Posted by: Arian Eigen Heald
Data Breaches, Eigen's Rules of Thumb, Hardware & InfoSec, Mobile, Security
Cell phone companies are tempting us more and more with phones that act as PDAs (Personal Data Accessory??), send and receive email, surf the Web, have bigger capacity to store documents, are music players, cameras and oh, by the way: a phone. And in the coming years some have proposed utilizing your phone to pay bills and buy stocks.
It’s wonderful and terrible all at the same time. There is no standard procedure for wiping a phone’s information. Phone manufacturers have proprietary hardware, and have been extremely reluctant to release information to software developers who could provide us with a way to wipe the phone and its memory. As a result, we have millions of phones available with sensitive data, on an open market. Thank you manufacturers, for protecting the consumer? As usual, no one really thought about security, not to mention privacy.
Three years ago, Graham Clements – A managing director for a subsidiary of Japanese packaging multinational Ishida – decided to get rid of his BlackBerry and turned it in to his IT department for recycling. At the start of this month that BlackBerry was one of the top items on the agenda at the first board meeting that Clements had called since his return from vacation – because the data on it had come back to haunt him.
Instead of being recycled, the BlackBerry, like millions of other mobile devices every year, had been passed on to a company to be sold. On Clements’s device were business plans, details of customer relationships, information on the structure of the company, details of his bank accounts and details about his children. Ouch.
Fortunately, that BlackBerry was among several that were recovered from mobile phone recycling companies as part of a study into data loss on mobile devices. It’s a significant issue that many companies have not addressed. In a 2006 survey by the Business Performance Management Forum (BPMF), nearly half the respondents reported that at least 25 percent of all mobile devices in their organizations carry mission-critical information and applications.
Imagine having a computer that you could never wipe clean of any of your confidential business activities. Instead of recycling, we can only destroy the items. Mobile device security software commonly available can secure the device, but cannot wipe it. If anyone knows of a good wipe program, please drop me an email.
Some folks leave their SIM cards in the phone they return to corporate headquarters, along with their messages and documents. Taken any pictures on that phone you wish you hadn’t? That office Christmas party where your senior manager got drunk and acted up? They’re probably still there.
I’ve just thought of a new Rule of Thumb: There’s no such thing as DELETE on a cell phone/PDA/camera. We must act accordingly until assurance can be confirmed about wiping these devices. If it cannot be wiped, it must be destroyed, which is not exactly “green” in any corporate environment.
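The Rule of Thumb above rests on a mechanism worth seeing in code: on most storage, "delete" removes the directory entry and marks the blocks free, but the bytes stay on the medium until something overwrites them. The following is an added illustration written for this post, not code from the author or from any phone vendor. It models a toy block store (the `ToyFlash` class, block layout and sample contact record are all constructed for the example) and contrasts a plain delete with an overwrite-then-delete wipe, using a naive "carve the raw medium" scan to stand in for a recovery tool.

```python
"""Added example (not from the original post): why DELETE is not WIPE.

ToyFlash is a constructed model of a small block device with a directory
mapping names to block indices. It is not any real phone filesystem.
"""

BLOCK_SIZE = 16


class ToyFlash:
    """Fixed number of blocks plus a name -> block-list directory (constructed)."""

    def __init__(self, blocks: int = 8) -> None:
        self.medium = bytearray(BLOCK_SIZE * blocks)   # the raw storage cells
        self.free = list(range(blocks))                # free-block list
        self.directory: dict[str, list[int]] = {}      # name -> blocks used

    def write(self, name: str, data: bytes) -> None:
        needed = -(-len(data) // BLOCK_SIZE)           # ceiling division
        if needed > len(self.free):
            raise OSError("no space left on toy device")
        used = [self.free.pop(0) for _ in range(needed)]
        for i, blk in enumerate(used):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            chunk = chunk.ljust(BLOCK_SIZE, b"\x00")   # pad the last block
            self.medium[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = chunk
        self.directory[name] = used

    def delete(self, name: str) -> None:
        """The usual 'delete': drop the name, free the blocks, leave the bytes."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name: str) -> None:
        """Overwrite every data block with zeros, then release it."""
        for blk in self.directory[name]:
            self.medium[blk * BLOCK_SIZE:(blk + 1) * BLOCK_SIZE] = b"\x00" * BLOCK_SIZE
        self.delete(name)

    def carve(self, marker: bytes) -> bool:
        """Stand-in for a recovery tool: scan the raw medium, ignore the directory."""
        return marker in bytes(self.medium)


# Constructed sample record; the phone number is a fictional 555 number.
SAMPLE_RECORD = b"CONTACT:Jane Doe 555-0100"
MARKER = b"555-0100"


def delete_leaves_data() -> bool:
    """After a plain delete the directory is empty but the record is still carvable."""
    fs = ToyFlash()
    fs.write("contacts", SAMPLE_RECORD)
    fs.delete("contacts")
    return "contacts" not in fs.directory and fs.carve(MARKER)


def wipe_removes_data() -> bool:
    """After an overwrite-then-delete the record is no longer on the medium."""
    fs = ToyFlash()
    fs.write("contacts", SAMPLE_RECORD)
    fs.wipe("contacts")
    return "contacts" not in fs.directory and not fs.carve(MARKER)


if __name__ == "__main__":
    print("plain delete leaves data recoverable:", delete_leaves_data())
    print("overwrite-then-delete removes it:   ", wipe_removes_data())
```

The toy keeps the honest part of the lesson and drops the hard part. On real flash a controller remaps writes (wear levelling), so an in-place overwrite from the application layer may land in a new physical cell while the old one keeps the data; that is why the post's conclusion, that a device you cannot verifiably wipe has to be treated as unwiped, holds even when a "secure delete" feature is offered.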
My old one (a Palm) is in my desk drawer, kept for parts because my spouse is still using a Palm. Where’s yours? What was on it?