Uncertainty over the use of private mobiles for work is rife as banks request access to employees’ phones and authorities clamp down on documentation lapses.

It's time to look at where the dangers lie in using our personal phones for work after recent events, including J.P. Morgan's $200 million fine for not documenting conversations conducted on private mobiles, Credit Suisse asking to access employees’ devices and the Swiss army's military-wide switch from WhatsApp to Swiss-made messenger service Threema.

Yet, to pinpoint the danger to a single area is impossible.

«The combination of hardware, operating system and apps installed on our phones determines how safe our personal devices are,» Urs Kuederli, PwC Switzerland's cybersecurity and privacy lead, tells finews.com in an interview.

Banking Act Violation 

For someone who works in a bank «the sheer act of installing WhatsApp for example on an unprotected phone can pose more than just a data breach,» he says.

Given that the messaging service goes through a user’s entire phonebook and uploads all contacts – potentially including client contact information – to a server located abroad, installing the chat app can represent a violation of the banking act and banking secrecy laws.

The storage of data on U.S. servers, which U.S. authorities can access, was also the reason behind the Swiss Army’s recent decision to shift internal communication from WhatsApp to Swiss-based messenger service Threema, as «Tagesanzeiger» (behind paywall, in German) reported last week.

Practicality Vs. Security

«Companies should ensure that employees can split functionalities and data used privately from those used for business purposes, by using device management systems, such as Microsoft Intune, MobileIron or BlackBerry Work,» Kuederli says. These have so-called «container solutions».

«While these do not provide a one hundred percent guarantee, they offer a good balance between security and usability,» Kuederli adds.

There is also the option of carrying around two devices, one strictly for work and one for private use. While this might not be very convenient, it is more data-secure.

Privacy Vs. Security

It could also be the better solution for those Credit Suisse employees who find that giving their employer access to their mobile phones is an intrusion into their privacy, as the «Financial Times» reported last month. 

However, most of the Credit Suisse staff don’t use an additional work phone, but receive a monthly reimbursement to cover work calls on their personal mobile phones, the outlet wrote.

Lack of Standardization

Although the Swiss Financial Authority (Finma) prescribes that all communication related to securities trading or information with supervisory relevance must be recorded for two years, it leaves it up to the banks themselves to determine their own communication policies.

The financial watchdog monitors adherence to internal requirements, and if it finds that an individual has breached an employer's policies, it can take action against the bank as well as against the individual.

Extra caution is now required as Swiss companies revert to remote working.

Financial institutions have adapted their processes to the «new way of working» and improved their data security efforts since the first COVID-19 lockdown, yet «there are still lapses and the lack of standardization in the industry doesn’t help,» Kuederli says.