IAITAM: Pokémon Go should be banned from corporate-owned phones, tablets, as well as personal phones linked to sensitive business data
July 2016 by IAITAM CEO Dr. Barbara Rembiesa
Millions of Americans may have fallen in love with the Pokémon Go mobile gaming app, but those fans do not include the corporate professionals who deal with Information Technology Asset Management (ITAM) designed to keep phones, tablets, and other devices secure in the workplace. Today, the International Association of IT Asset Managers (IAITAM) called on corporations to ban the installation and use of Pokémon Go on both corporate-owned, business-only (COBO) phones/tablets and “bring your own device” (BYOD) phones/tablets with direct access to sensitive corporate information and accounts.
IAITAM CEO Dr. Barbara Rembiesa said: “Frankly, the truth is that Pokémon Go is a nightmare for companies that want to keep their email and cloud-based information secure. Even with the enormous popularity of this gaming app, there are just too many questions and too many risks involved for responsible corporations to allow the game to be used on corporate-owned or BYOD devices. We already have real security concerns and expect them to become much more severe in the coming weeks. The only safe course of action here is to bar Pokémon Go from corporate-owned phones and tablets, as well as employee-owned devices that are used to connect to sensitive corporate information.”
Facebook, Twitter, YouTube, and even traditional media sources such as newspapers are all buzzing about Pokémon Go, a mobile gaming app created by Niantic Labs. The purpose of the game is to go out into the “wild”, or your surrounding neighborhood, and catch virtual Pokémon. From there, you level up as a trainer, visit Pokéstops for items, and fight for control of various “gyms,” which are usually located around landmarks and notable historic locations.
Rembiesa highlighted the following concerns:
* DATA BREACHES. The original user agreements for Pokémon Go allowed Niantic to access the entire Google profile of the user, including their history, past searches and anything else associated with their Google Login ID. This has since been corrected, but for COBO devices the result was, by definition, a data breach. The extent of the data breaches that took place prior to the changes is unclear, as is what happened to the information accessed and how that information was stored and/or destroyed. Further, there is nothing that would prohibit Niantic Labs from once again seeking access to all or some of this information.
* RISKY KNOCKOFF COPIES. There are now reports that some versions of the Pokémon Go app available from non-official app stores may include software allowing cyber crooks to remotely control the user’s phone or tablet. Unsophisticated users may not understand that third-party app providers should be avoided due to the risks involved. The online security firm Proofpoint has already detected knockoff Android copies of Pokémon Go in the wild containing a remote access tool (RAT) called DroidJack.
* ENCOURAGING BAD BEHAVIOR. One of the most important things for employees using COBO devices, in particular, is the need to stick with approved software and apps. Pokémon Go must be considered a “rogue download,” which is any software program downloaded onto a device that circumvents the typical purchasing and installation channels of the organization. Beyond simply banning Pokémon Go, corporations should use this as a learning opportunity to encourage maximum employee understanding of the rationale against rogue downloads, particularly the security risks they represent.