We have a BYOD policy and we need to amend our policy to include banned mobile apps due to security/privacy concerns, i.e. TikTok. Has anyone found a trustworthy and maintained list of apps your company should ban from mobile devices that access your information systems due to privacy and security concerns?

Chief Cybersecurity Strategist & CISO in Healthcare and Biotech, 2 years ago

I agree with Eric Bedell. You may also want to take a look at companies specializing in MTD solutions, such as Lookout, Zimperium, and Wandera, whose websites publish lists of apps with known security vulnerabilities or privacy issues. As an example, Lookout periodically updates their Mobile Risk Matrix, highlighting apps and behaviors that pose security risks. https://www.lookout.com/documents/datasheets/us/lookout-mobile-risk-matrix-bullet-points-infographic-tabloid-us.pdf

Chief Privacy Officer in Finance (non-banking), 2 years ago

I found it easier to use a whitelist instead of a blacklist.
First, this is more secure, and second, it requires less maintenance.

Senior VP & CISO, 3 years ago

We don’t ban, but we have a company App Store with all approved apps. We limit use of other app stores.

CISO @ Florida Gulf Coast University in Education, 3 years ago

Some US states, like Texas and Florida, are starting to build such lists of technology and services that are considered "bad". Some parts of the US Federal Government have started publishing lists of technology that is considered banned.

https://www.tampabay.com/news/florida-politics/2023/05/02/desantis-drones-police-chinese-dji-american-security/
https://www.cnn.com/2023/04/07/business/tik-tok-florida-ban-state-universities/index.html

The lists are out there, although there is no one list you can follow.

I do agree with everyone else on here though, doing this on personal devices is a bit odd. If anything, you should consider restricting the services on your corporate/guest networks, so that if someone uses a BYO device you do not need to worry about what is on there, but rather prevent it from accessing those services, and ensure none of your data ends up on those devices.

Former CISO, VP in IT Services, 3 years ago

There is no silver bullet of a trustworthy, maintained list of apps. It all depends on your company's risk tolerance for what information / activity is gathered and used according to the actual terms & conditions. That is assuming someone in business/risk management has read the T&Cs to develop a position. :-)
