Most owners and managers check emails, read documents, pay invoices, and access cloud-based applications using their phones. The mobile browser has now become part of the office network. It is convenient and fast. It also collects more data than many people know.
Research done on different mobile browsers used by many people showed significant differences in the amount of data collected. Some mobile browsers collect many device identifiers and data. Others collect only what is necessary for the browser to work. If your team is using a mobile browser to access company resources, it’s essential to know what information is potentially being exposed.
How mobile browsers handle user data
Mobile browsers gather several types of data.
First, mobile browsers gather technical data necessary for the application to run.
This type of data includes IP address, type of device, operating system, and activity within the browser. Functionality requires some of this type of data.
Second, mobile browsers gather analytics data.
This type of data could include search history, website addresses, activity within the browser, crash reports, and activity IDs. This type of data could potentially be connected to a user profile.
Third, mobile browsers gather tracking data through cookies and tracking scripts.
Even if a mobile browser does not collect a great deal of data on its own, a website could potentially collect user data that is stored in the browser.
These cookie-based identifiers could potentially be connected to advertising IDs.
If a member of your organization researches a vendor, accesses a client portal, or looks through financial records through a mobile browser, a trail of metadata could potentially exist.
This type of metadata could potentially include time stamps, location indicators, device IDs, and patterns of behavior.
This does not mean sensitive documents are available for anyone to see.
It simply means this type of behavioral data exists and could potentially be collected by the mobile browser provider or a related service.
The risk to a growing company
This activity is often overlooked in the planning process. However, the browser is the entry point for many organizations’ Microsoft 365, accounting systems, CRM systems, payroll systems, and industry-specific tools.
If a device is compromised, the saved session and cookies could potentially provide a pathway into these systems (stolen session cookies have been used to bypass MFA). If the sync features are saving history or credentials in a personal account, the data could potentially leave your controlled environment. If advertising IDs are connected to usage patterns, research topics and vendor activities could potentially become part of a larger profile.
There is also the issue of compliance. Many businesses in California are under the umbrella of a privacy regulation such as the California Consumer Privacy Act. Insurance carriers are increasingly asking for documentation of security controls in a system or network in the event of a breach investigation.
Many executives are concerned with email security. However, the browser is often overlooked even though it is the primary entry point for many organizations’ cloud-based systems.
Control, configuration, and policy
Obviously you can’t stop browsing altogether. In many cases it is essential. However, it can be controlled.
The first area to consider is the choice of browser. The privacy policy of each browser is different in terms of the level of data collection. The vendor’s policy document and independent testing results should be considered before deciding on a standard browser for company-owned devices. Note that popular browsers like Google Chrome and Microsoft Edge are known to collect substantial telemetry data.
The second area to consider is the configuration of the browser. The sync functionality of the browser does not need to be enabled unless absolutely necessary. Browser-based password storage should be disabled and only an approved third-party password manager enabled. Advertising IDs can be disabled for company-owned devices. Multi-factor authentication can be enforced for all web-based applications.
The next area to consider is mobile device management. Company-owned devices and personally owned devices that are allowed for work can be included in a mobile device management system that includes encryption, screen lock enforcement, remote wipe capability, and application management. Automatic updates can be enabled for the operating system and the browser.
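The configuration and device-management steps above are only useful if someone checks that the settings actually reached the phone. The following is an added example, not code from the original article, of a small audit script that compares a browser's managed configuration against the browser-side controls listed above (sync off, built-in password storage off, telemetry off). Policy key names are taken from Google Chrome's enterprise policy list (SyncDisabled, PasswordManagerEnabled, MetricsReportingEnabled); on Android a mobile device management system delivers them as app restrictions. Whether each policy is honoured on a given mobile platform and browser version is an assumption to verify against the vendor's documentation, and advertising-ID and MFA controls live outside the browser policy, so they are not covered here. Both sample profiles are constructed for the example.

```python
"""Audit a mobile browser's managed configuration against the article's controls.

Added example, not from the original article. Policy names follow Google
Chrome's enterprise policy list; on Android the MDM delivers them as app
restrictions. Verify mobile support for each policy in the vendor docs.
"""
from __future__ import annotations

import json

# Each rule: policy key -> (required value, why the control matters).
# Availability of these keys on mobile builds is assumed, not confirmed here.
REQUIRED_POLICIES = {
    "SyncDisabled": (True, "sync can copy history and credentials to a personal account"),
    "PasswordManagerEnabled": (False, "use the approved third-party password manager instead"),
    "MetricsReportingEnabled": (False, "limits usage telemetry sent to the browser vendor"),
}


def audit_policy(policy: dict) -> list[str]:
    """Return a list of findings; an empty list means every control is in place.

    An absent policy is a finding too: an unset key falls back to the browser
    default, which for these keys is the permissive setting.
    """
    findings = []
    for key, (expected, reason) in REQUIRED_POLICIES.items():
        actual = policy.get(key)
        if actual is None:
            findings.append(f"{key}: not set (browser default applies); {reason}")
        # type check stops a JSON 0/1 from silently passing as false/true
        elif type(actual) is not type(expected) or actual != expected:
            findings.append(f"{key}: is {actual!r}, expected {expected!r}; {reason}")
    return findings


# Constructed sample: the MDM profile as first drafted (weak settings).
WEAK_PROFILE = json.loads("""
{
  "SyncDisabled": false,
  "PasswordManagerEnabled": true
}
""")

# Constructed sample: the same profile with the article's controls applied.
HARDENED_PROFILE = json.loads("""
{
  "SyncDisabled": true,
  "PasswordManagerEnabled": false,
  "MetricsReportingEnabled": false
}
""")


def audit_report(policy: dict) -> str:
    """Human-readable summary of an audit, one finding per line."""
    findings = audit_policy(policy)
    if not findings:
        return "OK: all required browser policies are set"
    return "\n".join([f"{len(findings)} finding(s):"] + [f"  - {f}" for f in findings])


if __name__ == "__main__":
    for name, profile in (("weak profile", WEAK_PROFILE), ("hardened profile", HARDENED_PROFILE)):
        print(f"[{name}]")
        print(audit_report(profile))
```

Run it against the exported app-restriction JSON from your MDM before rolling a profile out, and again after enrolment to confirm the device reports the same values; the missing-key case is the one most often overlooked, because a policy that was never pushed looks identical to one that was silently rejected.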
Policy is as important as technology. Employees must be given clear guidance on which browsers are supported, how to access company systems securely, and what is acceptable on a company device. Personal browsing on a company-managed phone is riskier and must be dealt with accordingly.
Mobile browsers are a part of your infrastructure whether you design for them or not.
Work with an IT partner who understands your business environment. General IT checklists are a good start, but implementation requires someone who can integrate security controls with your business workflow, your compliance needs, and your risk tolerance.
