Secure Timesheet? Isn’t Every System Secure?
The simple answer is No. Most software systems focus on functionality and ease of use, not security. This is a big problem as a secure timesheet system needs a security-first approach.
Do you need a Mobile App?
For most customers, the simple answer is Yes as the ease of use and accessibility is something their employees want. So, assuming you want a mobile app for your users, the first question to suppliers should be ‘is your mobile app a downloadable mobile App?’, because downloaded apps are inherently insecure.
Why Downloaded Mobile Apps are Insecure
Downloaded mobile apps store data on mobile devices. If the device is ever lost or stolen, corporate data could be compromised. It all depends upon the security of the person’s phone password. However, there is a greater risk with downloaded apps:
Fact: Mobile apps are vulnerable to hackers and security breaches
Research by Arxan, experts in mobile security, found that it took less than 10 minutes to hack into the top 30 financial sector apps, and they discovered 180 vulnerabilities, demonstrating the vulnerabilities exposed by downloadable mobile apps.
Another report found “insecure data storage is the most common security issue in 76% of mobile apps”.
Importantly, hackers seldom need physical access to a smartphone to steal data: 89% of vulnerabilities can be exploited using malware. With mobile apps exposed to high levels of security vulnerability, corporate data is at considerable risk. Added to this, when Android and iPhone apps store data on phones, that can translate to the very definition of a mobile security lapse.
IT departments dedicate a considerable portion of their budgets to security, and in high security environments, provide secure mobile devices to employees. However, it is common for employees to use their own mobile phones connected to business apps. In these environments, mobile devices provide a ‘back door’ and create a weak link in the organization’s security, as the security of mobile devices is set by the employees that own the devices. Employees set the passcodes to their phones, choose the apps (and possibly malware) they download, and, if the phone is lost or stolen, may not report it to IT security.
This puts all the data used by corporate systems that use phone apps at risk, and if your timesheet solution uses a mobile app, it is putting your organization’s customers’ data at risk.
So what’s the answer? How can mobile timesheets be made secure?
The answer is to look at what is acceptable to Corporate IT security for desktop software.
For desktop computing, cloud software is the most prevalent today. Cloud software is recognized as being more secure, more resilient, and requiring less IT support than locally installed apps – especially when new versions need to be rolled out to users. In fact, applications that are downloaded and installed on desktop PCs or Macs are now viewed as out-of-date, high maintenance, and are rarely acceptable to IT departments anymore.
So why then are mobile apps downloaded for mobile phones and tablets when this same approach on the desktop is viewed as out of date?
“Cloud software is incredibly prevalent in PCs and Macs, but when it comes to phones and tablets, people seem stuck in the mindset that they must have a downloadable app,” explains Timewatch CEO Graeme Wright. “It’s what people are used to, and that includes developers.”
“Downloaded mobile apps download and store data on the phone as this makes the app faster and more convenient to the user. This of course creates a security risk because this data is stored on a device, and should the device be lost or stolen, corporate security is reliant on the person’s phone password. The point here is that the level of security and the risks are outside of the control of the organization. In contrast, cloud based applications specifically developed for the mobile browser don’t download any data, so there is no corporate data at risk.”
So why do companies develop mobile apps if they are insecure?
“That’s an excellent question”, says Wright. “There are a few likely reasons. The first is that the public is used to downloading apps for the phones. It’s easier for Developers to deliver solutions in a familiar way. Once a product is developed for devices, it’s impossible to change it to be cloud based, it needs a complete rewrite, and that’s expensive. Another reason could be marketing – mobile apps are sold via phone stores and suppliers like the exposure these stores provide. Additionally, it is much harder and more costly to develop a secure browser app that works with all mobile browsers. These combined give compelling reasons for developers to take the downloadable app approach rather than the secure mobile cloud app approach.”
Why did Timewatch create a secure browser timesheet app?
“A downloadable app just didn’t sit right with us. Computing has swung back and forth between centralized processing and distributed processing a few times over the years. It seemed a first-generation concept to go back to distributed processing on mobile devices rather than the centralized cloud server approach that was becoming more and more prevalent when the smartphone emerged. So we engaged with our customers. Interestingly, few customers raised security as a requirement, they were all so focussed on having mobile functionality, but when we asked if they would compromise security there was a resounding no! So we prototyped both approaches, and could immediately see the security benefits of the responsive app approach, so that is the direction we took.”
Secure Timesheet – The Right Approach?
For mobile, the cloud can be just the same as it is for PCs and Macs – browser based. Most apps need access to the web to work anyway, and many personal systems such as Facebook, Netflix, Twitter, Gmail etc. all run in the mobile browser. Mobile business software solutions that run in a browser make good sense. They are inherently more secure. They are easier to manage as there is nothing to download and install, no updates or security patches for the IT team to manage, no data stored on the mobile device, no risk if the device is lost or stolen, and nothing to hack.
Our PC and Mobile applications are cloud-based browser applications.
There is nothing installed on devices, so no data to compromise.
Although technically a downloaded app is very different to a cloud app, the front end design concept is no different. The software needs to be designed specifically for touch sensitive, smaller screen size and reduced data usage that mobile devices demand. In web design, this is called ‘responsive’ design.
A responsive cloud based timesheet meets all requirements: it delivers all the timesheet functionality users need on their mobile, it has all the same benefits as desktop cloud software, and of course it avoids the security risks of mobile apps.
“There is just no need to risk corporate data by using downloaded Apps,” says Wright. “With a well-designed mobile web app like Timewatch®, and the speed of phones on 4G, 5G, why risk mobile security by using downloaded and installed apps? Use a Cloud app, just like you would on a PC or laptop.”
“A personal phone may be the biggest risk to a company’s security,” explains Wright. “The Cloud affords better security with end-to-end encryption, and data storage is unquestionably safer in the Cloud than on a private individual’s phone. With our mobile web apps, if anyone loses their phone, there is no data loss as there is nothing stored on your phone. All corporate data is safe and sound in the Cloud.”
1. ^ Arxan, Feb 5, 2020. Financial Mobile App Vulnerability FAQs (Now Digital AI, original document no longer available)
2. ^ Positive Technologies, June 19, 2019. Vulnerabilities and threats in mobile applications, 2019
3. ^ ZDNet, June 20, 2019. Three quarters of mobile apps have this security vulnerability that could put your personal data at risk
4. ^ TECH Exactly, June 2021. 10 Steps on How to Build a Successful Employee Mobile App
Timesheet app security and mobile app security
Timewatch’s OutlookTime system provides high levels of mobile app security. Whereas downloadable apps store data locally, OutlookTime is cloud based. With no data stored on the phone or tablet, it offers the highest level of timesheet app security.