How sensitive company data leaks onto mobile devices in business

Expert Peter Wood explains the top five ways sensitive information can get onto mobile devices, and what policies need to be in place to prevent data exposure.

The use of consumer technology such as smartphones and tablets is now common in the workplace. Whilst many businesses provide and administer smartphones for employee use, in most cases, the devices themselves are still owned by individual employees, eroding the boundary between personal and business computing. In many organisations, IT staff are obliged to permit personal mobile devices in business to connect to corporate networks, often undermining existing security controls.

How does corporate information get onto consumer devices? 
There are several ways by which sensitive company data could seep onto employee-owned devices, but the following are generally the most likely:

1. When an employee adds his or her company email details to a smartphone, suddenly the personal device is storing sensitive corporate data, as well as all the employee's private information. If the phone is an iPhone or a BlackBerry, the employee will probably synchronise it with his or her personal computer, and, of course, iPad too, potentially adding even more sensitive data.

2. Google Docs, along with file-sharing services like Dropbox, and the apps that work with them, such as Documents To Go or Quickoffice, present another avenue for organisational data to spread onto employees' mobile devices.

3. Instant messages and text messages can contain sensitive information that could be unwittingly stored on a mobile device, especially if an attachment is involved.

4. Working collaboratively with colleagues whilst travelling is popular, and, thus, employees will often copy business information directly from a desktop or laptop to a smartphone, which provides them with a convenient way to collaborate. Of course, it also loads the mobile device with potentially sensitive data.

5. Remote access to corporate networks is increasingly common, with many handheld devices supporting VPN software. Once connected via a VPN, a smartphone becomes a node on the internal network with all the rights and privileges of its user, making it simple to copy data to the phone's local storage.

What are the risks of corporate information on consumer devices?
When it comes to security, mobile devices that contain sensitive data could put all that data at risk, unless the appropriate controls are in place. Worryingly, many users do not protect their phones with a PIN or password, leaving all the information on the device exposed to anyone who picks it up. Even worse, if the device supports remote access, the data on corporate servers may be vulnerable, too.

A survey by vendor Sophos in April 2011 of over 1,000 consumers found 28% were actively encouraged by their employers to use personal devices at work. However, 30% said their companies did not have a security policy in place to protect information on personal devices used for work purposes.

What controls are needed to reduce the risks?
A company's acceptable use policy must be updated to embrace smartphones and tablets as well as to illustrate that everyone benefits from making consumer devices secure. Employees should understand their personal data, such as bank details, logons and private emails, needs to be secure just as much as the business information on mobile devices.

A policy should also clarify who owns the data on the consumer devices and what users’ responsibilities are. The policy should require users to:

  • Register their personal devices before using them for company business.
  • Notify the company if their devices are lost or stolen.
  • Protect their devices with a secure password.
  • Only access the company network using an approved method, such as a VPN.
  • Install (and keep updated) security software, such as antimalware and remote-wipe applications.

In addition, you may wish to restrict the sensitivity of information that employees can access on their devices, especially if you have protectively marked data.

One way to restrict the types of corporate data that reside on consumer devices without opening the floodgates is to use technologies like Microsoft's ActiveSync, which permits users to manage their mail, contacts and calendars on their smartphones and iPads without a direct connection to the corporate network.

Apple’s iOS products (iPhone, iPad and iPod touch) support Cisco IPSec VPN protocols, providing a secure option for remote access (Juniper Networks and F5 Networks offer similar competing products). With the release of iOS 4, iPhones and iPads offer enterprise-quality access controls and policy enforcement comparable to those offered on a BlackBerry.

The company and its employees must strike a deal that enables the application of adequate security controls to consumer devices in return for permitting access to corporate data. The trick is to identify the controls that will enforce the corporate security policy without driving a wedge between the business and its users. The alluring nature of recent consumer technologies has captured the imaginations of users, encouraging them to use the devices as more than phones and PDAs and really explore their capabilities. This can be great news for organisations that embrace the technologies – enabling greater productivity, more creative results and flexible working.

Rather than permitting this wave of consumerisation to sweep over the organisation, however, research the technologies available and the controls they offer. Perhaps start by offering access to mail and diary systems to a trial group, then monitor their behaviour and build your experience before committing further. Limit VPN access to devices you know offer secure client software, and ensure you deploy strong authentication to compensate for the potential weaknesses in consumer platforms. Most importantly, experiment with the technologies yourself and ensure you understand the strengths and weaknesses of each platform.

About the author:
Peter Wood is CEO at First Base Technologies, an ethical hacking firm based in the UK. Peter founded First Base in 1989 and has hands-on technical involvement in the firm on a daily basis, working in social engineering, network penetration testing and skills transfer. Peter is also a world-renowned speaker and security evangelist.
