You can prove the importance of physical security in an “era of mobility” by asking yourself a simple question: “Do you know anyone who recently lost his cell phone?”
The most important element of mobile data is, in fact, its external mobility. Mobile data is the end result of any process that moves data from point to point beyond the system from which it originated. Data becomes mobile the moment it moves outside a closed or contained system. At that point, we lose the ability to completely manage the environment in which it exists. It is no longer stationary and no longer confined in its constrained environment.
Here are some examples of data-on-the-move:
- Copying a presentation file to a flash drive
- Posting company information onto a Web page or social media site
- Synchronising your calendar, e-mail, and contacts to a smartphone or PDA
- Taking pictures of coworkers and posting them to an online photo site
- Copying the company’s address book to a smartphone
A mobile device can be any of the following:
- Laptop computers
- Cell phones and smartphones
- Personal digital assistants (PDAs)
- Portable media players
- Digital cameras
- USB-based storage drives, commonly referred to as flash drives
- Recordable CDs and DVDs
- Wearables and “Smart Toys”
As each generation of portable electronic devices and storage media becomes smaller, higher in capacity, and easier to transport, it’s becoming increasingly difficult to protect the data on these devices while still enabling their productive use in the workplace.
While many phones are simply lost by their owners, an even greater number are actually being stolen. A smartphone is easy to steal and worth hundreds of dollars upon resale, but the device itself is not the only target the thieves are after. The information on the device may be as important as the device itself. Many people use their phone as their wallet or purse. A smartphone will not only contain enough information to assist in identity theft, but can contain credit card information as well. “A lot of younger folks seem to put their entire lives on these devices” (Collins, 2012).
Health Insurance Portability and Accountability Act (HIPAA) violation complaints have “spiraled upward” since 2013. Healthcare organisations are using a growing number of mobile devices including tablets, smartphones, and laptops, which has meant that there’s a greater risk of data being lost or stolen. Healthcare organisations need to ensure that the proper administrative, physical, and technical safeguards are applied across all devices to ensure compliance and to reduce the number of breaches.
It is key to understand that the security of mobile data and mobile devices has an effect on the overall security of your information, and that changing the security of one will necessarily affect the security state of the other.
This is where OpSec and PhySec come in. Proper guidelines for operations (Operational Security Guidelines), access control and dual control of network use, as well as auditing, can help to reduce risk and prepare your organisation, its employees and clients for possible attacks and data breaches.
- Never leave a smartphone unattended, even for just a minute. Make it a personal habit to keep the phone closed at all times.
- Use passwords whenever possible to protect your privacy if your phone is lost.
- Use passwords on any important documents that you keep on your cell phone. Your grocery list doesn’t need a password, but you don’t want confidential information in the hands of a thief.
- Keep only the documents you really need on your smartphone, and remove and archive older files you don’t actively use anymore.
- Never allow your cell phone software to automatically supply a password for you. If you do, it means that anyone with your phone can access your accounts.
- Regularly review and discard data on your device that you will not be actively using for current work.
- Use “open” public wireless networks cautiously. Identity thieves increasingly monitor these unsecured networks in airports or other public places, looking for credit card or personal information sent “in the clear” without VPN or SSL protection.
- If you use your device for email messaging, be sure you choose a phone that supports SSL/TLS security and that has support for wireless VPN networking.
- Report the loss or theft to the appropriate authorities. These parties may include representatives from law enforcement agencies, as well as hotel or conference staff. If your device contained sensitive corporate or customer account information, immediately report the loss or theft to your organisation so that they can act quickly.
Although much of the above is considered common sense, these rules should be constantly reviewed, improved and enforced upon employees. Violations have to be properly reported, analysed and sanctioned.