Good security practices key to unleashing full potential of mobile business processes
South African organisations can drive massive productivity and efficiency gains by mobilising their enterprise content management (ECM) and business process management (BPM) systems – but only if they adopt solutions and best practices that keep confidential corporate and customer data secure at all times.
That's according to JP Lourens, software product manager at Kyocera Document Solutions South Africa, who says that along with the convenience and productivity benefits of giving users the ability to access data and documents wherever they are, mobility also introduces new security risks. "Mobile devices can easily be lost or stolen, with the result that confidential data can fall into the wrong hands," he says.
"Companies that will be providing the workforce with mobile access to documents should ensure that they adhere to global best practices in data protection and comply with local laws and regulations, such as the Protection of Personal Information Act (POPI). This is especially important when handling sensitive documents that contain financial data, personally identifiable information or contractual details."
Lourens says that a mobile ECM/BPM solution should offer tight security at two levels: user and administrator. Administrators should have full control over which features and data their end-users can access, so that unauthorised people cannot access sensitive information.
Some examples of the key features to look for in a secure mobile ECM/BPM solution include:
User permissions: The app should enable the IT department to set which documents and system features different groups of users can access. For example, HR directors who need administrative access to employee documents may have different permissions than HR clerks who only need to view certain documents. While the first group is allowed to perform any action, including deleting and modifying documents, the second group can only view and print the documents their permissions allow.
Automatic log-in: Any mobile app with access to sensitive company information should feature an option to disable automatic log-in. This forces the user to type in the user name and password each time the app is opened. It is recommended to disable automatic log-in when using automatic log-out.
Data cache clean-out: The administrator should be able to configure the app to flush all data, including any open electronic documents, from the device in any situation. To continue working, the user will need to log back into the system and download the electronic document again if needed.
Automatic log-out: IT should set a policy that users must log out when they are finished interacting with the app. A good solution will allow the administrator to configure a server setting enabling automatic log-out and disabling automatic log-in and export for all users. It is best practice to pair these security settings with the security features offered by mobile devices, such as "Auto-Lock" and "Passcode Lock".
It should be possible to configure the app to log out automatically after a certain period of inactivity or when the user minimises the app. This should not only remove all documents from local storage, but also remove traces of the document or folder that the user was last viewing. These features will stop unauthorised individuals from picking up an abandoned iPad or iPhone and viewing the data.
Data leak protection: When an electronic document is exported from a corporate-approved mobile app to another app, that new app takes control of the document. A robust platform should allow IT to control whether sensitive documents can be exported to other apps, from where they can be shared with other people or stored locally on the device.
Says Lourens: "In addition to using a secure platform and configuring it correctly, the organisation should have clear security and capture policies in place. It is important to educate users about the security settings and to show them how to keep corporate data secure. If users will access sensitive documents outside the office, they should also be instructed on how to set up a VPN on their mobile device."