British Columbia's auditor general says appropriate security controls are not always in place for thousands of mobile devices used by government employees, putting sensitive information at risk.
Carol Bellringer also concluded after an audit between June and November 2015 that the government does not monitor mobile-device activity and has no central record of devices, such as smartphones and tablets.
"This is concerning because an inventory of all devices that have access to information is the most critical IT security control. It's pretty tough to control what you don't know about," Bellringer said Tuesday after releasing a report.
"Any loss, theft or exposure of sensitive government information to which these devices often have access could have serious implications for both government and the people of British Columbia."
Bellringer said inactive devices may be left unlocked for too long, leaving information vulnerable, adding that the same security measures available for personal computers over the last two decades are only now becoming available for mobile devices.
Her audit on security of mobile devices included the Office of the Chief Information Officer and five ministries — Finance, Justice, Health, Children and Family Development, and Forests, Lands and Natural Resource Operations — which have the highest privacy risks.
Bellringer made seven recommendations to improve security, including that the Office of the Chief Information Officer ensure that key initial security settings are applied before a mobile device is used.
Her report also called for an analysis of lost and stolen device reports for potential enhancements to security awareness programs.
Bellringer said the government recognizes the risks posed by the rapidly changing nature of mobile devices.
The Office of the Chief Information Officer began implementing her recommendations even before the audit was completed, she said. The office added a new mobile-device management tool, an important step towards automating the installation and maintenance of anti-malware, Bellringer added.
The Office of the Information and Privacy Commissioner also released a report on mobile-device management on Tuesday, focusing on privacy.
Acting privacy commissioner Drew McArthur said the investigation conducted concurrently with the audit suggested the government needs to implement clear mobile-device policies because many were confusing.
"To keep up with the pace of technological change, privacy and security training for government employees should be offered on an ongoing basis and it must specifically reference mobile devices," he said.
"Government should also be careful to ensure that applications on any government-issued mobile devices do not store personal information outside of Canada."
Both offices produced 15 tips on how citizens can maintain security of their own devices. They say people should ensure that screens are locked, and that password attempts and location information are limited.