Today’s Phones=New Risks for Businesses

Today’s Phones= New Risks for Businesses

September 2011

The value of phones has changed dramatically in the last 20 years. As a business tool, they can literally mean the difference between profit and loss. Not surprisingly, corporations around the world routinely issue mobile phones to employees in order to ensure that staff members can conduct business and be reached at a moment’s notice.

In the last decade, phones have evolved from merely receiving and making calls to possessing the functionality of “mini” computers. Unfortunately, the risk has also increased. “Smart” phones store massive quantities of data and can access corporate servers with ease. In fact, many of today’s phones are able to store more data than laptops from bygone years.

Consequently, when a smart phone is lost or stolen, the ramifications can be significant. The actual device doesn’t have to be stolen either. Information can be stolen remotely. Just like botnets take over a computer, worms and other viruses can take over a phone.

There are a number of steps that your organization can take to help lessen the damage company phones can cause.

1. Manage company-owned mobile devices consistently and with security in mind.

Lock user profiles. Most phones can be configured to ensure that they are as secure as possible. Specifically, certain aspects of a user’s ID or profile can be managed centrally and applied to all devices.

Mandate a password. This step may seem overly simplistic, yet some organizations allow employees to use mobile devices without a password. Once lost or stolen, the data can be accessed quickly and information removed via e-mail or transmitted to a cloud computing storage site. You may be able to use software that “wipes” a phone’s memory once an incorrect password is attempted a certain number of times.

Ensure the “time out” feature is activated. Mobile phones should always have this feature activated. It sends the device to “sleep” and triggers a need to enter the device’s password. The longer a device is able to remain “awake,” the greater the risk that a third party will be able to access it. Depending on your organization’s needs, a timeout feature that is activated within to 2 to 5 minutes is normally prudent.

2. Engage employees. Discourage the use of public “hotspots,” which provide wireless Internet access. Although it is convenient to do so, accessing a public hotspot can be fraught with risk. In fact, hotspots in business districts are particularly vulnerable as they provide would-be criminals with the opportunity to steal corporate data being transmitted and received, as well as steal the device itself if left unattended. Of course, sometimes it is necessary to use a hotspot but your company’s mobile phones should be equipped with the appropriate security.

3. Educate employees. Employees should acknowledge receiving a copy of your organization’s mobile security policies and procedures and ideally, be formally tested on the contents. They should be made aware of mobile phone “do’s and don’ts” including what they are required to do if the device is lost or stolen. Employees should understand the seriousness of the situation. However, they should not be so concerned with the ramifications that they fail to report the phone missing in the hopes it will go undetected.

4. Discourage downloading of sensitive data. The probability that employees will lose or misplace a mobile device is significant. They should be encouraged to only store information that is absolutely essential to their roles with your organization. Before employees save information on their phones, they should evaluate the inherent risks of doing so and the ramifications for the company in the event their device goes missing.

5. Social media policy. The explosion in social media does not come without risk. Facebook, Twitter, YouTube and LinkedIn have all been used by fraudsters to deliver malware. Your company should consider prohibiting access to social media sites and also have “back-end” monitoring tools that block these sites. For organizations that require employees to access social media, consider designating specific computers for that task that have extra security in place.

6. Leverage technology.

Encrypt all mobile devices. Given the amount and sensitivity of the data that can end up stored on a mobile phone, consider encrypting the data, or “locking” it behind a door that can only be accessed by the appropriate “key.” There are a number of third party encryption solutions available that are designed for specific types of phones. No solution is fool-proof, but encrypting a mobile device provides one more layer of security that must be overcome by criminals.

Deploy mobile security tools. Preventing the introduction of unauthorized software or malware can be accomplished by installing an anti-virus solution designed specifically for mobile devices. Many solutions come embedded with remote data wiping capabilities, call blocking and occasionally encryption. Before any mobile security is purchased, ensure that the manufacturer routinely provides updates to counter the latest threats.

Install remote “detonation.” In the event that a phone is reported stolen or missing, the functionality to remotely wipe or “detonate” the device should be installed. The peace of mind that such software can provide is tremendous, especially when a stolen or lost device in question has critical information such as the organization’s list of customers, pricing policies or financial statements etc.

Mobile phones can be a blessing when they are in the possession of employees, but they can also be a tremendous liability. Make sure you factor in the risk when planning for data security.

A Sure-Fire Mobile Phone Risk
— and One Fire Risk
that Is Unproven

    In addition to data theft, another serious mobile phone danger facing employers is when employees talk and text while driving.
The National Highway Traffic Safety Administration has attributed “distracted driving” as the primary cause of thousands of deaths annually and hundreds of thousands of injuries. If an employee causes an accident while texting or talking on a cell phone in the normal course of his or her work day, your company could be found liable.
Numerous states have implemented laws that ban texting while driving. Over time, a texting ban is likely to become law in all 50 states.
If your employees travel internationally, a long list of countries have banned talking and texting on cell phones while driving.
With today’s technology, in the event of an accident, evidence that the driver was talking or texting is easy to secure on “smart phones.”

Is it Dangerous to Talk on a Phone While Pumping Gas?

    The Federal Communications Commission (FCC) alerted that reports and rumors suggesting it is dangerous to use a wireless phone while pumping gas have not been proven.
The reports may be fueled by warnings posted at gas stations and included in some wireless phone manuals stating that wireless phones shouldn’t be used around fuel vapors.
“There is no evidence that these reports are true,” according to the FCC.
   
One rumor describes incidents where consumers are injured by fires or explosions when they use their cell phones at gas stations. In these stories, a fire was reportedly ignited or an explosion occurred when an individual answered a ringing cell phone. Supposedly, an electrical spark from the phone ignited a fire or caused an explosion.
The wireless industry has done studies on the potential for wireless phones to create sparks that could ignite flammable materials. According to the FCC, the studies generally conclude that while it may be theoretically possible under precise conditions, there is no documented incident where the use of a wireless phone was found to cause a fire or explosion at a gas station. Wireless phone manufacturers and fuel companies have issued warnings as a precaution.
While any potential threat by wireless devices is remote, there are potential ignition sources at gas stations like static electricity.