Licensed private investigator and forensic consultant Luke Athens offers some tips you should consider to protect yourself if you don't have a policy in place.
As more and more portable electronic devices are introduced into the enterprise environment through BYOD (bring your own device) policies, the risk to the company grows – and not just from the standpoint of viruses and malware. Intellectual property is now the biggest issue that needs to be addressed.
Identifying the risks in your working environment requires a simple probability calculation based on several considerations. Any device that is introduced into the workplace can be considered a BYOD, and this commonly includes laptops, USB devices, mobile phones, tablets, memory cards and dongles.
So what risks apply when introducing BYODs into the office environment? This article breaks the risks down into two categories: security and intellectual property.
If your company has no electronic device or BYOD policy in place, you are effectively opening all the doors and windows to your enterprise and allowing people to enter at any time they wish. Just like a cold or flu, a digital virus can be transmitted from one person to another via simple contact, and in some cases can be transmitted through the air to another victim.
Whenever you bring a device into your workplace or when a BYOD connects remotely with your system, it has the potential to infect other connected devices. This is a major security issue for your business and the privacy of your valued clients.
There are now more mobile electronic devices in the world than computers. And hackers are now concentrating more on penetrating mobile devices than “regular” computers. In part this is due to the recent increase in the quantity of flash memory in mobile devices. Mobile banking has become increasingly popular for small businesses, and the sheer amount of personal data stored on a portable device makes it a more interesting target.
Portable mobile devices are likely to connect with more surrounding environments more frequently, and this has the potential to spread a virus more quickly than a single attack on a server or single PC. Just keep in mind when connecting a portable device to your local environment that malware and viruses can travel in both directions. So if a server or PC is compromised and you connect your handset, the infection can spread to the handset - and vice versa.
In some cases a user who connects a device to the workplace can override security protocols, leaving the business at risk if the correct policies are not present. Viruses, malware and trojans are becoming more sophisticated, hiding code so that scans and security processes will report a file as clean even though it’s actually harmful.
Most problems and hacks occur due to poor staff training and knowledge. So it is vital in any organisation to educate employees on the basic issues. Here are some tips:
1. Educate staff via workshop training programmes and policies (prevention is the best cure).
2. Don't jailbreak an iOS (Apple) device; this is a process that removes the integrity and security components of the handset.
3. Don't root (Android) devices as this removes the integrity and security components of the device.
4. Ensure you have a single unified security platform that is able to communicate across all devices. This reduces the risk of external viruses being introduced into the workplace environment.
5. Systems such as remote wipe functions for mobile phones and location services should be enabled. In this way, if a portable device is stolen or misplaced, you can delete the data so it doesn't end up in the wrong hands.
6. Ensure that a complex password policy is enforced along with an auto lock feature.
7. Consider your next mobile. Don't just pick a phone because of its design, think about the security components. One mobile to consider is the Blackphone 2 from Silent Circle.
Intellectual property (IP) refers to creations of the mind, such as inventions, literary and artistic works, designs, and symbols, names and images used in commerce. It also includes information gathered by your company, such as your client database.
Most companies that contact us about intellectual property theft today are concerned about internal threats: employees who might take a company’s client list with them when they leave. That said, this is more common in certain industries than others.
Another major issue causing clients to come to us is when they have been hacked. This is where your policy and procedures should have saved you! However, most companies do not enforce or have policies to protect their sensitive intellectual property.
I'm amazed how many companies today do not have even basic policies in place. Most small- to medium-size businesses believe they are doing the right thing by having some basic security software and that this should protect them. As a minimum, you should have a daily backup policy, perhaps an offline backup system, and passwords and/or encryption. Think about minimising who has access to your client database.
We understand that your staff may need client information to conduct their day-to-day activities; however, there are other alternatives. Logs and transfer details should be stored so that you can identify who transferred data, when, for how long and how much during any employee login.
If staff are aware that everything is logged and recorded, we dramatically reduce the risk of intellectual property theft from within.
If you need advice, systems, policies or staff training feel free to contact Luke Athens.
International Intelligence Agency
1300 738 400