Pokemon Go represents a tremendous security threat. As with all tremendous threats, it can also be your greatest opportunity.
I have to admit that Pokemon Go took me by surprise. I had no idea why people just told me they were going out for no apparent reason. Younger people were more blatant, but it was not until early this week that I realized that it was a phenomenon that was impacting the workplace.
People of all ages, including your coworkers, are playing at record rates. Most important, they are bringing the app into the workplace, and using it on cellphones that also access work related information. It is a significant security vulnerability.
That being said, it means that awareness programs are at the front and center to protect corporate assets. At the same time, you can also appear to be the champion for the workers. Security awareness might never be more welcome. Even if people think the app is “stupid”, frequently they have family members or other loved ones playing the game.
People hear about malicious apps spoofing the actual Pokemon Go app. They hear about the app tracking them and having access to all of their data. They hear about people being mugged and finding dead bodies. People are excited, but they are concerned. This is your time to shine.
All security programs, led by the security awareness team, should immediately create information about the security concerns, and what to do about them.
Clearly, there is a focus on mobile device security, but there are also issues concerning privacy, password security, and safety. For this reason, I recommend that you create tip sheets for distribution to all employees. Possible content to include would be:
- Ensure that you only download the official Pokemon Go app
- Ensure that your cellphone operating system is up to date
- As the app preferably uses Google accounts for authentication and tracking, consider creating a Google account just for that purpose
- Ensure that your password is strong
- Review app permissions, and remove as many permissions as possible
- Consider installing anti-malware software on your cellphone
- Be aware of the potential for crime
- Remain alert. Carelessness will cause more injuries than crime
- Never drive while playing the game
Most important, if your organization uses Google apps, clearly state that employees should never use their corporate account for Pokemon Go or any other games. You may want to provide references to additional resources for mobile device management, creating a strong password, and other relevant issues. Providing contact information for the security team would be welcome. In defining the additional resources, consider that many people may want to share the information with their friends and family, so avoid using links and resources that are only available on your intranets.
It is a unfortunately extremely likely that some of your employees will eventually compromise information due to downloading malware on their mobile devices. It is guaranteed that the productivity of many employees will be impacted by the game. You can warn people about these issues, but you do not have ultimate control of them. You can however take advantage of the situation, and seem like their protector, and more than their overseer.
Personally, I am impressed by the business success of the game. I am also impressed that the gamification success. Pokemon Go would be a considered a huge gamification success for corporate wellness programs given how it encourages people to exercise. A companion article will be published shortly that highlights the true gamification principles used in Pokemon Go, and how it differs than most self-proclaimed gamification programs.
From a security perspective, Pokemon Go, itself, is as security nightmare. It is a productivity nightmare. However, you can take advantage of the situation and use it to highlight the importance of practicing good security behaviors. Don’t let a great opportunity go to waste.
Ira Winkler, CISSP is president of Secure Mentem and can be contacted at http://www.securementem.com