By Adam Harrison, Computer Forensic Consultant, Kroll Ontrack
For years BlackBerrys have been the de facto tool when it comes to mobile business communication, but the advanced functionality and fashionable nature of various Android and iOS devices have tempted a number of companies to adopt them as alternatives. With Research In Motion’s offering in the world of tablets - the BlackBerry PlayBook - now on the scene, we can expect this trend to continue. Even companies that do not provide tablets and smartphones to their employees can still expect that a significant number are carrying them in their pockets on a daily basis and possibly using them for business purposes.
Policies relating to the use of business equipment and resources for non-business purposes are common in most organisations; however, relatively few policy-makers seem to recognise the need to instruct employees on the extent to which they should or should not use personal devices for business purposes. The key risk associated with this activity, of course, relates to data loss; copies of e-mail and documents stored on employees’ tablets and smartphones run the risk of falling into the wrong hands should these small and easy to misplace or steal devices go missing. In the past, the damage possible through loss of a mobile device was limited by how little you were able to store on it, but with today’s range of sophisticated devices boasting many gigabytes of storage, one misplaced phone could result in a large chunk of your company’s data escaping into the wild.
It doesn’t just take loss or theft of the device for a ‘leak’ to occur. The increased screen size on tablets makes them perfect for working on the tube or train. But coupled with the boost in readability for the user comes the risk that your e-mails, presentations and documents are being read by your neighbours, who find themselves with nothing better to do than look over your shoulder. If someone is looking over your shoulder with malicious intent, they can quickly use their phone to snap an image of your screen, with apps available now that can use OCR to convert the photograph into editable text. Most would consider this a relatively minor concern in most cases, but with some of the most sensitive and live information residing in employees’ inboxes it is certainly worth reminding them that even a subject line read by the wrong person can do damage.
The enemy within
Arming employees with what are essentially small computers with ever-growing functionality is understandably tempting for businesses that embrace more mobile working and encourage flexible working hours, but as with any tool it can facilitate malicious behaviour including intellectual property (IP) theft. Documents can be uploaded to cloud storage services, e-mailed to any number of people or posted to social networking sites with astonishing speed and this activity is often much more difficult to track or restrict than more traditional methods of stealing data.
Even where the ‘out of the box’ functionality of a smartphone is considered an acceptable risk to the business, that functionality can often be augmented with the addition of third-party applications, or apps. There are a multitude of applications that may have legitimate uses but can also be misused. It doesn’t have to be the misuse of apps that causes data leakage; with an increasing number of apps available from a huge number of developers, can we be sure that the app itself can be trusted? It is common for IT to limit employee rights on the workstations they use, not allowing software to be installed unless it is approved and considered ‘safe’. This practice appears to be less common on the smartphones and tablets that are being rolled out and, of course, where employees are using their own devices they are free to install whatever apps they see fit.
Hand in hand with the rise in smartphone use, we are increasingly connected to social networking services such as Twitter and Facebook. Incidents of employees posting sensitive or embarrassing information to these sites are well documented and seemingly on the rise. The possible damage to brand and reputation caused by 140 characters or a poorly considered status update can be catastrophic. Access to these media through portable devices is increasing, and it is the responsibility of businesses to train or brief their employees to ensure that a simple mistake or foolish reference to the organisation doesn’t cause serious reputational damage.
The influx of smartphones and tablets to the workplace is inevitable, whether the devices are company provided or not. These devices certainly have the potential to improve productivity and often bring a presentation to life; however, if the appropriate usage policies are not introduced and security considerations are not taken into account, then these same devices could prove to be a double-edged sword. Most of the threats discussed in this article can be mitigated through proper and adequate education of employees and proper analysis of the security implications prior to rolling the devices out.