Taking Control of the Smartphone Phenomenon


It's probably no surprise to anyone that the activities framing the experiences in our personal lives have leaked into our business lives and vice versa. A September 2008 survey from The Pew Research Center's Internet & American Life Project reveals BlackBerry and personal digital assistant (PDA) owners are more than twice as likely to report that their employer expects them to stay tuned into e-mail outside of the office. In fact, 48% say they are required to read and respond to e-mail when they are away from work. Whether it's required by a company or it's a worker's choice, lines are being crossed, and that could pose many problems for companies, especially insurers.

The general use of smartphones within an insurance company seems to be by executives and other members of upper management. While some field employees and insurance agents may depend on smartphones for business communications, the availability of insurance-specific applications on these devices seems to be in the relatively early stages, according to Chad Hersh, a principal at New York-based Novarica. "There aren't that many smartphone applications out there right now for insurance," he says. "CSC (Falls Church, Va.) released an application [currently in beta] to enable agents and customers to access CSC systems on mobile browsers. Very few vendors have offered anything like that to date. It's really been up to the carrier."

Other than a handful of quiet steps toward insurance-specific mobile apps and some mobile claims systems apps on smartphones, Hersh says, there's been little reason to have governance policies. Governance policies apply to other mobile devices, as the insurance industry has seen activity in mobile claims through PC tablets or Web-connected laptops, but little through smartphones. Hersh attributes this to "the classic insurance lag, where carriers wait to see if a standard emerges."

However, many industry experts - Hersh included - agree that the insurance industry will see the mobile technology landscape start to change in the next couple years. Insurers are already providing mobile options to their customers. Earlier this year, Nationwide Mutual Insurance Co., Columbus, Ohio, released a mobile application that assists iPhone users after an auto accident. Additionally, Hersh says, USAA, a San Antonio-based provider of insurance and financial services to the military and their families, has completed some groundbreaking work on the banking side with iPhones and check depositing, and will likely shift some of that effort over to the insurance side. He believes this will lead to agents asking the question, "Why do my customers have more mobile access to the carrier than I do?"

PREPARE FOR THE SURGE

CIOs and IT departments need to be prepared for the predicted surge in smartphone usage among carrier employees, agents and consumers. They can begin by looking at how smartphones are currently used in their organizations and set policies that address security, application accessibility and overall control of corporate-sanctioned or personal smartphones. The only thing right now for which there are policies is e-mail on handhelds, Hersh says. Security and remote data wipes (erasing all data, making it unrecoverable) are going to have to become more of a focus in policies.

Darby O'Neill, CIO at Princeton Insurance, a medical professional liability insurer in Princeton, N.J., was curious about other insurers' smartphone usage when she attended a Physician Insurers Association of America event in early October. She questioned malpractice insurance CIOs at the IT roundtable about their smartphone policies and culture.

"I wanted to know because we, like everybody else, have information that I don't want in anyone else's hands," she says. "Out of 50 people (representing about 25 companies) in the room, only one company would reveal that it's letting people use their own phones to access their corporate e-mail." However, she heard the CIOs whisper to each other that they really didn't know if employees are using their personal phones for corporate communications.

THE RISKS INVOLVED

The unknowns related to smartphone usage are already a problem for CIOs, says Kevin Kalinich, national managing director of professional risk solutions for Aon Financial Services Group, Chicago. "A smartphone is designed to be flexible for new applications, and that's going to drive its usage." But the downside, he says, is that the smartphone may be too flexible. As a result, potentially harmful applications the smartphone manufacturer, operating system (OS) provider and network carrier didn't create can be downloaded onto the phone. "The apps introduce data exposures that weren't anticipated because they weren't embedded into the smartphone at the time the CIO decided to provide their workers with these devices."

The insurance industry is no stranger to data breaches due to mismanaged mobility; it's seen lost laptops turn into costly breaches. In early October, Blue Cross and Blue Shield Association warned physicians that a file containing unencrypted identifying information for 800,000 to 850,000 physicians who contract with a BlueCross BlueShield-affiliated insurance plan was on a laptop computer stolen from an employee of the national association in Chicago.

Given remote storage options, just as much data can be stored and leaked on smartphones. In fact, Hersh says, security could be even more problematic on a smartphone than on a laptop. "With laptops, I think we all understand the issues. You can easily have a boot-up password or a biometrics scanner on there. It's all very easy, commoditized and well understood," he says. "But outside of BlackBerry, which has a very standard security mechanism (self-lock, ability to control its use throughout the enterprise and the ability to remote wipe), how many CIOs or IT staff really know how to tell if a device automatically goes into standby after 30 seconds or, if it locks, the data is secured?"

The fact that there are so many different possible combinations of phone manufacturers, OS providers and network carriers also complicates security, governance and asset management efforts.

"Can you imagine if laptops weren't just Apple or Windows?" Hersh asks. "What if your employees were able to choose what OS was on their laptop, and they didn't even have to tell you?" This represents a big risk with smartphones, he says.

Another risk to consider, Aon's Kalinich points out, is bandwidth. "You can send a lot more data on a smartphone," he says. "Smartphones can aggregate data, and what makes it even more risky in terms of exposure is that smartphones are being used in the cloud. In the old days, the hard drive and storage would be either on the laptop or desktop. But now, with so much activity on smartphones, all of that data will clog up and overwhelm the mobile device. So an insurer can store that data in the cloud from the smartphone, which means a remote cloud server could hold all of your clients' data."

NO EASY ANSWERS

So, what's the answer to all of these headaches? Standardization would be an ideal solution. While it's not likely in the next couple years, CIOs can take a step in that direction.

"You need to make sure that every device on which employees are getting and storing company data is able to be controlled remotely and tracked by inventory and asset tracking," Hersh says.

O'Neill agrees that control is important. Out of Princeton Insurance's 150 employees, about 20 have smartphones, but O'Neill is researching ways to get more smartphones to more employees. "It is important that we weigh the want and desire for information by employees versus the security level," she says. "You want people to be on 24/7 - not everyone agrees with that, I know - but you want to enable people to respond if they want to." She says that issuing laptops was the first step to 24/7 access, but ultimate mobility requires smartphones. "If you're going to go down that line, you have to continue down that line."

O'Neill's plan for an employee who wants 24/7 access is to give them two choices - either accept a company-issued and approved phone or purchase their own personal phone that is compatible with Princeton's current server. If the employee chooses to use his own phone, "he has to bring that device into me and it becomes my device," she says. "I'm going to load all of the policies, and all of the security on it." The employee is required to use a password to get into the device, and if the password is entered incorrectly three times, O'Neill will wipe out that device entirely.

O'Neill emphasizes that this is the plan. While, currently, the only smartphones those 20 Princeton Insurance employees use are company-issued, she believes she will soon be working with employees' personal phones. "Anybody on the corporate team who needs it, we give it to them," she says. "Most of them have separate personal phones as well. So they carry two phones, which they don't like to do."

Employees using their personal phone for business present many risks, especially when it's a smartphone not supported by the IT staff, Hersh says. "We're seeing problems associated with employees who want to use their iPhone, Google Android or Windows Mobile phones for business-related activities - e-mailing, viewing customer data, etc. It seems like a great productivity boost, but realistically, what happens if they lose that device? Also, Windows Mobile phones, in particular, have the ability to read and edit Microsoft Office documents, and that's a particular problem."

SMARTPHONES GALORE

A July 2009 Forrester Research survey of CIOs from a number of industries shows that the iPhone is gaining popularity for business use. According to the survey, more than half of enterprises already support more than one mobile device - mostly BlackBerry and Windows Mobile devices. And, nearly one out of four enterprises support the iPhone.

After two years of avoiding the iPhone, O'Neill is considering supporting it. "I said no to iPhones for two reasons: First, it was a device that didn't function well in the Microsoft environment that most of us have, and it presents itself as too much of a toy from a corporate perspective," she says. "Now, I want employees to have a phone they're going to use. However, if I'm going to give them something, I'm still going to control it."

In terms of asset management, insurers are going to have to figure out what they can support and how much control they're willing to exert over their employees, Hersh says. "What many companies outside the industry are starting to figure out is that they need to have policies and procedures associated with smartphone use, and be willing to work with their employees on making sure everyone is in compliance."

SETTING A POLICY

Setting a smartphone policy should start with the smartphone, right? Wrong, says Aon's Kalinich. "The smartphone governance policy should not be developed in a vacuum," he says. "It should be developed in concurrence with overall enterprise IT governance because as soon as you establish the foremost policy on governance for smartphones, there's going to be some new technology that already makes your policy outdated."

Kalinich says insurers need to determine the types of information they consider confidential and who should have access to that type of information. "It could be that an entity determines that a certain set of people with a specific skill set should have information on underwriting or claims or settlement procedures," he says. "And another set of people should only have information on employees, our vendors and so forth. You have to set your governance policy more based on who needs to know what information, and after you set that policy, that's when you implement that overall macro-level policy with respect to data and information into the different devices. It makes your governance policy much more flexible. It makes the policy much more adaptable."

The whole issue of smartphones is fluid, dynamic and changing on a regular basis, Kalinich says. He uses the example of the 3G network, the newest mobile environment. He predicts that in two years 3G will be passed, and 4G devices will be prevalent. "So your policy for the 3G network will be obsolete in 2010 or 2011, and you'll be stuck creating another policy for 4G," he says.

O'Neill worries the constant changes will affect her company's helpdesk operations. "My helpdesk, which is a pretty limited staff, is going to have to be tech savvy on a number of smartphones and operating systems because you're constantly going to have issues," she says. "We're trying to figure out if we can standardize on something or pick three or four for employees to choose from. It's a management nightmare."

(c) 2009 Insurance Networking News and SourceMedia, Inc. All Rights Reserved.
