
Is that a data breach in your pocket?

Adam Harrison, Computer Forensics Consultant, Kroll Ontrack

With the meteoric rise of tablets and smartphones, it is inevitable that their presence in the workplace is also increasing, but are we fully aware and comfortable with the risks?

For years BlackBerry® smartphones have been the de facto tool when it comes to mobile business communication, but the advanced functionality and fashionable nature of various Android™ and iOS™ devices have tempted a number of companies to adopt them as alternatives. With Research in Motion®’s offering in the world of tablets - the BlackBerry® Playbook - now on the scene, we can expect this trend to continue. Even companies that do not provide tablets and smartphones to their employees can still expect that a significant number are carrying them in their pockets on a daily basis and possibly using them for business purposes.

Policies relating to the use of business equipment and resources for non-business purposes are common in most organisations; however, relatively few policy-makers seem to recognise the need to instruct employees on the extent to which they should or should not use personal devices for business purposes. The key risk associated with this activity of course relates to data loss; copies of e-mail and documents stored on employees’ tablets and smartphones run the risk of falling into the wrong hands should these small devices, which are easy to misplace or steal, go missing. In the past, the damage possible through loss of a mobile device was limited by how little you were able to store on it, but with today’s range of sophisticated devices boasting many gigabytes of storage, one misplaced phone could result in a large chunk of your company’s data escaping into the wild.

It doesn’t just take loss or theft of the device for a ‘leak’ to occur. The increased screen size on tablets makes them perfect for working on the tube or train. But with the boost in readability for the user comes the risk that your e-mails, presentations and documents are being read by neighbours who find themselves with nothing better to do than look over your shoulder. Most would consider this a relatively minor concern in most cases, but with some of the most sensitive and live information residing in employees’ inboxes it is certainly worth reminding them that even a subject line read by the wrong person can do damage.

The Enemy Within

Arming employees with what are essentially small computers with ever-growing functionality is understandably tempting for businesses that embrace more mobile working and encourage flexible working hours, but as with any tool it can facilitate malicious behaviour including intellectual property (IP) theft.  Documents can be uploaded to cloud storage services, e-mailed to any number of people or posted to social networking sites with astonishing speed and this activity is often much more difficult to track or restrict than more traditional methods of stealing data.

Even where the ‘out of the box’ functionality of a smartphone is considered an acceptable risk to business, that functionality can often be augmented with the addition of third party applications, or apps. There is a multitude of applications that may have legitimate uses but can also be misused. It doesn’t have to be the misuse of apps that causes data leakage; with an increasing number of apps available from a huge number of developers, can we be sure that the app itself can be trusted? It is common for IT to limit employee rights on the workstations they use, not allowing software to be installed unless it is approved and considered ‘safe’. This practice appears to be less common on the smartphones and tablets that are being rolled out, and of course where employees are using their own devices they are free to install whatever apps they see fit.

Social Networking

Hand in hand with the rise in smartphone use is an increased degree to which we are connected to social networking services such as Twitter and Facebook. Incidents of employees posting sensitive or embarrassing information to these sites are well documented and seemingly on the rise. The possible damage to brand and reputation caused by 140 characters or a poorly considered status update can be catastrophic. Access to these mediums through portable devices is increasing and it is the responsibility of businesses to train or brief their employees to ensure that a simple mistake or foolish reference to the organisation doesn’t cause serious reputational damage.

Conclusion

The influx of smartphones and tablets to the workplace is inevitable whether the devices are company provided or not. These devices certainly have the potential to improve productivity and often bring a presentation to life; however, if the appropriate usage policies are not introduced and security considerations are not taken into account, then these same devices could prove to be a double-edged sword. Most of the threats discussed in this article can be mitigated through proper and adequate education of employees and proper analysis of the security implications prior to rolling the devices out.

Adam Harrison is a Computer Forensics Consultant at Kroll Ontrack's office in London

 

Disclaimer
This document is neither designed nor intended to provide legal or other professional advice but is intended merely to be a starting point for research and information on the subject of legal technology. While every attempt has been made to ensure accuracy of this information, no responsibility can be accepted for errors or omissions. Recipients of information or services provided by Kroll Ontrack shall maintain full, professional, and direct responsibility to their clients for any information or services rendered by Kroll Ontrack.

BlackBerry® & BlackBerry® Playbook is owned by Research In Motion Limited and is registered in the United States and may be pending or registered in other countries. Kroll Ontrack is not endorsed, sponsored, affiliated with or otherwise authorised by Research In Motion Limited. IOS is a trademark or registered trademark of Cisco in the U.S. and other countries and is used under license.

