Can you hear me calling?
In the seventh of his weekly series for Cambridge Network members, BS7799 and IT governance expert Alan Calder explains the ABCs of business security and compliance. This week he looks at voice insecurity.
We’re used to talking. We do it all the time. And that’s a problem, because someone is usually listening.
When telephones were plugged into the wall, security was relatively simple: you shut the door. If your conversation regularly involved confidential information, you would probably have had the room swept regularly for bugs. And if you were concerned about confidential information leaking out of your company, you installed call monitoring and recording equipment.
The mobile phone has changed everything. We take calls wherever we are, whatever we’re doing. Four times out of five, the incoming caller assumes that we are ready, willing and able to talk about whatever it was that occasioned the call. And so we talk – sometimes to complete strangers – as though no-one is listening.
The lack of self-discipline among mobile phone users is the starting point for one of the most poisonous and destructive attacks an organization could ever have to endure. Usually, the curious person who overhears a railway carriage conversation hasn’t heard enough to know exactly what’s going on. But he has heard enough to share what he knows about the organization’s troubles with his mates down the pub – or with the whole world on his blog.
And then the organization has a problem it didn’t know it had.
Conversely, a disciplined use of mobile phones can also be the ideal way to bypass the organization’s call blocking or recording systems: a mobile-to-mobile call is the best possible way of leaking (financial) information – and a photo makes it even more dramatic.
Information is an asset. Just like the organization’s reputation, information has a value. Most users of mobile phones treat their – and their employer’s – confidential and valuable information without due care and attention. Reckless talking endangers many more businesses in the UK than terrorists do.
And people who’re careless with what they say will also tend to be careless about all the other aspects of their own personal security – from passwords through to anti-virus software and screensavers.
Those who’re being careful, using a mobile phone to leak information, are a bigger problem – advance news of a takeover, an FDA result, a legal action or anything similar can have a dramatic impact on a company’s share price.
What do we do about it?
Organizations need a clearly stated policy on the use of mobile phones, which sets out what they can, and can’t, be used for.
The requirement to comply with the policy must be clearly written into employment contracts and accompanied by straightforward training.
The backup of a determinedly enforced disciplinary procedure ensures that the message gets home.
Confidential information should never, ever be discussed with someone who is using a mobile phone. If you need to discuss something confidential, insist on doing so later – from a secure location.
Mobile phones – particularly picture phones – should be banned from areas in which highly confidential information is discussed or stored.
Next week: Vulnerabilities – the heart of the matter