More and more employees are bringing personal mobile devices, such as media players, flash drives, and smartphones, to work for entertainment, communications, and other purposes. Equally, many employers issue their staff with such devices to allow them to be more mobile and to run business applications as part of their job.
This explosion of personal devices with built-in web connectivity, office applications, and email can improve working practices, but it also comes with risks that are not limited to time wasting. The portability, connectivity, and storage capacity of mobile devices mean they bring with them the threat of data leakage, data theft, and the introduction of viruses or other malware into workplace computing systems.
Computer scientists Sean Garrity and George Weir of the University of Strathclyde, in Glasgow, Scotland, writing in the International Journal of Electronic Security and Digital Forensics, outline some of the problems associated with the enormous growth in mobile technology and explain how those concerns might be addressed.
Portable storage devices of every ilk, whether MP3 player or mobile phone, now have several ways of connecting to other devices and networks, including Wi-Fi, Bluetooth, and USB. Many of these devices also now have several gigabytes of storage capacity, often expandable, and so can capture vast quantities of data, whether for legitimate work purposes or for illicit use.
Business organizations are rightly concerned about the loss or disclosure of intellectual property or sensitive information about customers and employees, explain Garrity and Weir. "Mission critical data must be protected in order to maintain business operations," they say. "The public scrutiny, embarrassment, financial and judicial penalties resulting from data leaks are a major concern, and access control are among the most critical issues," they add. "However, the widespread use of personal data storage devices is an ever-present risk for management to lose control over the flow of business and non-business information into and out of the enterprise."
The researchers suggest that there are several measures that an organization might take to remove undue risk. The first, and perhaps most draconian, is simply to ban personal storage devices from the workplace. Such an approach might be appropriate for staff employed in roles where communications and access to information are not required, but it is likely to be unworkable for members of a sales force, for instance. Less severe would be to limit the applications and connectivity allowed on mobile devices from a central position of control.
A more holistic approach would be to give staff security training to ensure devices are used securely; however, this does not preclude malicious use or theft. The team points out that many of the risks associated with personal storage devices are not new. However, the speed of adoption and ubiquity in the workplace of such devices, coupled with increasing sophistication and consumer willingness to adopt advances, will continue to pose threats to business security. "Vendors are seeking to develop products that assist organizations to discriminate between legitimate and illegitimate use of devices in compliance with organizational security policies," the team says. However, no complete solution to information leakage is ever likely to be possible.
"Balancing the threat of personal technology in the workplace" in International Journal of Electronic Security and Digital Forensics, 2010, 3, 73-81.