Your Corporate Risks Jump as Phones Get Smarter

Posted on Aug 24, 2011 | Tags:

"Smart" phones store massive quantities of data and can access corporate servers with ease. In fact, many of today's phones are able to store more information than earlier generation laptops. This increased capability brings increased risks. Information from the phones, or the actual devices, can be stolen and put your company at risk. Here are some steps to take to help minimize the potential damage posed by cellphones.

 


   Secure Data on Mobile Phones

 

The value of phones has changed significantly in the past 20 years. As a business tool, mobile phones can literally mean the difference between profit and loss. Not surprisingly, corporations around the world routinely issue them to ensure employes can conduct business and be reached at a moment's notice.

A Sure-Fire Mobile Phone Risk
-- And a Fire Risk
That Remains Unproven

    In addition to data theft, another serious mobile phone danger facing employers is when employees talk and text while driving.
   Research has consistently shown that distracted driving while talking on a cell phone is a primary cause of thousands of deaths annually and hundreds of thousands of injuries.   
   If an employee causes an accident while texting or talking on a cell phone in the normal course of the work day, your company could be found liable.
    All of Canada's provinces have distracted driving laws that ban either driving while talking on a hand-held cellphone or text messaging while driving.
   If your employees travel internationally, a long list of countries have banned talking and texting on cell phones while driving.
    With today's technology, in the event of an accident, evidence that the driver was talking or texting is easy to secure on "smart phones."

Is it Dangerous to Phone and Pump?

    Reports and rumours suggesting it is dangerous to use a wireless phone while pumping gasoline have not been proven. That is the latest word in the United States from the Federal Communications Commission (FCC.
   The reports may be fueled by warnings posted at gas stations -- some in Canada --  and included in some wireless phone manuals stating that the devices should not be used around fuel vapours. "There is no evidence that these reports are true," according to the FCC.
   One rumour describes incidents where consumers are injured by fires or explosions when they use their cell phones at gas stations. In these stories, a fire was reportedly ignited or an explosion occurred when an individual answered a ringing cell phone. Supposedly, an electrical spark from the phone ignited a fire or caused an explosion.
   The wireless industry has done studies on the potential for wireless phones to create sparks that could ignite flammable materials. According to the FCC, the studies generally conclude that while it may be theoretically possible under precise conditions, there is no documented incident where the use of a wireless phone was found to cause a fire or explosion at a gas station. Wireless phone manufacturers and fuel companies have issued warnings as a precaution.
   While any potential threat by wireless devices is remote, there are potential ignition sources at gas stations like static electricity.

In the past decade, telephones have evolved to the degree that they now posses the functionality of 'mini" computers. Unfortunately, the risk has also increased. "Smart" phones store massive quantities of data and can access corporate servers with ease. In fact, many of today's phones are able to store more data than laptops from bygone years.

Consequently, when a lost or stolen smart phone has enormously significant ramifications. And with current technology, it isn't even necessary to steal the actual device. Information can be stolen remotely. Just like botnets take over a computer, worms and other viruses can take over a phone.

With such high stakes, it's critical that your company take steps to protect itself and its information. Here are six steps your organization can take that will help lessen the damage corporate phones can cause.

1. Manage mobile devices with security in mind.

  • Lock user profiles. Most phones can be configured to be as secure as possible. Specifically, certain aspects of a user's ID or profile can be managed centrally and applied to all devices. 
  • Require passwords. This may seem overly simplistic, yet some organizations allow employees to use mobile devices without a password. Once the device is lost or stolen, the data can be accessed quickly and information removed via e-mail or transmitted to a cloud computing storage site. There is software available that lets you wipe clean a phone's memory once an incorrect password has been attempted a certain number or times. 
  • Ensure the "time out" feature is active. This feature sends the device to sleep after a predetermined length of inactivity and requires the password to start using it again. This feature should always be activated on corporate mobile phones. The longer a device is active or on standby, the greater the risk a third party can penetrate it. A timeout after two to five minutes of inactivity is normally prudent, although the actual timing may vary depending on your organization's needs.

2. Avoid Hotspots. Discourage employees from using public hotspots that provide wireless Internet access. They may be convenient, but they can be fraught with risk. In fact, hotspots in business districts are particularly vulnerable as they provide criminals with the opportunity to steal corporate data being transmitted and received, as well as steal the device if it is left unattended while the employee is, say, ordering a cup of coffee. Sometimes using a hotspot is necessary, but be sure your company's mobile devices are equipped with appropriate security.

3. Educate employees. Employees should acknowledge receiving a copy of your organization's mobile security policies and procedures and ideally, be formally tested on the contents. They should be made aware of mobile phone "do's and don'ts" including what they are required to do if the device is lost or stolen. Employees should understand the seriousness of the situation. However, they should not be so concerned with the ramifications that they fail to report the phone missing in the hopes it will go undetected.

4. Discourage downloading sensitive data. The probability that employees will lose or misplace a mobile device is high. They should be urged to store only information that is absolutely essential to their jobs. Before employees save information on their phones, they should evaluate the inherent risks and the ramifications for the company if the device goes missing.

5. Limit social media access. Social media sites such as Facebook, Twitter, YouTube and LinkedIn have inherent risks and have all been used to deliver malware. Consider prohibiting access to social media sites and  have "back-end" monitoring tools that block these sites. If your organization must have its employees access social media sites, it's a good idea to designate specific computers with extra security for that task.

6. Leverage technology.

  • Encrypt all mobile devices. Given the amount and sensitivity of the data that can end up stored on a mobile phone, consider encrypting the data, or "locking" it behind a door that can be accessed only by a specific key. There are a number of third-party encryption solutions available that are designed for specific phones. No solution is fool-proof, but encrypting a mobile device provides one more layer of security criminals must try to break through.
  • Deploy mobile security tools. Preventing the introduction of unauthorized software or malware can be accomplished by installing an anti-virus solution designed specifically for mobile devices. Many solutions come embedded with remote data-wiping capabilities, call blocking and occasionally encryption. Ensure that the maker of any mobile security you buy routinely provides updates to counter the latest threats. 
  • Install remote "detonation." In the event that a phone is reported stolen or missing, the functionality to remotely wipe or "detonate" the device should be installed. The peace of mind that such software can provide is tremendous, especially when a stolen or lost device in question has critical information such as the organization's list of customers, pricing policies, financial statements and other proprietary, confidential information.

Mobile phones can be a blessing, but they can also be a tremendous liability. Make sure you factor in the risk when planning for data security.