With many organizations providing services such as company email, address books and calendars to staff with smartphones, it’s worth considering how this affects you and what you should be doing for personal data protection.
When you link your smartphone to corporate services, it’s very likely that you’re pulling all types of information. Most connections also give IT admins some technical capability to look into your phone and have some control over how it works. In almost every case, the company also has the ability to remotely wipe your device — erasing everything on it, whether corporate or not.
All of this should be detailed in the corporate mobile security policy, so your first step in learning about personal data protection is to read it thoroughly. The important questions you want answered are:
- What obligations do you have to allow the company to “reach in” to your phone when you connect it to the network?
- What will the company do to your phone if you are fired or quit your job?
- What will the company do to your phone if it is lost or stolen? What obligation do you have to report loss or theft, and in what timeframe?
- Under what circumstances will the company wipe your phone? And what kind of remote wipe will they use?
- Who is responsible for backups of your phone, both company information and any personal information you might have?
If you don’t find answers to these questions in the mobile security policy, sit down with your IT manager and ask them. No matter who owns the device, there is a shared responsibility between you and your company to protect both the phone and the data on it.
Phone Wiping and Personal Information
When reading these policies, you’ll often see two terms: remote wipe and enterprise wipe. It’s important to know the difference. Remote wipe usually means a complete wipe of everything on your phone, including any inserted SD cards. That means your own and the company’s data.
An enterprise wipe is supposed to be more surgical: It wipes out only company data. For example, it would delete your corporate email profile and any stored corporate email, while leaving your personal email account untouched. Many companies prefer to use enterprise wipe where possible, but that’s far from a universal policy.
It’s generally true that, even if the company paid for and manages your smartphone, you will have some personal data on the phone. This can be as simple as a to-do list, or important as family photos and email. Your enterprise mobile security policy should cover personal data protection, and have a section that details what type of information is allowed on corporate-owned phones.
Protect Your Data
Obviously, the company cares about protecting their data on your smartphone. But you should also take specific steps to be sure that your own files are protected. Some of these will be easy. For example, your organization’s security protocol most likely already requires a PIN or biometric to unlock the phone, so you won’t need to configure that.
An important part of personal data safeguarding is backups. With Android devices, there are two main strategies that you can pick from based on how you use your phone: online and local backups.
If you use Gmail, the simplest approach is to use the built-in features in Android and Google Sync services to automatically backup most settings and data to the cloud. You’ll need to specifically enable backup of photos, but simply allowing your phone to use Google Sync covers a lot of bases quickly.
A variation in the online approach uses non-Google cloud-based services. If you don’t have access to Google, then you can find a different online service provider, download their client and backup files that way.
The alternative to online backup is local backups. With this method, you typically install a client, connect a USB cable between your phone and a desktop computer, and the entire phone is saved on your own computer. It’s a great strategy to get a complete snapshot of your phone, but it has a downside: You have to remember to do it, and when you want to do it, you have to be near your computer.
Keep Your Eyes Open
Guarding your personal information from loss or exposure is one thing; protecting it from an eavesdropper is another. If your company has installed a mobile device management (MDM) or enterprise mobility management (EMM) tool, you should be aware that they have the capability to monitor smartphone activity.
If you want to reduce this type of surveillance, Samsung Knox Workspace can help protect personal data. With its containerization technology, you can easily place a barrier between all professional work documents and personal photos or emails. Not only will this reduce security risks, but it can also make device management easier for enterprises, as they can simply oversee the work container.
Ultimately, enterprise IT managers care about their data on your smartphone first, and your data second — if at all. With any mobile device, keeping personal data safe needs to be your responsibility too.
Are unpatched security vulnerabilities worth the risk? Known issues can cost businesses big time; find out how organizations are changing the way they secure mobile devices to fight back.