Should Employers Say No to Pokémon Go?

By now, the Pokémon Go phenomenon has swept the nation (yours truly excepted) into a fever of using smartphones and tablets to “find” and “capture” digital creatures from the Pokémon universe that virtually appear at specific locations in the real world.

(If you need any proof that it’s not just a game for kids to play, Forbes contributor Paul Tassi has been posting tips and tricks on its site for all the business world to see and use.)

Now, it may sound like an odd — or perhaps paranoid — question, given the seemingly harmless nature of the game, but could Pokémon Go actually have negative effects on employers and organizations, beyond a dip in worker productivity?

Well, of course it could, according to a few different sources.

According to the International Association of IT Asset Managers (IAITAM), fans of the game “do not include the corporate professionals who deal with Information Technology Asset Management (ITAM) designed to keep phones, tablets, and other devices secure in the workplace.”

And that’s why the group has called on corporations to ban the installation and use of Pokémon Go on both corporate-owned, business-only (COBO) phones/tablets and “bring your own device” (BYOD) phones/tablets with direct access to sensitive corporate information and accounts.

Here’s IAITAM CEO Dr. Barbara Rembiesa discussing the dangerous world that players enter when tracking down the fanciful creatures on their phones, tablets, etc.:

“Frankly, the truth is that Pokémon Go is a nightmare for companies that want to keep their email and cloud-based information secure. Even with the enormous popularity of this gaming app, there are just too many questions and too many risks involved for responsible corporations to allow the game to be used on corporate-owned or BYOD devices. We already have real security concerns and expect them to become much more severe in the coming weeks.”

The only safe course of action, she advises, is to bar Pokémon Go from corporate-owned phones and tablets, as well as employee-owned devices that are used to connect to sensitive corporate information.

The group outlines three of its greatest concerns when it comes to the game:

* DATA BREACHES. The original user agreements for Pokémon Go allowed Niantic to access the entire Google profile of the user, including their history, past searches and anything else associated with their Google Login ID. This has since been corrected, but for COBO devices the result was, by definition, a data breach. It is unclear of the extent of data breaches that took place prior to the changes, what happened to the information accessed, and how that information was stored and/or destroyed. Further, there is nothing that would prohibit Niantic Laboratory from once again seeking access to all or some of this information.

* RISKY KNOCKOFF COPIES. There are now reports that some versions of the Pokémon Go app available from non-official app stores may include software allowing cyber crooks to remotely control the user’s phone or tablets. Unsophisticated users may not understand that third party app providers should be avoided due to the risks involved. The online security firm Proofpoint already has detected knockoff Android copies of Pokémon Go in the wild containing a remote controlled tool (RAT) called DroidJack.

* ENCOURAGING BAD BEHAVIOR. One of the most important things for employees using COBO devices, in particular, is the need to stick with approved software and apps. Pokémon Go must be considered a “rogue download,” which is any software program downloaded onto a device that circumvents the typical purchasing and installation channels of the organization. Rather than simply banning Pokémon Go, corporations should also use this as a learning opportunity to encourage maximum employee understanding of the rationale against rogue downloads, particularly the security risks they represent.

Also lending his voice to the chorus of concern is Philippe Weiss, Chicago-based lawyer and managing director of Seyfarth Shaw at Work.

Weiss offers managers five “valuable strategies to safely manage Pokémon Go perils” at work:

Prioritize Performance over Pokémon: Start watching your employees’ timeliness and attendance with greater attention than usual in the coming weeks. Follow up on even small delays in work/task completion while the Pokemon Go craze is upon us.
– Note any employees walking around with gazes fixed on their smartphone screens (and exhibiting an accompanying semi-spaced-out demeanor).
– Train your managers to know when and how to safely tell employees: “Pokemon STOP!” (And train them not to set the wrong example, themselves, by playing Pokemon Go during work time).

Train on Pokemon Go Protocols: Give security people and managers simple scripts to use when they encounter any wandering/errant players. The key is to “Respectfully Reroute” players, quickly and safely.

Patrol Possible Player Pathways (especially if you operate any outdoor facilities): Regularly check all doors, gates and access ways to unauthorized areas to confirm that they are effectively secure. (And do not leave any hazards exposed. You don’t want distracted players falling into a floorboard gap followed by a 30-foot drop to the sub-basement.)

Use the Power of Your Policies: Remind everyone at work about your electronic device policy and ask that smart phones be turned off at all meetings. Don’t cede your power to the Pokemon.

Consider the Potential Poke-Payoff: On the plus side, if your store or business is near (or is itself) a Poke Stop or Pokemon Gym, you most likely have already seen increased foot traffic. Businesses can also purchase an in-game module called a “lure” to attract Pokemon (and thus, more players/potential customers) for a 1/2 hour period. However, be ready for the possible resulting Poke-mayhem. If that happens, take steps to ensure that your own employees continue to focus on their work.

“The phenomenon is here,” Weiss notes, “but Pokemon GO need not mean that Performance STOPS!”