The first simple steps for Mobile Device Security By Paul HillPosted by Brad C. Johnson

Most companies have policies that restrict what applications employees can install on desktops and laptops. Also, most companies have implemented technology controls to help enforce such policies.

Fewer companies have implemented similar controls on company owned mobile devices. Within companies that have adopted a Bring Your Own Device (BYOD) strategy for mobile devices, only a small percentage have created documented lists of approved or prohibited applications that may be installed.  And, still fewer use MDM tools to enforce such decisions on employee owned devices.

A number of companies document some general guidelines regarding prohibited applications in their policies. Such guidelines are usually addressing specific risks including data leakage or loss, reputation damage, and liability due to copyright infringement although they are rarely explained to employees in this manner.

Many guidelines prohibit peer-to-peer file sharing apps including BitTorrent, uTorrent, and Limewire. Typically, guidelines will also dissuade employees from using consumer grade cloud storage services such as iCloud, Dropbox, SkyDrive, and Google Drive.

Unfortunately, few companies discuss additional applications that leverage cloud storage, or adequately educate employees about the risks of using cloud storage aimed at the consumer market.  This creates a situation where employees, seeking to optimize their productivity, will adopt an attitude of begging forgiveness later instead of seeking permission before proceeding.

Applications that provide synchronization services across devices typically use some form of cloud storage. The trend is that more and more applications are doing this.  In some cases it may be obvious, in other cases users may not be aware how and where data is being stored.

Here are examples of some applications that either use cloud storage, or leverage cloud storage to provide additional integration capabilities with other applications:  SketchBook Pro, WeatherPro, PDFpen, Keynote, iBooks, Camera+, Contacts, Onenote, JotForm, Evernote, Zapier, UberConference, KustomNote, Azendoo, LiveMinutes, FileThisFetch, QuickOfficePro, GimmeBar, IFTTT, InSync, AutoCad WS, Nivio, Balsamiq Mockups, SmartSheet, SugarSync, Hoccer, Dictadroid, and CloudOn.

Companies should also be aware that dictation services, transcription services, and systems that perform voice recognition typically store data on the vendor's servers.  The software developers creating these services value a large data set from a variety of speakers in order to tune, enhance, and improve their ability to perform speech recognition.  It has been widely reported that Apple retains voice queries submitted to Siri for up to two years, although Apple says that after six months it disassociates the voice clips from the data that can be used to associate the clips with the original device from which the query was submitted.

Examples of voice transcription, recording,  and voice recognition applications: Siri, Dragon for Salesforce, Dragon Dictation, PowerScribe 360, SpeakWrite Recorder, Evernote, Voice Assistant, ShoutOUT, UberConference, and Winscribe.

Many of the example applications in each category also provide facilities for easily forwarding information to social media systems including Facebook, Twitter, and LinkedIn.

Companies do need to know what applications their employees desire to use, how the applications will store or synchronize data, and evaluate the risk.