Greatest Threat to Enterprise Mobility: Employee’s Children

When you were in high school or college, your list of life goals probably did not include “navigate the Sandwich Generation phenomenon successfully.” If it did, you are a genius and we need to talk. For the rest of us, we had zero preparation for the moment of epiphany when we realized we were a card carrying member of the Sandwich Generation.

For me, the moment was when I sat with my mom and showed her how to use the iPad 2 for the first time. She was hesitant to interact with the iOS interface and every action she made was with extreme caution. Conversely, the first time my son was introduced to an iPad, at roughly 18 months old, he showed no inhibitions and started switching screens and moving icons with zero instruction.

As children get older and more adept at navigating mobile operating systems and various apps, they can also get themselves into some trouble. If you have a child, you have most likely experienced an “unauthorized” App or In-App purchase (thank you Freemium Apps). "Unauthorized" in this sense means that you, as a parent, did not give your child permission to make the App or In-App purchase. One example involves a seven year old that ran up a $400 In-App Purchase bill.

With Bring Your Own Device (BYOD) policies now becoming the norm within organizations, unauthorized App and In-App Purchases occurring on your employee’s smartphones and tablets is just the beginning of potentially unwanted activity involving an enterprise connected device. An unintended consequence of BYOD policies is that organizations are unwittingly allowing employee’s children to access the data contained on BYOD devices.

While children may not have malicious intent, they can expose your company to additional threat vectors that your employees may not typically expose enterprise and customer data to. For example, you provide information security awareness training so your employees understand that not all Apps found in an App Store or App market place can be trusted. But what about the employee’s children that can (and do!) download everything and anything because it just may be the next Angry Birds? We have seen Apps that are designed to obtain access to and remove data from a smartphone.

From a technical perspective, one solution to other individuals beside an employee having access to a BYOD sanctioned smartphone would be for an organization to deploy a Mobile Device Management (MDM) solution that includes the capability to sandbox (or isolate and protect) corporate data from personal data. Several products exist on the market today that includes such a capability. Other products are also available that provide sandbox environments that do not fit into the general MDM category, one example being RoverApps. RoverApps allows employees to leverage BYOD devices, while providing a secure means for the enterprise to deploy and manage Apps while ensuring the sensitive information related to the specific App and related back-end enterprise system is secured.

And what about teaching your children appropriate use of today’s technology, such as iPhones, Android devices, iPads, tablets, and gaming systems? In 2007 I started the 501c3 non-profit Savvy Cyber Kids to create educational materials for parents and teachers to utilize to teach their young children (ages 3 & up) safety and appropriate use before kids use the technology of today. So snuggle-up with you children and read The Savvy Cyber Kids at Home: The Family Gets a Computer and The Savvy Cyber Kids at Home: The Defeat of the Cyber Bully. Give your kids the head-start in today’s world you know they deserve. And don’t forget to get a copy for your child’s preschool or Prep-K classroom.

So, while you may not need to be as worried about your employee’s parents having free reign over an enterprise-connected smartphone or tablet, you do need to consider the impact of their children’s access to organizational and customer related data on a BYOD device.

Twitter - @benhalpert @savvycyberkids

Facebook - Savvy Cyber Kids

Youtube.com - SecExecCybrHero4Kids

Savvy Cyber Kids Homepage - SavvyCyberKids.org

Update Urged on Children’s Online Privacy

Aiming to catch up with fast-churning technology that touches children’s lives every day, the Federal Trade Commission on Thursday proposed long-awaited changes to regulations covering online privacy for children.

The Children’s Online Privacy Protection Act, or Coppa, was enacted over a decade ago, long before the advent of social media and smartphones. It requires companies to obtain parental consent before collecting any personal information about a child under the age of 13.

The proposed revisions expand the definition of “personal information” to include a child’s location, along with any personal data collected through the use of cookies for the purposes of targeted advertising. It also covers facial recognition technology. Web sites that collect a child’s information would be required to ensure that they can protect it, hold onto it “for only as long as is reasonably necessary,” and then delete the information safely.

The F.T.C. also suggested that parental consent should no longer be obtained through a two-step e-mail and authorization process, but through alternate methods, like getting scanned versions of signed consent forms and videoconferencing.

The commission said revisions to the law were required in light of “an explosion in children’s use of mobile devices, the proliferation of online social networking and interactive gaming.” Its chairman, Jon Leibowitz, described children as “tech-savvy, but judgment-poor.”

Parental dilemma: Whether to spy on their kids

For many parents, one of the toughest decisions is whether to spy on a child's computer and cell phone activity. It's common for some children to send more than 100 text messages a day, and a recent Associated Press-MTV poll found that about one-quarter of teens had shared sexually explicit photos, videos and chat by cell phone or online.

Walsh, the Minneapolis psychologist, says the best initial step for parents concerned about online risks is a heart-to-heart talk with the child, with monitoring used as a contingency measure only if there's clear justification.

"If it does make sense to use some spyware, I would never do that in secret way," said Walsh, whose own three children are now adults. "Tell your children you'll check on them from time to time. Just that knowledge can be effective."

Mary Kozakiewicz disagrees, saying deployment of spyware must be kept secret.

"You can't let them know it's there, or they'll do it at a friend's house," she said.

Indeed, one of the challenges for some parents is a technology gap — their children may have more savvy about cyberspace and an ability to thwart various spyware tactics.

Children should be taught importance of
privacy in mainstream education, ICO says

The Information Commissioner's Office (ICO) said that it was important for children to learn about data privacy and freedom of information (FOI) rights, and that both "should be embedded in the formal education process".

The ICO is responsible for ensuring organisations comply with UK data protection laws, FOI laws and regulations on privacy and electronic communications. It said that it was imperative that children learned about privacy after revealing the details of research into the use of social networks by students.

A survey of more than 4,000 young people showed that 88% of secondary school students and 39% of primary school pupils have a social networking site profile, the ICO said. Most respondents had not read the sites' privacy policies, almost a third did not know what one was, and nearly a quarter said they did not know where to find the information, it said.

"Young people today are growing up in an age where an ever increasing amount of information is held about them," Jonathan Bamford, head of strategic liaison at the ICO, said in a statement. "It is vital that they understand their privacy rights and how to exercise them.