The latest mobile gadgets are so powerful, even their makers are worried that they pose a security risk.
Devices such as music players, memory sticks and smart phones are capable of holding increasing amounts of data. And the very design features that set out to make these devices easy to use also make them a potent vehicle for corporate espionage.
The scale of the problem is illustrated neatly by reports that Ki-Tae Lee, CEO of Samsung Electronics’ telecoms division, has banned his own staff from using the company’s flagship SGH-B570 camera phone. With an 8Gb internal hard disk, Mr Lee feared that a single phone could smuggle out all the company’s confidential data.
Samsung’s Mr Lee is not alone in worrying about exactly what information staff, visitors and contractors might be storing on handheld devices.
According to a report by Deloitte, the professional services firm, 52 per cent of companies in the telecoms, media and technology (TMT) sector fear theft of intellectual property. And they have grounds to worry: as much as 70 per cent of movies appearing on file-sharing websites are understood to have been leaked by studio employees.
This is prompting companies to take increasingly draconian steps to control the use of smart phones, music players, memory sticks and other personal technology.
According to Donal Casey, security consultant at technology reseller Morse, some clients have gone as far as to put superglue into USB ports, in order to render them useless. “Although this sounds a little crazy, many organisations have resorted to this action. The downside is that it also means that legitimate devices like USB mice and keyboards can’t be used,” he says.
More technologically adept solutions are available, although again companies need to strike a balance between protection and practicality.
Software is available that can lock down USB ports, or restrict their use to innocuous devices, such as a keyboard, or to “known” devices authorised by the IT department.
Almost all removable computer hardware has a unique serial number of some sort. Even where a company’s security software cannot read a serial number on a device, it can be configured to allow only authorised devices whose identity is known, such as a USB memory device with a computer-readable serial number that has been logged by IT. For added security, a USB device with a fingerprint reader at least ensures that if someone does copy data onto it, only they can read it.
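The allow-list approach just described can be sketched in a few lines. The following is an added illustration, not code from the article or from any product it mentions: a small policy engine that looks at a plugged-in device’s vendor ID, product ID, USB interface class and serial number, lets keyboards and mice through on class alone, and otherwise allows only devices whose serial the IT department has registered. The vendor/product IDs, serials and the `APPROVED_DEVICES` table are constructed sample values.

```python
"""Added example: a minimal USB device-control allow list (not from the article).

Policy, in order of evaluation:
  1. HID-class devices (keyboards, mice) are allowed without identification,
     so ordinary peripherals keep working.
  2. A device that reports no serial number cannot be identified and is denied.
  3. A device is allowed only if (vendor_id, product_id, serial) is on the
     IT-maintained list; everything else, including unknown mass storage, is denied.
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# USB interface class codes defined by the USB specification.
HID_CLASS = 0x03           # keyboards, mice
MASS_STORAGE_CLASS = 0x08  # memory sticks, card readers, external disks


@dataclass(frozen=True)
class UsbDevice:
    vendor_id: int
    product_id: int
    interface_class: int
    serial: Optional[str]  # None when the device reports no serial string


# Hypothetical register kept by IT: one issued, logged memory stick (constructed values).
APPROVED_DEVICES = {
    (0x0781, 0x5567, "4C530001230515101234"),
}


def decide(dev: UsbDevice, approved=APPROVED_DEVICES) -> Tuple[str, str]:
    """Return ("allow" | "deny", human-readable reason) for one attached device."""
    if dev.interface_class == HID_CLASS:
        return "allow", "HID class (keyboard/mouse) permitted without identification"
    if dev.serial is None or not dev.serial.strip():
        return "deny", "device reports no serial number and cannot be identified"
    if (dev.vendor_id, dev.product_id, dev.serial) in approved:
        return "allow", "serial matches an IT-registered device"
    return "deny", "device is not on the approved list"


def audit_line(dev: UsbDevice, verdict: Tuple[str, str]) -> str:
    """Format one log line so blocked-device attempts can be reviewed later."""
    action, reason = verdict
    serial = dev.serial if dev.serial else "<none>"
    return (f"usb-control action={action} vid={dev.vendor_id:04x} "
            f"pid={dev.product_id:04x} class={dev.interface_class:02x} "
            f"serial={serial} reason=\"{reason}\"")


if __name__ == "__main__":
    # Constructed sample of devices being plugged in.
    samples = [
        UsbDevice(0x046D, 0xC31C, HID_CLASS, None),                      # keyboard
        UsbDevice(0x0781, 0x5567, MASS_STORAGE_CLASS, "4C530001230515101234"),  # issued stick
        UsbDevice(0x0781, 0x5567, MASS_STORAGE_CLASS, "4C53000999999999ZZZZ"),  # same model, unknown serial
        UsbDevice(0x1234, 0x0001, MASS_STORAGE_CLASS, None),             # no serial at all
    ]
    for d in samples:
        print(audit_line(d, decide(d)))
```

The third sample is the case the article hints at: a stick of the same make and model as an approved one is still denied, because the decision is keyed on the individual serial rather than on the product. Denying devices with no serial is the conservative choice; a real deployment would need a documented exception process for peripherals that fall into that gap.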
Such measures, though, need to go hand in hand with robust policies governing who has access to which company files, according to Ollie Whitehouse, a security specialist at Symantec. “If you have implemented the right file permissions, a user will not be able to gain access to copy a file that they don’t have access to in their day to day role,” he says.
This way, someone in human resources should not be able to access engineering data, and a software developer would not have access to personnel records. Adopting a file-based rather than a device-based approach to security has the added advantage of being future-proof.
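To make the file-based approach concrete, here is an added example (not from the article or from Symantec) of a deny-by-default access check that maps a role to the share roots it may read. The roles, share paths and file names are assumptions chosen to match the HR/engineering illustration above; the one non-obvious part is that the check normalises the path first, so a request such as `/shares/personnel/../engineering/design.doc` is judged on where it actually lands rather than on how it is spelled.

```python
"""Added example: deny-by-default, role-based read check over file share paths.

ROLE_SHARES and the sample paths are constructed for illustration.
"""
from typing import Dict, Tuple

# Hypothetical mapping of role -> share roots that role may read.
ROLE_SHARES: Dict[str, Tuple[str, ...]] = {
    "hr": ("/shares/personnel",),
    "engineering": ("/shares/engineering", "/shares/build-artifacts"),
}


def normalize(path: str) -> str:
    """Collapse '.', '..' and empty segments so the check sees the real target."""
    parts = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if parts:
                parts.pop()
            continue
        parts.append(seg)
    return "/" + "/".join(parts)


def is_under(path: str, root: str) -> bool:
    """True if path is root itself or lies strictly inside it.

    The trailing '/' matters: '/shares/personnel-archive' must not match
    a root of '/shares/personnel' on a plain string prefix.
    """
    p, r = normalize(path), normalize(root)
    return p == r or p.startswith(r + "/")


def can_read(role: str, path: str, roles=ROLE_SHARES) -> bool:
    """Deny unless the role has an explicit share root covering the path."""
    for root in roles.get(role, ()):
        if is_under(path, root):
            return True
    return False


if __name__ == "__main__":
    requests = [
        ("hr", "/shares/personnel/reviews/2005.xls"),
        ("hr", "/shares/engineering/design.doc"),
        ("hr", "/shares/personnel/../engineering/design.doc"),
        ("engineering", "/shares/engineering/design.doc"),
        ("contractor", "/shares/engineering/design.doc"),
    ]
    for role, path in requests:
        print(f"{role:12s} {path:45s} -> {'allow' if can_read(role, path) else 'deny'}")
```

Because the decision is made on the file, not on the device that will carry it, the same check applies whether the copy target is a memory stick, a phone, or a network-attached drive of the kind discussed below.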
Although much of the current emphasis among IT departments is around USB devices, other technologies could be even more damaging. Network-connected hard drives, for example, cost just a few hundred pounds and can be as small as a good dictionary. Such devices do not use USB ports, but connect to either a fixed or wireless network. Blocking USB ports will not prevent their use.
But increasingly, the focus of information security specialists’ concerns is moving towards mobile phones. The mobile phone, especially in its smart phone or wireless PDA incarnation, is becoming the IT equivalent of the Swiss army knife.
A mainstream mobile device such as HP’s iPaq Messenger – a competitor to the BlackBerry – comes with its own internal memory, slots for two memory cards, USB, Bluetooth and GPRS (2.5G) mobile connections; the latest models also have WiFi and some versions have a camera. Other devices from makers such as Palm and HTC have similar capabilities.
The subsidy model, whereby the up-front cost of a smart phone is offset by the mobile operator, means that take-up of the devices is growing rapidly. The race by manufacturers to add functions such as music players or mobile television will only boost the use of high-end mobiles. To run these applications, phones need the powerful processors and extra memory that also make them a threat to data security.
On the plus side, because high-end mobile phones are based on an extendable operating system such as Windows Mobile or Symbian, companies can install additional security measures. Devices such as music players run proprietary operating systems with few, if any, security measures (although the almost ubiquitous iPod does have a password function).
Being able to add security measures at least offers the prospect of dealing with one of the other great headaches posed by portable gadgets: that of company information falling into the wrong hands because a device is lost or stolen. If staff have a legitimate requirement to put data on to a mobile device, but it then falls into the wrong hands, the damage can be as great as deliberate data theft.
It is perfectly possible to set up high-end PDAs and smart phones with security measures that are close to those available for laptops. These could include password or even biometric authentication, and encryption for the internal memory and removable data cards.
“Organisations have hardened security on these devices, but these are devices that are handed out in a controlled manner. The problem remains that you can buy these devices yourself very easily, and companies then have no control over them,” says James Alexander, a director in the enterprise risk service group at Deloitte.
For ultimate security, Deloitte has found companies, even with supposedly informal working environments such as media and entertainment, resorting to the “clean room” policies more readily associated with defence or biotechnology companies. “It might sound draconian, but some organisations are now saying that you cannot take something like an iPod onto their premises, or at least into that part of the organisation that handles sensitive data,” says Mr Alexander.