Employee Cell Phone Policies: Reducing Cyber Risk and Factors to Consider

Recently, I had the opportunity to review the International City Manager’s Association (ICMA) webinar regarding Employee Cell Phone Policies.  A few things stood out to me that are worth sharing here for you to consider in your own public and private organizations. One of the most critical areas that is often overlooked is cyber security. The webinar was produced by Baker Tilly Virchow Krause LLP for ICMA in 2016 with speakers Kyle O’Rourke and Allison Lemay.

Cell phones are not new technology, so why is this important now? The model cell phone policy is one of the most downloaded documents from ICMA’s website; however, it was developed in 2006. In 2006, the leading cell phone technologies were the Blackberry Pearl, the Motorola RAZR, and the HTC TYTN 100. None of these are the smartphones of today, and they do not come close to the access or capability of the Android and Apple smartphones many of us use. Therefore, the policy did not contemplate many of the functions our phones are now capable of, or the much broader information and applications today’s phones can access.

This brings us to cyber security. Increasingly, we are providing our employees with access to smartphones and tablets so they can do more in the field, or as a work-life balance benefit so they can work more flexibly from home. It is worth stepping back and doing a data inventory of the systems and information our employees will be accessing from these devices, with particular attention to high-risk data. High-risk data can include, but is not limited to, personally identifying information for our citizens and employees, health department information, critical infrastructure systems management, banking, and credit card information.

In larger municipalities, it is more likely that these systems will be accessible on mobile devices. If you are going to enable this access, be sure to educate the end users about cyber risks and how to avoid the threats and schemes they may encounter that could exploit this information. For smaller governments with less information technology capacity, it is more practical to avoid this risk altogether by not enabling it. Enabling two-factor authentication on the devices is also recommended. The new iPhone 10 face recognition capability may be an option as well.

Cyber threats are serious. Just a couple of years ago, Russian malware was found on a laptop at Burlington Electric (Burlington, Vermont) that could have wreaked havoc on their utility systems and done extreme economic damage to the local economy. I am also aware of a community that had its system taken hostage and shut down until it paid the hacker/hijacker a substantial sum of Bitcoin.

To manage access to the technology and its costs, also consider developing criteria for who should have access to mobile technology and why. One useful suggestion is developing tiered reimbursements, say, between $50 and $75 a month, depending on the expectations for how the technology will be used and how often. Since we perform so many different functions, different justifications should be developed for different types of personnel and different types of technology (cell versus tablet), whether a department head, building department staff, or a first responder.

Procurement should be centrally managed for all departments according to need, in order to achieve economies of scale and cost with the service that makes the most sense for your service area. Another factor to consider, and to consult with counsel about, is emerging case law requiring employers to compensate their employees for time spent on their company-issued or private phones outside of normal working hours for work purposes.

The webinar goes step by step through a new model policy that can be adapted based on a series of choices and decisions you should consider to make the most of it for your organization. I would suggest you get in touch with Kyle O’Rourke or Allison Lemay at kyle.orourke@bakertilly.com or allison.lemay@bakertilly.com for the new model policy. If you have an Information Technology Department or equivalent, it is worth having them tune into the On Demand Seminar on ICMA’s website (www.icma.org) so they can work through the model policy options and provide some insight to management and training to your employees who will be using the technology.
