With the rising use of smartphones and tablets and their related technology, the University is implementing a proactive policy change that will advance the protection of Emory data stored on these devices.
Smart device use has grown substantially over the past five years. Recent statistics show that 40 percent of U.S. cell phone owners now have smartphones, which are becoming the dominant general phone platform. Theft of these devices have also risen exponentially. Last year 2 million smart devices were stolen; that's one every 15 seconds.
Over 10,000 smart devices currently access Emory email and are also used to edit documents, collaborate with coworkers, and collect research data among other uses. As use of these technologies continues to increase, the Office of Information Technology is trying to ensure that sensitive Emory data is protected in the event of theft or loss.
"We want to embrace and support new technologies," says Derek Spransy, a security specialist on the OIT Information Security team, "and we want to do it while addressing the risks that come with them. Even five years ago most people hadn't heard of an iPhone, iPad or Android. Today these devices have become integral to our daily work and personal lives.”
The policy's immediate impact on users is that any smart device accessing Emory's Exchange email will be required to enable a four-digit PIN/password and encryption of data stored on the device. In the event that the PIN/password is entered incorrectly 10 times in a row the policy will also trigger a data wipe on the device. This policy will apply to all smart devices used to access Emory Exchange, regardless of whether or not the device is owned by Emory.
The OIT Information Security Team has already applied the policy to all OIT staff members and it is currently being tested in other areas across campus. Over the coming months the policy will be applied to all smart devices accessing Emory Exchange.
“Be on the lookout for communications about when the policy will be applied to your school or business unit,” says Spransy. To help make this implementation as easy as possible, the security team has created a “Smart Device Security Information” webpage to help users prepare for the various aspects of the policy.
Existing features of most smart devices make it highly unlikely that one can accidentally erase data by entering their PIN incorrectly. Modern smart devices typically progressively lengthen the interval between failed attempts or require the user to enter a specific word or phrase to continue after multiple failed login attempts. This makes it difficult for a small child, for instance, to accidentally enter 10 consecutive failed passwords.
Protecting the information of Emory's patients, faculty, staff and students is vital to the institution's mission.
An added benefit of the policy is that its requirements will also protect personal email, pictures, text messages, contacts and other accounts. Studies show that 54 percent of smartphone users never put a PIN on their phones, and leaving various applications logged-in all the time increases risk and vulnerability.
"We've already had instances in UTS where the policy has protected missing or stolen smart devices," says Peter Buch, associate director of HR Technology Services.
The key habit that smart device users should develop is synchronizing and backing up their data on a regular basis. This makes the process of recovering from a theft, loss or device failure much easier. By encouraging basic security measures for smart devices, OIT believes this policy will significantly increase the security of Emory's valuable data.
Questions may be directed to local IT support or submitted to security@emory.edu.