Sometimes it can be risky mixing business and pleasure. The International Association of Information Technology Asset Managers (IAITAM) is warning businesses that such a risk could arise if employees download the insanely popular Pokemon Go app on company-owned devices.
The association has recommended corporations prohibit the installation and use of Pokemon Go on any devices used for business purposes. The group says that includes "bring your own device" (BYOD) phones/tablets with direct access to sensitive corporate information and accounts.
IAITAM CEO Dr. Barbara Rembiesa goes so far as to call the new augmented reality game a “nightmare” for firms trying to keep their email and cloud-based information secure.
“Even with the enormous popularity of this gaming app, there are just too many questions and too many risks involved for responsible corporations to allow the game to be used on corporate-owned or BYOD devices,” Rembiesa said. “We already have real security concerns and expect them to become much more severe in the coming weeks.”
She said that, to be safe, organizations must keep the app off any device that connects to the organization's network. Here are her concerns:
Rembiesa says the original user agreements for the game allowed Niantic to access each user's entire Google profile, including his or her history, past searches, and anything else associated with a Google Login ID.
That is no longer the case in current versions, but Rembiesa says this meets the definition of a data breach for corporate-owned devices. It's also not clear to what extent data breaches took place before the change and what happened to the accessed information.
Rembiesa says she has seen reports that some versions of the app that are on non-official download sites may include malware. The illicit software may allow cyber-criminals to take control of an infected phone or tablet.
Rembiesa worries that unsophisticated users might not be aware of the risks inherent in downloading from any third-party provider, especially if the device is used on a corporate network. She says Proofpoint, an online security provider, has already reported knockoff Android copies of Pokémon Go in the wild containing a remote access tool (RAT) called DroidJack.
Encouraging bad behavior
Making an exception and allowing the use of a game app on a corporate-owned device sets a bad precedent, Rembiesa argues. She says employees need to understand the importance of sticking with approved software.
Despite its popularity, she says Pokemon Go must be considered a "rogue download," which is “any software program downloaded onto a device that circumvents the typical purchasing and installation channels of the organization.”