IT Security Guru

Pokémon GO: A meme in the essential balance of work and play

by The Gurus
August 25, 2016
in This Week's Gurus

Pokémon GO is this summer’s craze, with the latest figures showing that 7.5 million people have downloaded it. And along with Rattata and Pidgey, people have also been discovering a number of personal risks while playing – notably, falling off cliffs or even wandering in front of traffic. But what about business risks?  If an employee uses their personal phone (even if they don’t play Pokémon GO) for work e-mail (e.g. BYOD) are they unknowingly introducing risk to their employer?  Even worse, are they risks that the business isn’t aware of or prepared to handle?
There is a clear risk involved with BYOD, but beyond malicious apps, there are subtler risks at play here. In order to play Pokémon GO, you agree to allow Niantic to track your location, access your camera and “certain personal information (such as your email address) that your privacy settings on the applicable account permit us to access.”1 Even more concerning are other parts of the Pokémon GO ‘Terms of Service’ that you must agree to in order to play the game.
In particular, the statement “By making any User Content available through the Services, you grant to Niantic a nonexclusive, perpetual, irrevocable, transferable, sublicensable, worldwide, royalty-free license to use, copy, modify, create derivative works based upon, publicly display, publicly perform, and distribute your User Content…”2 I’m no lawyer, but those are terms that seem out of place on a device with proprietary business information and sensitive customer content. But we can segment the corporate data from game data, right? Well, on an iOS device I’d be inclined to agree as Apple’s sandboxing is solid. But what if your employee, intentionally or otherwise, uses their Gmail account for work e-mail? What if the employee uses the same password for their Gmail or Facebook account as Active Directory? The easiest way to sign up for Pokémon GO is to use your Gmail account or Facebook account, and even if password re-use isn’t relevant, you’ve just provided your Facebook or Gmail account password to a gaming company. Last I heard, gaming companies aren’t immune to compromise, which could put all kinds of personal and professional information at risk, particularly when Facebook accounts are threatened.
So let’s recap a bit. In order to play Pokémon GO, people need to:

  • Give up their Gmail or Facebook account password
  • Allow a gaming company to track their physical location at all times
  • Give access to their camera (as needed)

I can’t speak to the percentage of people who gave up their Facebook account password, but given the number of people playing the game, it has to be a pretty wide net.  In addition to not being a lawyer, I’m also not a conspiracy theorist, but that sounds like pretty juicy information for someone to use (be it for good or evil).  Being paranoid, I’m going to assume the latter.
Given all that, what are the clear risks to businesses?  I’d say the primary risk is password re-use.  While we can assume that Niantic doesn’t plan to exploit Gmail and Facebook account credentials, we *can* assume that they will be targeted by malicious actors who do plan to exploit said credentials.  If someone were to compromise customer Personally Identifiable Information (PII) from Niantic, the amount of business-specific information harvested could be significant – particularly if there is a lag between the compromise, detecting the breach and public disclosure.  So, if your employees are using the same password for Gmail and/or Facebook as they are for Office 365, and Niantic gets hacked … well, you know the drill.
So what can businesses do? A lot of it has to do with solid policies and user education but technology is important too:

  • Invest in a solid security awareness program. Employees need to understand the risks inherent with mixing church (personal) and state (corporate) on the same device.
  • Write a security policy that resonates with your employees. Well-written policies tend to be well read and adhered to, and poorly written policies tend to be poorly read.
  • Make sure every device that interacts with your network is secured.  While educating employees is essential, millennials are coming and they expect to be secure, everywhere, on any device and without impacting the user experience.
  • Ensure BYOD is a privilege, not a right. There is skin in the game on both sides of the table and while the benefits are clear (e.g. companies save money, employees pick their own smart device) there are also responsibilities for both parties.

We need to make peace with the fact that we’re owned by every device we depend on and every app we can’t live without and that these devices are already a utility for work, health, and play. Trying to force a single application to suit solely business interests will likely be counterproductive. Security professionals and business leaders should be looking for technology solutions which will support the user’s interests, as well as the business requirements.
