Anything that becomes suddenly popular tends to generate fear. Rock and Roll, microwaves, Donald Trump. Most recently it is the wildly popular mobile computer game Pokémon Go that is spurring concerns. The International Association of IT Asset Managers (IAITAM) has recently warned that the game should be banned from mobile devices used in business.
Usually, these fears are irrational. Pokémon Go is a case in point. Beyond its popularity, there is nothing particularly frightening about it. If your organization has a comprehensive, enforceable policy for software loaded on business devices, you should not be threatened. If you are making decisions on an app-by-app basis, you probably are going to lose this game.
Why Pokémon?
What is the concern over Pokémon Go? IAITAM head Barbara Rembiesa called the game “a nightmare for companies that want to keep their email and cloud-based information secure.” Why? “There are just too many questions and too many risks involved,” she said.
The risks, it turns out, boil down to the excessive permissions that originally gave the game’s developer, Niantic Labs, access to all Google profile information. Niantic said that was an error that has been corrected. There also are the risks of malicious pirated copies of the software and of “encouraging bad behavior,” i.e. downloading apps.
None of these concerns is specific to Pokémon Go. Excessive permissions are a problem with many apps, and before installing, users should check what each app wants access to. Most apps will have to be rejected because they are far too nosy. The same goes for pirated software and indiscriminate downloading. These concerns apply to all software, and organizations should have policies in place that address all software rather than relying on ad hoc decisions. If Pokémon Go is placed on a blacklist, the reasons should already be spelled out in an enforceable policy.
And be warned: “No” is not an enforceable policy. Workers tend to see blanket prohibitions as a challenge and will find ways around them.
What is “enforceable”?
Enforceable means that your policy should be reasonable enough that employees will be willing to go along with it. It has to be communicated to workers so that they understand it. Finally, the organization has to be willing and able to enforce it.
A reasonable policy recognizes the large and growing overlap between business and personal technology. It should be tailored to the security requirements and risk tolerance of the organization. An organization can expect to have stricter rules for company or agency-owned devices than for personal devices used on the job. But the idea of a strictly business-only device probably is not tenable for most organizations. Some leeway should be expected. Legitimate restrictions can be placed on personal devices that are allowed for business use, but these probably will be less strict.
Communication is key. Workers have to know, first of all, what the policy is, and secondly why it exists. They don’t necessarily have to agree with it (although that would help), but they have to be able to make informed decisions based on it. The policy shouldn’t be just a binder of legalese and boilerplate that an employee is handed when hired. It should be a living document, easily accessed, and top-of-mind.
A policy that is too complex, or not important enough to enforce, does no good. Being able to enforce it usually requires having the right technology in place. There are tools to scan and assess the status of devices connecting to the network, and to quarantine or restrict the access of devices that are out of compliance. There also are tools to partition devices to keep business and personal data separate.
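The two points above, checking every app’s requested permissions against a written policy rather than deciding app by app, and quarantining devices that fall out of compliance, can be expressed as policy-as-code. The following is an added illustration, not code from the article or from IAITAM; the device classes, permission names, app names and the inventory are all constructed, and real MDM products would feed the inventory in from the device.

```python
"""Policy-as-code compliance check for apps on business devices.

Added illustration. Device classes, permission names and the sample
inventory below are constructed; a real deployment would pull the app
inventory from an MDM agent and the permission lists from written policy."""
from dataclasses import dataclass

# Permissions tolerated per device class: stricter for company-owned
# devices, more leeway for personal devices used on the job.
ALLOWED_PERMISSIONS = {
    "corporate": {"internet", "camera", "location"},
    "personal": {"internet", "camera", "location", "contacts", "microphone"},
}
# Permissions never acceptable on any device that touches business data.
DENIED_ALWAYS = {"full_account_access", "read_sms"}


@dataclass
class App:
    name: str
    permissions: set
    signed_by_store: bool = True  # False: sideloaded, possibly a pirated copy


@dataclass
class Device:
    owner_class: str  # "corporate" or "personal"
    apps: list


def evaluate_app(app, owner_class):
    """Return the policy reasons this app violates; empty list if compliant."""
    reasons = []
    if not app.signed_by_store:
        reasons.append(f"{app.name}: not from an approved store (pirated/sideloaded risk)")
    for perm in sorted(app.permissions & DENIED_ALWAYS):
        reasons.append(f"{app.name}: requests prohibited permission '{perm}'")
    excess = app.permissions - ALLOWED_PERMISSIONS[owner_class] - DENIED_ALWAYS
    for perm in sorted(excess):
        reasons.append(f"{app.name}: permission '{perm}' exceeds {owner_class} policy")
    return reasons


def evaluate_device(device):
    """Decide 'compliant' or 'quarantine' for a whole device, with the reasons."""
    reasons = [r for app in device.apps for r in evaluate_app(app, device.owner_class)]
    return ("quarantine" if reasons else "compliant", reasons)


# Constructed inventory: the same game lands differently on each device class.
GAME = App("catch-em-all", {"internet", "camera", "location", "contacts"})
CORP = Device("corporate", [GAME])
PERSONAL = Device("personal", [GAME, App("cracked-game", {"internet", "read_sms"}, False)])

if __name__ == "__main__":
    for dev in (CORP, PERSONAL):
        print(dev.owner_class, *evaluate_device(dev))
```

The same game is quarantined on the corporate device for one excess permission but tolerated on the personal device, where only the sideloaded copy trips the policy; every decision carries the written reason, which is what makes it enforceable.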
Is Pokémon Go okay for you?
That’s your decision, of course. But that decision should be based on policy and not on panic. And remember, there’s no point in pissing off your workers any more than you have to.