About a month ago, online media outlets were all aflutter about IBM’s demand that its employees turn off Siri on their iPhones. IBM feared that the iPhone’s voice-activated assistant, “who” uploads your queries and user data to Apple’s servers, could reveal confidential or sensitive business information. While I agree this is a potential problem, and admit that I now rarely use Siri, I think the media hype missed a much bigger point – IBM’s disclosure provides an outstanding opportunity to analyze how this Fortune 500 company deals with employee use of personal smart phones and tablets while managing the complexity of corporate security. So, let’s dig a little deeper!
In the MIT Technology Review article “IBM Faces the Perils of ‘Bring Your Own Device’”, Jeanette Horan, IBM’s Chief Information Officer, described what actions IBM took when it started to let employees use their personal smart phones and tablets for work purposes. While IBM still furnishes a staggering 40,000 BlackBerrys to a small segment of its employees, some 80,000 workers reach internal networks using other types of smart phones and tablet devices. Here are just a few of the lessons we can learn from IBM’s security policies (we are happy to see that they mirror the advice we provide to our clients during seminars on information security!):
Recognize and acknowledge that your employees will use their personal electronic devices for company use. Ignoring this trend may lead to corporate security breaches, and the potential for lost information and money.
Understand that employee use of personal devices will not save company money. Companies will spend as much or more on IT security than the cost of company owned smart devices. The trend simply poses new challenges because personal devices are filled with software not controlled by the company. (See our post: And Yet Another Security Risk to Mobile Devices … Malware).
Assume that your employees know next to nothing about electronic security. IBM surveyed its employees and found that many were “blissfully unaware” of what popular apps did and of the security risk each one posed. (What would a survey of your employees reveal?)
Establish guidelines about which apps employees can use and which to avoid. IBM developed a list of banned applications and tried to ensure that employees understood why these products are dangerous to internal corporate security.
Do not let employees auto-forward company e-mails to personal e-mail addresses. IBM’s survey also revealed that employees violated protocols by automatically forwarding their company e-mails to public Web mail servers or by using their phones as Wi-Fi hotspots, both of which open the door to unauthorized intrusion and snooping.
Educate your employees as to why certain activities are inherently dangerous, and what harm may come to the company and its employees if there are unauthorized intrusions.
Treat each individual employee and their devices differently. IBM created 13 different personas for the different types of employees it has, and then matches each employee to a persona. The higher the risk, the more security controls are required on the smart phone or tablet. While most companies don’t need 13 different personas, it is good practice to think about what risks are presented by different employees and then develop standards for each group. Maybe your company only needs three or four personas. Well thought-out, clearly conveyed standards ultimately give your employees the tools to protect sensitive and secret information.
So how does IBM implement its policies? IBM requires that each personal device be configured with the appropriate security settings by its IT department before an employee can use it. If the device is lost or stolen, the IT department can then wipe or erase the device remotely. IBM’s IT department also disables public file sharing platforms and Siri (and now we come back to Siri). Disabling these services limits the potential for accidental distribution of sensitive or secret company information.
Now what about Siri? The concern over Siri arises from how Siri-launched searches, e-mails, and queries are stored, and for how long. According to Apple’s iPhone Software License Agreement: “When you use Siri or Dictation, the things you say will be recorded and sent to Apple in order to convert what you say into text.” Siri also collects other information – names of people from your address book and other unspecified data. But why does Apple want this information? Apple won’t say. The user agreement simply says: “By using Siri or Dictation, you agree and consent to Apple’s and its subsidiaries’ and agents’ transmission, collection, maintenance, processing, and use of this information, including your voice input and User Data, to provide and improve Siri, Dictation, and other Apple products and services.”
While some believe that Siri is not spying on you but simply “learning” from you, other experts are not so sure. What prevents Apple from trawling important corporate information from competitors and using it to its advantage in developing new products and services? Nothing. The sky may not be falling, but it is a little naïve to believe that corporate spying and espionage do not exist.
In the end, employee owned smart devices are here to stay. Your company’s IT department will ultimately need to address issues of security, ownership and the like. As I like to remind people, it is much better to address security issues proactively rather than after a major breach. So, does your company need to review its mobile device policies or start by at least implementing some?