5 Recommendations for Mobile Computing Devices in the Workplace

By Pat Morin, Risk and Business Advisory Principal, and Carl Chatto, Audit Principal
December 2011

They used to be big cell phones, connected to your car. Now they are mobile computing devices that can surf the web, send emails with attachments and store thousands of pages of documents. Earlier this year, the American Institute of Certified Public Accountants (AICPA) conducted its Annual AICPA Top Technology Initiative survey, and for the first time mobile devices broke into the top ten concerns, immediately going to No. 1.

In many cases, IT departments are struggling to keep up with user demands for mobile device access to work email and documents. Continued stories of hacks into corporate and government networks highlight the need for security at just the time when data is distributed over more devices. In addition, well-intentioned employees often forge ahead using their own mobile devices to access, send and store corporate data.

If you and your employees and co-workers use mobile devices for work-related matters, consider the following recommendations:

  1. Consider what types of mobile devices to allow and revisit that decision periodically. Many businesses have allowed BlackBerry phones for a while but are now considering whether to allow iPhone and Android phones. iPhones, iPads and Android phones are becoming more popular, but they have a different security protocol than BlackBerry. BlackBerry devices use built-in security features, as opposed to the separate apps used by Apple and Android devices. There are advantages and disadvantages to each type of mobile device that you and your IT department should consider as part of the periodic re-evaluation. All individual devices should be approved by the IT department before being allowed access to the corporate network.
  2. Consider what type of password protection is required for the devices: device specific or application specific. Also consider the number of failed password attempts allowed, how long a device may be inactive before the password must be re-entered, and the required password strength.
  3. Set up encryption, or remote wiping abilities, or both, for mobile devices. Implementing corporate control over mobile devices can help ensure that corporate data can be secured, even if a device is lost or stolen.
  4. Users should sign a device usage policy that spells out not only corporate and user responsibilities for data but also device usage and reimbursement policies. The policy should include examples of what to do in case the device is lost and should require users to keep software patches up to date.
  5. As you evaluate security matters, it might be worthwhile to give your mobile computing policies a good general review as well, covering who is allowed to have mobile device access to the corporate network, whether corporate ownership of mobile devices is preferred over employee ownership, and the overall costs of an existing program.

For more information, please contact Carl Chatto or Patrick Morin.