A Secure Timesheet Should Be Priority #1 When Choosing Timesheet Software

Scary Fact: Mobile apps are vulnerable to hackers and security breaches

Research by Arxan, experts in mobile security,  found that it took less than 10 minutes to hack into the top 30 financial sector apps, and they discovered 180 vulnerabilities! Demonstrating the vulnerabilities exposed by downloadable mobile apps.

Another report found “insecure data storage is the most common security issue in 76% of mobile apps”^[2].

Importantly, hackers seldom need physical access to a smartphone to steal data: 89% of vulnerabilities can be exploited using malware^[3]. With mobile apps exposed to high levels of security vulnerability, corporate data is at considerable risk. Added to this, when Android and iPhone apps store data on phones, that can translate to the very definition of a mobile security lapse.

IT departments dedicate a considerable portion of their budgets to security, and in high-security environments, provide secure mobile devices to employees. However, it is common for employees to use their own mobile phones connected to business apps. In these environments, mobile devices provide a ‘back door’ and create a weak link in the organization’s security as the security of mobile devices is set by the employees that own the devices. Employees set the passcodes to their phone, the apps, and possible malware they download, and if the phone is lost or stolen, may not report it to IT security.

This puts all the data used by corporate systems that use phone apps at risk, and if your timesheet solution uses a mobile app, it is putting your organization’s customer data at risk.

So what’s the answer? How can secure timesheets for mobile be made?

The good news is Yes, but it needs a different approach.

The answer is to look at what is acceptable to Corporate IT security for desktop software.

For corporate desktop computing, cloud software is the most prevalent today. Cloud software is recognized as being more secure, more resilient, require less IT support than locally installed apps –  especially when new versions need to be rolled out to users. In fact, applications that are downloaded and installed on desktop PCs or Macs are now viewed as out-of-date, high maintenance, and are rarely acceptable to IT departments anymore.

So why then are mobile apps downloaded for mobile phones and tablets when this same approach on the desktop is viewed as out of date?

“It has become second nature to just as if there is a (mobile) app,” explains Timewatch CEO Graeme Wright. “Few if any IT departments would let employees download and install desktop applications on unprotected personal computers, the risks are too great. Employees’ use work PCs that are secured by the company’s network, and the IT department manages installed applications, but many use Cloud software. Cloud software is recognized as secure and there are through various ISO & SOC2 standards that security can be demonstrated. When we point out that using this exact same approach for mobile connectivity ensures the same level of security as desktop apps, it is quite often a light bulb moment.”

So why do companies develop mobile apps if they are insecure?

“That’s an excellent question”, says Wright. “There are a few likely reasons. The first is that the public is used to downloading apps for the phones. It’s easier for Developers to deliver solutions in a familiar way. Once a product is developed for devices, it’s impossible to change it to be cloud-based, it needs a complete rewrite, and that’s expensive. Another reason could be marketing – mobile apps are sold via phone stores and suppliers like the exposure these stores provide. Additionally, it is much harder and more costly to develop a secure browser app that works with all mobile browsers. These combined give compelling reasons for developers to take the downloadable app approach rather than the secure mobile cloud app approach.”

Why did Timewatch create a secure browser timesheet app?

“A downloadable app just didn’t sit right with us. Computing has swung back and forth between centralized processing and distributed processing a few times over the years. It seemed a first-generation concept to go back to distributed processing on mobile devices rather than the centralized cloud server approach that was becoming more and more prevalent when the smartphone emerged. So we engaged with our customers. Interestingly, few customers raised security as a requirement, they were all so focussed on having mobile functionality, but when we asked if they would compromise security there was a resounding no! So prototyped both approaches, and could immediately see the security benefits of the responsive app approach, so that is the direction we took.”

Secure Timesheet – The Right Approach?

For mobile, the cloud can be just the same as it is for PCs and Macs – browser based. Most apps need access to the web to work anyway, and many personal systems such as Facebook, Netflix, Twitter, Gmail etc. all run in the mobile browser. Mobile business software solutions that run in a browser make good sense. They are inherently more secure. They are easier to manage as there is nothing to download and install, no updates or security patches for the IT team to manage, no data stored on the mobile device, no risk if the device is lost or stolen, and nothing to hack.

Although technically a downloaded app is very different to a cloud app, the front end design concept is no different. The software needs to be designed specifically for touch sensitive, smaller screen size and reduced data usage that mobile devices demand. In web design, this is called ‘responsive’ design.

A responsive cloud based timesheet, meets all requirements: it delivers all the timesheet functionality users need on their mobile, it has all the same benefits of desktop cloud software, and of course avoided the security risks of of mobile apps.

“There is just no need to risk corporate data by using downloaded Apps,” says Wright. “With a well-designed mobile web app like Timewatch®, and the speed of phones on 4G, 5G, why risk mobile security by using downloaded and installed apps? Use a Cloud app, just like you would on a PC or laptop.”

“A personal phone may be the biggest risk to a company’s security,” explains Wright. “The Cloud affords better security with end-to-end encryption, and data storage is unquestionably safer in the Cloud than on a private individual’s phone. With our mobile web apps, if anyone loses their phone, there is no data loss as there is nothing stored on your phone. All corporate data is safe and sound in the Cloud.”

Click here (it’s safe!) for more information on secure Timewatch professional services products for your business.

References

1. ^ Arxan, Feb 5, 2020. Financial Mobile App Vulnerability FAQs (Now Digital AI, original document no longer available)
2. ^ Positive Technologies, June 19, 2019. Vulnerabilities and threats in mobile applications, 2019
3. ^ ZDNet, June 20, 2019. Three quarters of mobile apps have this security vulnerability that could put your personal data at risk
4. ^TECH Excactly, June 2021y10 Steps on How to Build a Successful Employee Mobile App

These Timewatch Products all have safe, secure timesheets based on mobile web apps

• Outlook Timesheet entry
• Resource Scheduling
• Time and billing (includes OutlookTime®)
• Professional Services Automation (all in one)