With remote working becoming more common, many businesses are looking for ways to help workers stay connected on the move. The most common solution is to provide workers with ‘Smartphones’ or Personal Digital Assistants (PDAs), which allow users to send email, surf the internet and manage online task lists and calendars directly. But as such devices become ubiquitous, the security risk they pose is all too often overlooked.

The biggest threat to corporate security can occur if a Smartphone is lost or stolen. In such cases, a malicious user could find themselves with unfettered access to text messages, contact lists and emails, all of which could have the potential to compromise your brand. In addition, most Smartphone devices come with a document reader to allow users to view documents. While this is convenient for workers on the move, it also means that a large amount of sensitive data could be stored on the device without a password.

For these reasons, it is important to introduce an acceptable use policy and ensure that all end users are made aware of its requirements and the implications of poor data handling offsite. As a minimum, the policy should require that the SIM card and access to the device itself are password protected, and should clearly assign users the responsibility to properly protect the device outside of the workplace.

In addition, an acceptable use policy should ensure that all files are password protected if sent over email. If a file received by a PDA user is not password protected, it should be made the recipient’s responsibility to password protect it before saving it to the device. Further, the acceptable use policy should make it clear what information can and cannot be stored on the device, which may include prohibiting the storage of highly sensitive information on the device altogether.

It is also wise to prohibit users from connecting the device to unsecured networks, as this could leave them open to intrusion from unauthorised users who could access sensitive data. Users should also be instructed not to download files from unknown sources. Malware is as much of a threat to such handsets as it is to desktop computers, and could allow malicious users to gain control of the device and access information stored on it.

In addition, if an infected device is later connected to the employee’s computer, this could pass the malicious software into the network, further compromising the company’s security. For this reason, it is important to install antivirus and firewall software on any PDA devices that connect to the internet, just as you would with a desktop computer.

It is also wise to ban the use of personally owned PDAs for business use, as they cannot be as closely monitored as business-owned devices. Equally, if an employee leaves the company, it is important to ensure that the device is returned immediately to prevent the risks associated with data theft.

It is clear, then, that businesses should not underestimate the risk posed by Smartphones and should seek expert advice from a professional - such as a computer forensic expert - before issuing, or allowing the use of, such devices.

IntaForensics is a BS EN ISO 9001:2000 registered firm providing Computer Forensics, Expert Witness, Mobile Phone Forensics, and Forensic Data Recovery to the Legal Sector, Police Forces, Local Authorities and Commercial organisations internationally. Visit Computer Forensics for further information.
