Organizational Data and Remote Wiping Personal Phones

How much thinking have you done done about the confidential organizational data that leaks out every day onto the personal phones of employees? You’ve fretted about USB thumb drives and you’ve deployed BitLocker so that data can’t be recovered from a laptop computer left at an airport security checkpoint, but have you thought about what might be stored on that brand new smart phone with 64 GB of flash memory that the well dressed senior executive is flashing around the break room?

64 GB is certainly more than enough storage to hold what was hosted on several departmental file shares when I worked in first level support!

In the 1990’s a lot of organizations were worried about their Sales team walking out the door with the spreadsheet containing all the customer contacts. Today the Sales team has all those contacts and the communication with those contacts stored on their phone. Phones hold a lot of important data. Data that is easily recoverable by a third party if they found or stole the phone.  We worry about USB drives and we worry about people emailing sensitive documents to their Hotmail accounts, yet few people seem to be giving mobile phones much in the way of consideration.

This is in part a cultural thing. We still don’t really think about phones as the small computers that they are. We still think of phones as dumb. They aren’t and we are if we think about them that way.

Consider the following: There have recently been reports of people who used their personal phones to read their organizational email being surprised when the organization that they used to work for performs a remote wipe on those personal phones after the person’s employment ceases. http://www.npr.org/2010/11/22/131511381/wipeout-when-your-company-kills-your-iphone

While this makes sense to some IT staff, the amount of shock and outrage this story generated across the general public indicates that users have a different attitude towards corporate data being stored on their personal phone. That is, that if it is stored on their device, it is their data. That the organization has no right to wipe “their” data because it was on “their” personal phone. There is a pervasive attitude that the ownership of data is directly related to the ownership of the data storage medium. This will no doubt cause many headaches for IT departments in the years to come.

Some organizations go as far as to have employees sign waivers that indicate that the employee is aware that their personal phone might be wiped in the event that their employment ceases. Some organizations do this. Most don’t.  If your organization doesn’t do this, this is probably something you should get on top of.

What you do have to remember is that like USB thumb drives, mobile phones are becoming increasingly dangerous as possible vectors for information leakage. While IT departments have happily devolved mobile phone support back onto the users who want to use their own phones to access corporate resources, there is a cost to this in terms of information security that many people haven’t deeply considered. At the moment the only thing you can do about it is make sure that your backside is covered by having some policy in place that details a procedure to ensure that phones can be remotely wiped if they are reported lost or the owner of the phone’s employment at your organization ceases.  Make people completely aware that the cost of them using their mobile phone to access your organizational infrastructure is that the device will be wiped of all data in the event that such a wipe is deemed necessary. If people are aware of this, they’ll either choose not to read their work email on their phone or they’ll have nothing to complain about when their phone needs to be eventually wiped.