September 10, 2012
BY Teresa Thompson and Norah Olson Bluvshtein
IBM’s recent demand that its employees turn off Siri on their iPhones has stirred much debate. IBM feared that the iPhone’s voice-activated assistant, Siri, “who” uploads your queries and user data to Apple’s servers, could reveal confidential or sensitive business information. While the issue is perhaps a bit overhyped, even smaller companies can look at how IBM deals with employee use of personal smart phones and tablets while managing the complexity of corporate security.
Here are just a few of the lessons we can learn from IBM’s security policies.
Recognize and acknowledge that your employees will use their personal electronic devices for company use. Ignoring this trend may lead to corporate security breaches.
Understand that employee use of personal devices will not save the company money. The trend simply poses new challenges because personal devices are filled with software not controlled by the company.
Understand that your employees know next to nothing about electronic security. IBM surveyed its employees and found many employees were “blissfully unaware” of what popular apps did, and the potential security risk for each.
Establish guidelines about which apps employees can use and which to avoid. Do not let employees auto-forward company emails to personal email addresses or let them use their phones as Wi-Fi hotspots, which pose a potential for unauthorized intrusion and snooping.
Educate your employees as to why certain activities are inherently dangerous, and what harm may come to the company and its employees if there are unauthorized intrusions.
Treat each individual employee and their devices differently. The higher the risk, the more security protocols required on the smart phone or tablet. It is good practice to think about what risks are presented by different employees, and then develop standards for each group. To that end, standards that are well thought out and conveyed ultimately give your employees the tools to protect sensitive and secret information.
So how does IBM implement its policies? IBM requires each personal device be configured with appropriate security protocols before an employee can use it. If the device is lost or stolen, the IT department can then wipe or erase the device remotely. IBM’s IT department also disables public file sharing platforms and Siri. Disabling these services limits the potential for accidental distribution of sensitive or secret company information.
The concern over Siri arises from how Siri-launched searches, emails, and queries are stored on Apple’s servers, and for how long. Siri also collects other information—names of people from your address book and other unspecified data. While some believe that Siri is not spying on you—but simply “learning” from you—other experts are not so sure. What prevents Apple from trolling important corporate information from competitors, and using it to its advantage in developing new products and services?
In the end, employee-owned smart devices are here to stay. Your company’s IT department will ultimately need to address issues of security, privacy, ownership and the like. We recommend addressing these issues proactively rather than after suffering a major breach. Remember the adage about “an ounce of prevention.”
Authors: Teresa Thompson, Norah Olson Bluvshtein
Attorneys, Fredrikson & Byron
tthompson@fredlaw.com
nolsonbluvshtein@fredlaw.com