Jamie Herzlich Newsday columnist Jamie Herzlich

Herzlich writes the Small Business column in Newsday.

A seemingly harmless app downloaded onto an employee's phone may not appear to be a big deal.

But it can be, considering that nearly 40 percent of large companies aren't taking the right precautions to secure the mobile apps they build for customers, according to recent research from IBM Security and the Ponemon Institute.

This poses a risk when employees download apps -- whether to their work phones or to personal devices used for work -- that could provide a gateway for hackers to access user, corporate and customer data.

"Mobile apps are rapidly becoming the preferred attack vector, simply due to their prevalence and types of information they contain," says Caleb Barlow, vice president of security at IBM's security headquarters in Cambridge, Massachusetts.

Educate employees about the risks and put mobile device management systems in place, he advises.

Create an app policy

advertisement | advertise on newsday

According to the study, though most employees said they are "heavy users of apps," more than half (55 percent) said their organization doesn't have a policy that defines the acceptable use of mobile apps in the workplace. And 67 percent of companies allow employees to download nonvetted apps to their work devices.

Having a policy in place can help hedge risk, says Marc Schein, a risk adviser with Chernoff Diamond ... Co. LLC, a benefits and risk management advisory firm in Uniondale and a member of the Ponemon Institute's RIM Council, a research center dedicated to data protection, privacy and information security.

"It's understanding, identifying and quantifying what your exposures are," he notes.

Consider a BYOD -- bring your own device -- policy, to control employees' use of personal devices for work, Schein says, and create an incident response plan in case there's a data breach. Assess all potential entry points including apps, notes Schein. "It's an exposure that's there now," he says.

Make it part of the culture

Companies should incorporate data/mobile app security into their company culture, Schein says.

According to a recent report by Flexera Software and IDC, 61 percent of organizations haven't identified which app behaviors they deem risky and 55 percent haven't identified specific mobile apps that exhibit risky behaviors that would violate their BYOD policies.

"Risky behavior can vary from organization to organization," says Maureen Polte of Itasca, Illinois-based Flexera Software, a maker of licensing, compliance and installation software.

When considering an app, analyze its configuration settings and understand how it's interacting with your device and data (for example, is it pulling your location or accessing your contacts), she says. Flexera's AdminStudio is one product to help with that.

"Learn what these apps are doing so you can define what risk means to your organization and create policies based on where you set your risk acceptance," Polte says.

advertisement | advertise on newsday

Set up your own app store

Consider creating an enterprise app store with only approved apps employees may download, she suggests.

Kevin Edwards of Flexible Systems, a Hauppauge information technology firm, adds that employees should be taught to download apps only from designated stores (for example, the Apple store) and not from random sites. Also consider creating a "blacklist" of apps employees can't download, he says.

Mobile device management tools such as those offered by IBM and others can help separate corporate from personal data on mobile devices, Edwards says. It can "containerize" the data, so if hackers got in through an app on a personal device, they couldn't access corporate data, he says.