Category Archives: Bring Your Own Device

Managing Disruption

Technology risks are evolving and changing so rapidly that it is more difficult for management to assess new fraud threats and to adjust its strategies to manage and mitigate them. Applications that use disruptive technologies, such as artificial intelligence, advanced robotics, 3D printing, blockchain, and the Internet of Things, are being designed quickly and often generate new high-growth markets. CFEs and other anti-fraud professionals are struggling to stay abreast of the most recent developments and to identify anti-fraud policies, procedures and controls that add value. Additionally, the exponential growth of computing power has enabled our client organizations to capitalize on the use of mobile devices and to leverage the ubiquity of the internet to reach their markets almost instantly.

While this is an exciting and challenging opportunity for marketers and business managers, it has injected new risk considerations for CFEs. Digitalization of data has created opportunities for knowledgeable investigators to improve their use of data analytics, use algorithms to facilitate cognitive intelligence, and to even create bot applications that perform automated fraud assessment tasks in real time. The essence of the risks and controls involved has not changed as much as the underlying technology. The new processes still need to adhere to organizational policies and procedures, change management practices are still a vital component in transitioning to new tools and processes, and system and access controls must continue to be enforced. However, some controls that were important in the past now take on a new level of criticality. Automated algorithms result in less transparency of the underlying process. When data is used and shared through these processes, accuracy and completeness become a necessity. An organization needs very specific controls to ensure a bot does not proliferate erroneous data. Anti-fraud focused information security and access control processes must treat the bot as if it were a person and only allow it access to appropriate data. Checks and balances must be integrated into the process to ensure the results are accurate, service level agreements are met, and contracts remain faithfully performed.

Advanced materials, 3D printing, and autonomous vehicles are other advances that are transforming the fraud prevention landscape. New businesses created by these technologies need to follow established governance processes and design fraud and abuse risk management and related internal controls into their business processes. As entirely new markets and products are developed, it is important that risk managers with fraud investigation experience are involved proactively from the outset. This blog has devoted several recent posts to blockchain technology. Blockchain is a distributed ledger that maintains a shared list of records. Each of these records contains time-stamped data that is encoded and linked to every previous transaction in that chain of transactions. The decentralized and distributed storage of these records provides visibility to everyone in the network and ensures that no single entity can change any of the historical records. While blockchain is already being used in numerous applications, most notably digital currencies, many other industries are exploring the technology. Banks are testing cross-border financial transactions, and there is much speculation about the potential to use blockchain to eliminate the middle man in real estate deals, routine contract management, stock purchases, and other similar transactions. If blockchain is effective at eliminating intermediaries, the new business model will expose all the transacting parties to new fraud risks that were previously being addressed by the middle man.

There are several ways CFEs can proactively help manage the effect of the fraud related aspects of disruptive technologies on their client organizations. By focusing on anti-fraud assurance, providing fraud scenario insight to management, and by demonstrating proficiency and expertise in innovative technologies, fraud examiners will be able to contribute significantly to the overall fraud prevention programs of our client organizations.

For many years organizations have been encouraged by economists to focus on what they do best. That is wise advice for the fraud examination profession, as well. By continuing to focus on governance, fraud risk, and preventative controls, CFEs can help ensure fraud prevention policies and processes are designed and operating effectively. Regardless of the nature or tempo of the changes, investigators will then be able to more effectively fulfill their mission. Moreover, proactively helping their organizations anticipate emerging fraud risks and technological changes can position fraud examiners as authorities and better prepare client organizations to better respond to disruptive events.

By aligning with the expectations of the profession’s key client stakeholders and working closely with those subject-matter experts who are implementing disruptive technologies from within and without, CFEs can remain focused on the most relevant and significant fraud prevention related issues.  For example, cybersecurity and data privacy are topics that every organization is managing. Identifying trends that will affect the organization, and collaborating with and providing insight to their stakeholders, can enable the CFE community to significantly affect the business agenda.  More than ever, fraud examiners must constantly pursue training to learn about recent technologies and the complex and emerging new risks being introduced into their organizations.  Additionally, chief investigators need to focus on developing an adaptive, flexible, innovative staffing model. This new model must tap into a highly specialized talent pool that has the technological competence to rapidly understand and leverage new tools, techniques, and processes.  Perhaps the most important thing CFEs can do to prepare for disruptive technological innovations is to embrace and leverage new technologies in their own work. CFE investigators need to be at the forefront of adopting artificial intelligence, cognitive computing, and smart robots.

All assurance professionals need to completely understand how technologies like blockchain work and how they can be used and analyzed in fraud investigations.  They must take advantage of machine learning and data analytics in their examination processes. Moreover, continuous fraud auditing should be the standard default for new review routines and real-time identification of fraud signatures and red flags should be a requirement as organizations implement new business processes.

In summary, the threat of disruptive technologies has arrived and will affect every organization regardless of its size or objectives. When Gordon Moore observed in 1965 that the number of transistors on an integrated circuit had doubled every year since transistors were invented, few thought that exponential growth would continue for more than 50 years. As computing power increases, technology becomes more mobile, data becomes more accessible and usable, and fraudsters capitalize on the opportunities that arise. Fraud risk managers will have to assess emerging threats consistently and continuously. CFEs will need to respond to emerging threats with new and better ways to perform our investigations and engage to redesign our own processes or face disruption ourselves.

Bring Your Own Device – Revisited

I was part of a lively discussion the other night, at the monthly dinner meeting of one of the professional organizations I belong to, between representatives of the two sides of the bring-your-own-device (now expanded into bring-your-own-technology!) debate. And I must say that both sides presented a strong case, with equally broad implications for the fraud prevention programs of their various employing organizations.

As I’m sure a majority of the readers of this blog are well aware, the bring-your-own device (BYOD) trend of enabling and empowering employees to bring their own devices (e.g., laptop, smartphones, tablets) evolved some time ago into ‘bring your own technology’ including office applications (e.g., word processing), authorized software (e.g., data analytics tools), operating systems, and other proprietary or open-source IT tools (e.g., software development kits, public cloud, communication aids) into the workplace.

On the pro side of the discussion at our table, it was pointed out that BYOD contributes to the creation of happier employees.  This is because many employees prefer to use their own devices over the often budget-dominated, basic devices offered by their company. Employees may also prefer to reduce the number of devices they carry while traveling; before BYOD, traveling employees would carry multiples of their personal and company provided devices (i.e., two mobile phones/smartphones, two laptops and so forth).

I myself must confess that I brought a personal laptop to work every day for years because it contained powerful investigative support software too expensive for my employer to provide at the time and because a vision problem made it difficult for me to use my desktop. I used my laptop almost daily although it was never connected to the corporate network, making it necessary for me to inconveniently move back and forth between the two devices.

Our bring-your-own device advocates then went on to say that implementation of a BYOD program can additionally result in a substantial financial savings to IS budgets because employees can use devices and other IS components they already possess. The savings include those made on the cost of purchase of devices by management for employees, on the on-going maintenance of these devices and on data plans (for voice and data services). These savings can then be utilized by the company to enhance its operating margins or to even offer more employee benefits.

Another of the BYOD advocates, employed in the IS division of her company, pointed out that her division was freed by the BYOD program from a myriad of tasks such as desktop support, troubleshooting and end-user hardware maintenance activities. She too agreed that, in her opinion, this saving could be best utilized by the IS division to optimize its budget and resources. She also pointed out that the popularity of BYODT is due, in part, to the fact that, in her experience, employees like herself adopt technology well before their employers and subsequently bring these enhancements to work. Thus, BYOD results in faster adoption of new technologies, which can also be an enabler for employees to be more productive or creative; a competitive advantage for their entire business. In addition, her right-hand table companion made the argument that employees can use their own, familiar device to complete their tasks more efficiently, as it gives them the flexibility to quickly customize their device or technology to run faster according to their individual requirements. By contrast, in the case of company-provided devices and technology, such tailoring and customization is often time-consuming, as individual employees have to provide proper cost justifications and then seek authorization through cumbersome and time-consuming change requests.

On the con side, the internal auditor at our table pointed out that by allowing employees to BYOD, the employers implementing the program have opened a new nightmare for their security managers and administrators and, hence, for their fraud prevention programs. The security governance framework and related corporate security and fraud prevention policies will need to be redefined and a great deal of effort will be required to make each policy efficiently operational and streamlined in the BYOD environment.

Of course, I then had to chime in and offer my two cents' worth that concerns related to privacy and data protection could be perhaps the biggest challenge for BYOD. In industries like health care and insurance that deal with sensitive and confidential data under strict Federal and State guidelines, such concerns would have to hinder any rollout of BYOD. Such enterprises will be compelled by law to tread cautiously with this trend. With BYODT, organizational control over data is blurred. Objections are also always raised when business and private data exist on the same device. Thus, this could certainly interfere with meeting the stringent controls mandated by certain regulatory compliance requirements.

Then our auditor friend pointed out that applications and tools may not be uniform on all devices, which can result in incompatibility when trying to, for example, connect to the corporate network or access a Word file created by another employee who has purchased a newer version.  And what about a lack of consensus among employees; some may not be willing or able to use their personal devices or software for company work.

After listening to (and participating in) the excellent arguments on both sides of the supper table, might I suggest that the still-developing trend and the very real benefits realized from BYOD suggest that the valid concerns (which this blog has certainly raised in the past) might best be considered normal business challenges, and that companies should address BYOD implementation by addressing these challenges. There are certainly steps (as the ACFE has pointed out) that can be taken to significantly reduce the risk of fraud.

First, establish a well-defined BYOD framework.  This can be done by soliciting input from various business process owners and units of the enterprise regarding how different areas actually use portable gadgets. This helps create a uniform governance strategy. Following are what many consider essential steps for creating a BYOD governance framework:

— Network access control:

  1. Determine which devices are allowed on the network.
  2. Determine the level of access (e.g., guest, limited, full) that can be granted to these devices.
  3. Define the who, what, where and when of network access.
  4. Determine which groups of employees are allowed to use these devices.

— Device management control:

  1. Inventory authorized and unauthorized devices.
  2. Inventory authorized and unauthorized users.
  3. Ensure continual vulnerability assessment and remediation of the devices connected.
  4. Create mandatory and acceptable endpoint security components (e.g., updated and functional antivirus software, updated security patch, level of browser security settings) to be present on these devices.

— Application security management control:

  1. Determine which operating systems and versions are allowed on the network.
  2. Determine which applications are mandatory (or prohibited) for each device.
  3. Control enterprise application access on a need-to-know basis.
  4. Educate employees about the BYOD policy.
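One way to turn the three control groups above into a repeatable check, as an added example that is not code from the original post or from the ACFE, is a posture evaluator that grants a personal device the lowest access level its failed controls allow; every policy value here (groups, OS versions, app names, patch age) is a constructed assumption.

```python
"""Evaluate a personal device against a BYOD governance framework.

Added illustration, not code from the original post or from the ACFE.
Policy values (groups, OS versions, app names, patch age) are constructed.
"""
from dataclasses import dataclass, field
from datetime import date


@dataclass
class Device:
    owner_group: str          # e.g. "finance", "contractor"
    os_name: str
    os_version: tuple         # (major, minor)
    antivirus_updated: bool
    patch_date: date          # date of the installed security patch level
    installed_apps: set = field(default_factory=set)
    browser_safe_mode: bool = True


@dataclass
class ByodPolicy:
    allowed_groups: dict      # group -> highest access level it may be granted
    min_os: dict              # os_name -> minimum (major, minor); absent = not allowed
    mandatory_apps: set
    prohibited_apps: set
    max_patch_age_days: int


ACCESS_ORDER = ["deny", "guest", "limited", "full"]

# Constructed policy mirroring the framework steps: who may connect, which OS
# versions are allowed, which apps are mandatory or prohibited, how current patches must be.
POLICY = ByodPolicy(
    allowed_groups={"finance": "full", "sales": "limited", "contractor": "guest"},
    min_os={"android": (13, 0), "ios": (16, 0)},
    mandatory_apps={"corp-mdm-agent"},
    prohibited_apps={"rooting-toolkit"},
    max_patch_age_days=90,
)


def downgrade(current: str, cap: str) -> str:
    """Lower an access level to `cap` if it is currently higher."""
    return cap if ACCESS_ORDER.index(current) > ACCESS_ORDER.index(cap) else current


def evaluate(device: Device, policy: ByodPolicy, today: date) -> tuple:
    """Return (access_level, findings). Hard failures deny; soft failures lower the ceiling."""
    findings = []
    # Network access control: is this employee group allowed to bring devices at all?
    ceiling = policy.allowed_groups.get(device.owner_group, "deny")
    if ceiling == "deny":
        return "deny", [f"group '{device.owner_group}' not authorised for BYOD"]

    # Application security: OS/version allow-list and prohibited/mandatory apps.
    min_version = policy.min_os.get(device.os_name)
    if min_version is None:
        return "deny", [f"OS '{device.os_name}' not on the allow-list"]
    if device.os_version < min_version:
        return "deny", [f"{device.os_name} {device.os_version} below minimum {min_version}"]
    banned = device.installed_apps & policy.prohibited_apps
    if banned:
        return "deny", [f"prohibited app present: {sorted(banned)}"]
    missing = policy.mandatory_apps - device.installed_apps
    if missing:
        findings.append(f"mandatory app missing: {sorted(missing)}")
        ceiling = downgrade(ceiling, "guest")

    # Device management: endpoint security components must be present and current.
    if not device.antivirus_updated:
        findings.append("antivirus out of date")
        ceiling = downgrade(ceiling, "limited")
    if (today - device.patch_date).days > policy.max_patch_age_days:
        findings.append("security patch level older than policy allows")
        ceiling = downgrade(ceiling, "limited")
    if not device.browser_safe_mode:
        findings.append("browser security settings below baseline")
        ceiling = downgrade(ceiling, "limited")
    return ceiling, findings


def demo() -> dict:
    """Run three constructed devices through the policy."""
    today = date(2024, 4, 1)
    compliant = Device("finance", "android", (14, 0), True, date(2024, 3, 1), {"corp-mdm-agent"})
    stale = Device("sales", "ios", (17, 1), False, date(2023, 6, 1), {"corp-mdm-agent"})
    rooted = Device("contractor", "android", (14, 0), True, date(2024, 3, 1),
                    {"corp-mdm-agent", "rooting-toolkit"})
    return {"compliant": evaluate(compliant, POLICY, today),
            "stale": evaluate(stale, POLICY, today),
            "rooted": evaluate(rooted, POLICY, today)}


if __name__ == "__main__":
    for name, (level, notes) in demo().items():
        print(f"{name}: {level} {notes}")
```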

Create a BYOD policy.  Make sure there is a clearly defined policy for BYOD that outlines the rules of engagement and states the company’s expectations. The policy should also state and define minimum security requirements and may even mandate company-sanctioned security tools as a condition for allowing personal devices to connect to company data and network resources.  As far as security polices over BYOD go, such requirements should be addressed by having the IT staff provide detailed security requirements for each type of personal device that is used in the workplace and connected to the corporate network.

So, BYOD provides numerous benefits to the business, the key ones being reducing the IT budget and the IT department's workload, faster adaptation to newer technology, and making employees happier by giving them flexibility to use and customize their devices to enhance efficiency at work. Of course, various challenges come along with these advantages: increased security measures, more stringent controls for privacy and data protection, and other regulatory compliance. These challenges provide a fundamentally new opportunity for innovation, redefining the governance structure and adoption of underlying technology. CFEs can add value to this entire challenge by ongoing review of the overall corporate approach to BYODT for its impact on the fraud risk assessment and overall fraud prevention program.

RVACFES May Event Sold Out!


On behalf of the Central Virginia Chapter and our partners the Virginia State Police and national ACFE, our Chapter officers would like to thank each of you, all our Chapter members and training attendees who made our May Event such a resounding success!  Taught by Liseli Pennings, Deputy Training Director for the ACFE, ‘Investigating on the Internet – Research Tools for Fraud Examiners’ presented a treasure trove of information for the effective utilization of hundreds of readily available on-line resources and tools to support every step of even the most complex fraud investigation and subsequent prosecution.

As the course makes clear, investigations today can be undertaken solely through the investigative resources a computer offers. But there are so many tools available to a fraud examiner beginning an online investigation that it can be difficult to sort out the applicable resources. By better understanding computer and Internet media, examiners can more efficiently conduct investigations and save valuable time and money. While fraud examiners can easily begin searching the Internet without a plan, they will benefit if they develop a strategy prior to conducting a search. Employing a focused search strategy can save time, maintain direction, and make better use of resources.

Liseli presented two analytical techniques designed to analyze the following in an investigative scenario:

SWOT Analysis

— Strengths
— Weaknesses
— Opportunities
— Threats

The SWOT methodology can help professionals achieve the goals of a due diligence investigation or when evaluating a company or person. SWOT is also suited for investigating a product, market, organization, or business venture. Additionally, investigations that entail comparing financial aspects to other companies or markets, such as analyzing one small business or cost in relation to the competition, can benefit from this type of analysis. If an investigator is conducting a search on an individual, it provides analysis into life aspects and characteristics of the person. This method can also be used to conduct a risk assessment that details what an organization can and cannot do, as well as alert the examiner to potential threats and opportunities.

CARA Analysis

Commonly used by law enforcement and private investigators to develop information on a subject, the CARA method analyzes:

— Characteristics
— Associations
— Reputation
— Affiliations

This type of analysis can be used to gain an understanding of an individual rather than a company.

Electronic evidence can change with usage and be altered by improper or purposeful mishandling and storage. Electronic evidence such as social media pages and blog posts can be deliberately removed or altered. Examiners should never assume that a website or post that was available one day will be there the next. Capturing information as it is found is essential because the subjects of an investigation often delete websites and social media profiles. Web pages can be preserved by selecting print screen and pasting the screen capture into a document. When possible, examiners should capture the time, date, time zone, or any other information that can prove when or where data was captured. Not doing so could lead to timeline inconsistencies and contradict alibis when used as evidence and could result in evidence being dismissed due to inaccuracies. It could also affect the examiner’s credibility and negatively impact the case if brought to trial.
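As an added illustration (not from the original post or the course), the record below ties a captured page to a SHA-256 digest and a time-zone-aware timestamp, then seals the metadata so that a later change to either the content or the record is detectable; the HTML, URL and examiner name are constructed placeholders.

```python
"""Tamper-evident record of a captured web page for an investigation file.

Added example, not from the original post. The page bytes, URL, examiner name
and capture time are constructed placeholders.
"""
import hashlib
import json
from datetime import datetime, timedelta, timezone

# Constructed capture: in practice this is the file saved from the browser or screen capture.
SAMPLE_HTML = b"<html><body><p>Posted by subject on 2019-02-14</p></body></html>"
SAMPLE_URL = "https://example.invalid/blog/post-42"   # placeholder, not a real site


def make_capture_record(content: bytes, url: str, captured_at: datetime, examiner: str) -> dict:
    """Record what was captured, when (with its UTC offset) and a digest of the bytes."""
    if captured_at.tzinfo is None:
        # A naive timestamp cannot prove when the capture happened; refuse it.
        raise ValueError("capture time must carry a time zone")
    record = {
        "url": url,
        "captured_at_local": captured_at.isoformat(),
        "captured_at_utc": captured_at.astimezone(timezone.utc).isoformat(),
        "utc_offset_minutes": int(captured_at.utcoffset().total_seconds() // 60),
        "sha256": hashlib.sha256(content).hexdigest(),
        "size_bytes": len(content),
        "examiner": examiner,
    }
    # Seal the record itself so edits to the metadata are detectable as well.
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    record["record_sha256"] = hashlib.sha256(canonical).hexdigest()
    return record


def verify_capture(content: bytes, record: dict) -> bool:
    """True only if both the content bytes and the sealed metadata still match."""
    body = {k: v for k, v in record.items() if k != "record_sha256"}
    canonical = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
    return (hashlib.sha256(content).hexdigest() == record.get("sha256")
            and hashlib.sha256(canonical).hexdigest() == record.get("record_sha256"))


def demo() -> dict:
    """Create a record, then show that changing the content or the metadata breaks it."""
    local_tz = timezone(timedelta(hours=-4))          # constructed offset (UTC-4)
    when = datetime(2024, 5, 3, 9, 30, tzinfo=local_tz)
    record = make_capture_record(SAMPLE_HTML, SAMPLE_URL, when, "examiner-placeholder")
    altered_page = SAMPLE_HTML.replace(b"2019", b"2020")
    altered_record = {**record, "url": "https://example.invalid/other"}
    return {
        "record": record,
        "intact": verify_capture(SAMPLE_HTML, record),
        "altered_content": verify_capture(altered_page, record),
        "altered_metadata": verify_capture(SAMPLE_HTML, altered_record),
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```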

When using public and paid-access databases to conduct research, it is important to determine the age of the information. If the date that the information was aggregated is not listed, examiners should look for other sources of information that do include dates.  Examiners must recognize that there are often delays in the reporting and dissemination of information from the sources used by these types of databases.

Some state or local databases might only compile information from certain cities or counties. Examiners who do not find the information they are looking for on a particular site might believe that the information does not exist or that the subject does not have an arrest record when in fact the jurisdiction in question is not included on that site or database. For this reason, it’s important to gain an understanding of exactly which jurisdictions a database covers and what type of information it provides. Determining how long the website or database retains information is also important. Some only retain information for a certain period of time (e.g., five, ten, or twenty years). Furthermore, many databases archive their records after a set number of years to allow faster searches on current information. In such cases, the examiners should search the archived database for information, try another source, or hire a service to conduct a manual record search at the local level. Examiners should avoid the assumption that a lack of records means that an incident did not occur when in fact the database simply might not have the records the examiners need.

Most websites and databases have disclaimers and disclosure statements that users should thoroughly review. Some public and paid databases contain disclosure statements informing users that the subject is notified when someone searches for their information. One such example is when credit header or certain background information is accessed online. The person to whom the information belongs is usually notified when searches pertaining to credit information are conducted with permission by an employer, but notifications can also be enacted when searching other databases for basic information. This could have a significant impact on an investigation. Disclosure practices vary from company to company and across various jurisdictions. It is crucial that examiners review all disclaimers, as they will often indicate when the database was last updated or caution that information is not always current or accurate. As such, all information found online should be corroborated for accuracy and all disclaimers should be read thoroughly. Another important legal aspect to consider regarding public and private databases is the dissemination clause, if one exists. Finally, there can be legal ramifications for disseminating third-party information to attorneys or courts, or for using information compiled from certain sources. Sometimes permission is required before disclosing information. Therefore, it is important to read all legal notices and consult an attorney if unsure how to proceed.

Again, our thanks go out to all for making this May event one of our most informative and successful ever!

To Have and To Hold

One of our CFE readers practicing abroad reports that he is currently investigating the transactions of a key executive of a financial subsidiary of a large U.S. based company and finding that many documents critical to his examination simply have not been retained anywhere on the firm's server farm; a problem much more common in our present e-world than many of us would like to think! The documents weren't on the servers simply because the firm's document retention policy (DRP) published to its employees isn't comprehensive enough to require them to be.

When our CFE's client firm policy was written, the primary electronic document type was in the form of e-mail files stored on company servers. But today, electronic records also include text messages, instant messages, voice mail, internet search histories, images on digital cameras, cell phones and tablets, and scores of differing file types stored on a myriad of personal devices and in the cloud. In this environment, the importance of the DRP, as a living document, is right up there with other critical documentation like that concerning access control and physical security. Each paper and electronic document type should be treated separately in the policy. Even in the case of e-mail, a technology that has been ubiquitous for two decades, our Chapter members report finding that retention practices are often spotty and messages sometimes difficult to search and retrieve. Rather than backing up all e-mails, for example, the policy might distinguish between an e-mail with an attached signed contract and an e-mail inviting staff to the office holiday party. In addition, e-mails often end up residing in numerous locations. Because real-time monitoring of individuals' personal computers would be impractical for any firm, a central electronic depository could be developed for contracts, tax returns, medical plans, pension statements, and other documents that have legal or regulatory holding limits. Also, all CFEs must be constantly alert to new communication means and be prepared to adopt investigative modifications to deal quickly with them.

We’re all familiar with the many problems involving legal discovery.  Such requests primarily deal with centrally located files, but certain types of lawsuits, such as hostile work environment or sexual harassment, can also require discovery of personal files. Because no client management staff is large enough to verify that all employees follow prescribed rules, companies must rely on regular training to inform employees and confirm their compliance with company retention policy. Companies can reinforce this training by taking appropriate disciplinary measures against anyone who violates the rules. This reinforcement, of course, is based on the assumption that the organization already has appropriate controls in place and an effective process to gather the necessary data to monitor employee compliance. In the present case, our CFE reports that none of these controls proved to be in place; their absence will likely result in any subsequent prosecution of the targeted fraudster being either extremely difficult or impracticable.

Also, instant messages, like those used by our CFE's executive target, illustrate the hidden complexity of contemporary document retention. Dealing with e-mail is relatively straightforward compared with the issues surrounding instant messages. Instant messages provide a convenient way to transmit text, audio, and live streaming video, often outside the firewalls and other safeguards of a company's main system, which creates greater technological and competitive risks. Of greater concern to CFEs should be the content of the messages. An instant message constitutes business correspondence; as such, the message is discoverable and must be included in any document retention plan. The organization should have an established plan for the recovery of the messages in their original form. The optimal time to formulate the plan is before legal action, not in the midst of it. Many organizations (again, like our CFE's client) have document retention plans covering only paper-based correspondence or e-mail; management of the content of instant messages is not addressed. In addition to instant messaging, individuals use text messaging, which takes place on personal devices like cell phones. If a company doesn't have an instant messaging system (IMS), it should consider acquiring one. An IMS allows message backup and access in case of discovery. Storing the instant messages and allowing access to them after the fact can help mitigate organizational liability exposure and close fraud vulnerability and security holes in the system. At a minimum, this would demonstrate some due diligence to outside stakeholders. The issue boils down to having a clear policy, both in terms of digital media use and its retention. The retention policy would involve purging instant messages once they reach a given age. Use policies might include random monitoring, an important deterrent for abuse and a valuable means to gather sample data about use.

So CFEs need to be aware that policy creation for present-day business communication technology is obviously much more complex and necessary than the document retention policies of the past. Past policies usually governed only workplace documents, whereas policies today also must govern documents that are generated and consumed on mobile devices away from the workplace. The document retention policies should include retention limits for each type of format. Employees should be trained and reminded of the policy and their responsibility to follow it. Targeted management reviews based on fraud risk assessments could be valuable and would reinforce the importance of following the policy. In addition to training employees to regularly cull e-mail and instant messages sent and received, Internet browser options should be set so cookies and images are purged when the Internet session is over and histories are discarded daily.
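As an added example, not from the original post, here is the kind of per-format retention rule set the two paragraphs above call for, with a legal-hold override (so nothing is purged once litigation is anticipated) and a "review" outcome for formats the policy does not yet cover; the retention periods, custodians and records are constructed.

```python
"""Per-format document retention policy with legal-hold override.

Added example, not from the original post. Retention periods, custodians and
records are constructed; real limits come from legal and regulatory requirements.
"""
from datetime import date, timedelta

# Constructed retention limits in days per format. None means retain indefinitely,
# e.g. an e-mail carrying a signed contract as distinct from routine e-mail.
RETENTION_DAYS = {
    "email": 365 * 7,
    "email_contract": None,
    "instant_message": 90,
    "text_message": 90,
    "voicemail": 30,
}


def decide(record: dict, today: date, holds: set) -> str:
    """Return 'hold', 'retain', 'purge' or 'review' for one record.

    record keys: id, format, created (date), custodian. `holds` is the set of
    custodians currently under a legal hold; a hold beats every retention limit.
    """
    if record["custodian"] in holds:
        return "hold"
    if record["format"] not in RETENTION_DAYS:
        # Unknown format means the policy has a gap; never purge silently.
        return "review"
    limit = RETENTION_DAYS[record["format"]]
    if limit is None:
        return "retain"
    age_days = (today - record["created"]).days
    return "purge" if age_days > limit else "retain"


def run_policy(records: list, today: date, holds: set) -> dict:
    """Group record ids by decision so the outcome can be reviewed before any purge runs."""
    out = {"hold": [], "retain": [], "purge": [], "review": []}
    for record in records:
        out[decide(record, today, holds)].append(record["id"])
    return out


def demo() -> dict:
    """Constructed records: one custodian (alice) is under a legal hold."""
    today = date(2024, 4, 1)
    records = [
        {"id": "im-1", "format": "instant_message",
         "created": today - timedelta(days=120), "custodian": "alice"},
        {"id": "im-2", "format": "instant_message",
         "created": today - timedelta(days=120), "custodian": "bob"},
        {"id": "em-1", "format": "email_contract",
         "created": date(2010, 1, 5), "custodian": "bob"},
        {"id": "vm-1", "format": "voicemail",
         "created": today - timedelta(days=10), "custodian": "carol"},
        {"id": "x-1", "format": "chat_export",
         "created": today, "custodian": "carol"},
    ]
    return run_policy(records, today, holds={"alice"})


if __name__ == "__main__":
    for decision, ids in demo().items():
        print(f"{decision:7s}: {ids}")
```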

Retention policies also should stress the appropriate and acceptable uses of company equipment. During company training, employees should learn that sharing inappropriate texts, audio, or video files is unacceptable, and they should clearly understand the consequences for not following company policy. Unfortunately, the delineation between work time and personal time is often blurred. With more employees being on call beyond the standard 40-hour work week, employers need to be sensitive to employees' needs to perform personal tasks while at work using corporate equipment, or to perform work-related activities with personal devices. Certain questions must be asked, however, such as: If an employee uses a personal device and maintains personal and business files separately, would the personal files be discoverable? Would discoverability depend on whether the device was personally or company owned? It could be assumed that if the employer owns the device, all records are discoverable. If the employee owns the device, privacy issues may come into play. Due diligence always demands that conservative guidelines be employed.

I recommended to our CFE reader that, in addition to consulting corporate attorneys and IT staff, he might consider providing management with recommendations about whether outside consultants are needed to help develop or modify a more up-to-date document retention policy. Also, because electronic data is often salvageable even after it’s been deleted, a computer forensic expert could provide valuable insights into both the development and implementation of a new policy. This expert would then have knowledge of the system and could provide assistance if the company is party to a lawsuit in the future. Contracting with a computer forensic expert on retainer allows the organization to receive regular feedback on changes in the state of the art in computing technology and best practices in the field. These experts are aware of the costs and burden of discovery under both poor and good retention policies, and they’re able to make recommendations that will save money should litigation arise.

Bring Your Own

A mention of the use of their own electronic devices by company employees in one of our recent Fraud in the News items prompted a reader to state in a comment that she was under the impression that a 'bring your own device' policy could be 'quite risky' for any company that implements one. Our reader is right in that many of today's personal devices are prone to security vulnerabilities. I remember reading in the trade press not long ago that more than half of all Android devices have security flaws that could be exploited by malicious applications to gain access to the data stored on them.

In addition, unsecured portable devices may be vulnerable to security exploits such as unauthorized carrier billing charges run up by cyber criminals, illicit sign-up for costly premium text messaging services, and installation of spyware that can steal sensitive data, including credit card numbers, e-mail account log-on credentials, on-line banking credentials, and contact list information. Another significant concern for organizations, one we’ve highlighted many times in this blog, is e-discovery litigation associated with storing company email and data on devices outside company control. Moreover, unsecured storage of sensitive customer information increases regulatory exposure.

So why do companies do it?  Among other benefits, the main reason seems to be that businesses can save significant outlays on overhead resources when employees are able to use their own smartphones, laptops, and tablets to do their assigned work.  Other related benefits accruing to the client company include:

– Easing overhead by eliminating the need to manage a service provider.
– Eliminating overhead needed to monitor usage and cost overruns exceeding contractual limits.
– Eliminating the need to manage and pay for service plans, individually managed calls, and data usage.
– Increasing employees’ productivity by enabling them to work when traveling or away from the office.
– Eliminating or reducing IT infrastructure resources and associated costs.
– Providing a recruiting incentive for prospective employees who want to use their own devices.

However, bring your own device programs can introduce data security, compliance, and privacy risks, such as data leakage when employees forward sensitive documents to unauthorized individuals or make them available through unsecured cloud file-sharing providers. To mitigate these concerns, fraud examiners should consider recommending that our client organizations put an effective bring your own device policy in place, including, if they can afford it, some kind of automated mobile device management solution. For our part, as part of our fraud risk assessments, CFEs should request and obtain technical support in evaluating compliance with the policy and assess the mobile device management system’s ability to provide multi-layered security, policy enforcement, and control across a variety of devices.

A mobile device management solution is a fraud prevention best practice that can enable your client organizations to manage employee-owned portable devices and enforce security policies remotely once employees have installed the software on their devices and agreed to the organization’s terms and conditions. Ideally, a mobile device management solution should strike a balance between providing enterprise security and preserving the employee’s user experience, convenience, and privacy. Indeed, some products can configure portable devices to have two separate logical “containers” that segregate business from personal data. This method permits the employee’s personal data to remain private while enabling the organization to control only the business container where the organization’s apps, data, and email reside.

So what security capabilities should CFEs expect the mobile device management system to support?

– Anti-malware and firewall policy. Mandates installation of security software to protect the device’s apps, content, and operating system.
– App/operating system update policy. Requires devices to be configured to receive and install software updates and security patches automatically.
– App-vetting policy. Ensures that only trustworthy “white listed” apps can be installed; blocks “black listed” apps that could contain malicious code.
– Encryption policy. Ensures that the contents of the device’s business container are encrypted and secured.
– PIN policy. Sets up PIN complexity rules and expiration periods, and prevents reuse of old PINs.
– Inactive-device lockout policy. Locks the device after a predetermined period of inactivity, after which a PIN must be entered to unlock it.
– Jailbreak policy. Prohibits unauthorized alteration of a device’s system settings configured by the manufacturer, which can leave devices susceptible to security vulnerabilities.
– Remote wipe policy. Erases the device’s business container contents should the device be lost or stolen.
– Revoke access policy. Disconnects the employee’s device from the organization’s network when the mobile device management system’s remote monitoring feature determines that the device is no longer in compliance.
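As an added illustration (not code from the original post or from any MDM product), here is a small Python compliance check that evaluates a constructed device inventory record against the policies listed above and applies the revoke-access rule; the record field names, thresholds, evaluation date and sample values are all assumptions.

```python
"""Added example (not from the original post): evaluate BYOD device records
against the MDM policies listed above. Field names, thresholds and sample
values are constructed assumptions, not any real MDM product's schema."""
from datetime import date
import hashlib

MAX_PATCH_AGE_DAYS = 30        # assumed update-policy threshold
MAX_INACTIVITY_MINUTES = 5     # assumed lockout threshold
MAX_PIN_AGE_DAYS = 90          # assumed PIN expiration period
APPROVED_APPS = {"mail", "calendar", "docs"}   # constructed "white list"
TODAY = date(2024, 3, 15)      # assumed evaluation date

def pin_hash(pin: str) -> str:
    # Only hashes of old PINs are kept, so reuse is detectable
    # without storing the PINs themselves.
    return hashlib.sha256(pin.encode()).hexdigest()

def new_pin_is_acceptable(pin: str, old_pin_hashes: set) -> bool:
    """PIN policy at change time: 6+ digits, not one repeated digit,
    not a straight run like 123456 or 654321, and not a reused PIN."""
    if len(pin) < 6 or not pin.isdigit() or len(set(pin)) == 1:
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    if steps in ({1}, {-1}):
        return False
    return pin_hash(pin) not in old_pin_hashes

def violations(device: dict, today: date = TODAY) -> list:
    """Return the name of every listed policy the device violates."""
    checks = [
        ("anti-malware/firewall", not device["antimalware_installed"]),
        ("app/OS update", (today - device["last_patch"]).days > MAX_PATCH_AGE_DAYS),
        ("app vetting", bool(set(device["installed_apps"]) - APPROVED_APPS)),
        ("encryption", not device["container_encrypted"]),
        ("PIN expiration", (today - device["pin_set"]).days > MAX_PIN_AGE_DAYS),
        ("inactive-device lockout", device["lockout_minutes"] > MAX_INACTIVITY_MINUTES),
        ("jailbreak", device["jailbroken"]),
    ]
    return [name for name, failed in checks if failed]

def should_revoke_access(device: dict, today: date = TODAY) -> bool:
    """Revoke-access policy: any violation disconnects the device."""
    return bool(violations(device, today))

# Constructed sample record: patched and encrypted, but jailbroken with a stale PIN.
SAMPLE_DEVICE = {
    "antimalware_installed": True, "last_patch": date(2024, 3, 1),
    "installed_apps": ["mail", "docs"], "container_encrypted": True,
    "pin_set": date(2023, 11, 1), "lockout_minutes": 5, "jailbroken": True}
```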

Clients that are too small or lack the funds to implement a fully operational mobile device management solution can still take steps to protect their data on employee mobile devices by:

– Setting the Bluetooth feature to non-discoverable mode or disabling it altogether if it’s not needed. This can protect against connections with other devices that could upload malware.
– Using a virtual private network (VPN) or secured website connection when accessing company email and data through a public Wi-Fi hotspot.
– Not forwarding company email messages to non-company computer systems, personal email accounts, cloud service providers, or file-sharing services, which may cause data leakage.
– Protecting against unauthorized observation of sensitive information in public places.

Furthermore, organizations should advise employees to consult their owner’s manual or seek assistance from their service provider if they are unsure of how to configure their personal devices for optimal security.

Several clients for whom I’ve worked have instituted an equitable employee reimbursement policy to compensate employees for work-related activities on their personal devices when such work is mandated by the organization. Employees are accountable for paying their monthly bill to their service provider because a contractual relationship exists between them, not the organization. Two popular compensation models to consider are a monthly usage stipend or expense reimbursement based on the percentage of use for business purposes. Regardless of the model used, CFEs should evaluate reimbursement practices to ensure controls are in place to prevent fraud or abuse, as well as to assess compliance with compensation policies.

Based on growth projections for the use of personal devices in the workplace and the associated risk, CFEs should consider the adequacy of existing client policies to protect proprietary and sensitive information. Moreover, it’s important for the overall fraud prevention program that mobile device use policies and practices comply with privacy and data security requirements imposed by applicable industry standards, laws, and regulations.