way, if the device is stolen or lost, you can help find it and remove any data that could expose your entity to legal claims, or worse. Keep in mind that before taking these steps you should obtain written consent from the owner of the device.
The most important thing to remember with any BYOD Policy is that technology isn’t static: the technology landscape is always changing. Risks associated with smartphones today may be amplified when wearable technology becomes the norm. Remember that flexibility is an essential component of your BYOD policy. To minimize the risk of your policy quickly becoming dated, focus on security concepts, rather than naming specific devices in your policies.
For information about the Nonprofit Risk Management Center, visit https://nonprofitrisk.org/ or call 703.777.3504.