Smart Phones "Bigger Security Risk" Than Laptops
CWmike writes "A recent survey of 300 senior IT staff found that 94% fear PDAs present a security risk, surpassing the 88% who highlighted mobile storage devices as a worry. Nearly eight in 10 said laptops were an issue. Only four in 10 had encrypted data on their laptops, and the remainder said the information was 'not worth' protecting. A key danger with PDAs was that over half of IT executives surveyed were 'not bothering' to enter a password when they used their phone. A VP at the company that performed the survey said: 'Companies need to regain control of these devices and the data that they are carrying, or risk finding their investment in securing the enterprise misplaced and woefully inadequate.' Is this just iPhone fear-mongering? Do you think the passwords execs could remember would help with securing PDAs and smart phones?"
Nothing to fear from iPhones (Score:0, Insightful)
Not surprising (Score:5, Insightful)
Remember, people want to use these things while they are driving a car, eating fast food, and listening to a book-on-tape. They don't want no stinkin' security features.
IT departments securing handhelds (Score:5, Insightful)
It's possible to lock it all down instead of living in fear. Of course, there's a fine line between security and stifled innovation. Our company's proxies, by default, block blogs, and I have to request that they be unblocked one at a time. Since most of the discussion concerning JSRs for JDK7 development happens through people's blogs, it can seriously slow down the ability to do my job sometimes. But if you want things secure, there are going to be tradeoffs.
(And if a company laptop doesn't contain ANYTHING worth stealing, the employee should probably be fired for not producing anything worthwhile
Cell phone security (Score:3, Insightful)
As a result, I'm not storing any sensitive information on the phone.
The Palm Pilot was at least better in this regard, since it allowed separating public and private information and requiring a PIN when you wanted to access private data. However, this was a PDA rather than a cell phone.
If you have physical access (Score:4, Insightful)
regards
Re:Not surprising (Score:2, Insightful)
Not worth protecting (Score:3, Insightful)
And honestly, a lot of them could be right in that it wasn't worth protecting. For example, what percentage of documents are really needed to be secret for a company's existence? My guess is about
analog hole (Score:5, Insightful)
I can't have a cameraphone because I can 'steal' data, but you let me bring my 250GB laptop home.
My email is filtered for PPI and dirty words, but you don't filter my Gmail.
I can't FTP, but I can attach 10 MB files to webmails.
Build a better mousetrap, and some management school out there will produce a stupider monkey.
Looking forward to two stage Cell/PDA encryption (Score:3, Insightful)
So I am hoping for a two stage system where call logs, full content of my address book, notes, calendar and so on are stored and encrypted separately from basic parts of the system. Incoming call logs could then be stored in a temporary mode until I enter my storage password, at which moment I would get access to the secure data using a separate password.
There are of course problems here too - notifications of upcoming calendar events, and displaying name/number association for incoming calls, among other issues. It will be necessary to allow personal choice for what should be cached outside of secure memory, but I certainly look forward to having more secure options for cells and PDAs!
Re:Not surprising (Score:5, Insightful)
The entire content of their inboxes doesn't count as data worth stealing? What about the potential for shorting the company's stock and then using their device to send an email from their account that will make the value drop (if only briefly)?
Re:Not surprising (Score:5, Insightful)
PDAvailable (Score:3, Insightful)
Come on, now. If the information's on a PDA, anybody with the IT version of a bent paperclip will be able to get it.
What's the first security rule for a PC: If they have physical access to your computer, your data is theirs. I would bet my bottom dollar that 90% of the security problems concerning a PDA result from exactly that: loss of physical control of the device.
Re:Nothing to fear from iPhones (Score:5, Insightful)
How is the iPhone magically invulnerable to wireless issues, as the sister post describes?
Another fanboy, "Oh no! Someone's perhaps saying something potentially negative about an Apple product! Must rush to defense!"
Re:Make the tech better, not the people using it (Score:3, Insightful)
The point here is that healthcare records are going electronic. I'm required to have OB/GYN notes for patients on me at the drop of a hat in case a delivery comes through the ER doors at 2 in the morning. When I'm heading to a patient's home for a visit (yes, some of us still do visit patients' homes!), it's far more convenient - and safer - for me to have their phone number and chart on my Smartphone than to print out their chart and bring a paper copy to their house. What happens if I am in a car accident and the file is stolen in the mix of the accident? What happens if someone breaks into my vehicle and I have other patient files kept there for other visits that I plan to do during the day (which I can't bring into the home and expose to the patient I'm seeing - again, HIPAA).
It's far more simple to have records stored in one SECURE place, but not every component of that device is secure. I haven't heard of any HanDBase hacks yet - I'm sure they're out there in the wild - but I haven't heard of them. Still, that leaves other information open to use and exploitation. HanDBase doesn't integrate well with the phone system; you can't even copy and paste a phone number for a patient from HanDBase into the phone application on my SmartPhone - so do I write it down? Do I try to remember the phone number and risk dialing a wrong number and giving my patient's name to some unknown person on the other end of the line when I ask for them (especially since I'm usually doing about 2 dozen things at a time) - or do I store the numbers of the patients I call most often in the address book and simply tap "call" next to their name when I need to contact them?
You lack a basic understanding of the workload placed on healthcare professionals and the impracticality of using a centralized computer system for everything. Thank goodness our health network is going wireless so docs can continue using their phones - which have become invaluable in improving patient care - and use them safely through encrypted data connections back to the hospital data center. You act as though storing a few patient files on a phone is some sort of sin; you give me a better way to have the exact prescriptions, doses, surgical and medical histories, etc. on every patient at my fingertips when I'm called to the ER to see one of my patients and the hospital's computer system is down or the record can't be found in the system because of reason X, Y, or Z. FIX THE TECH. The people want to USE the tech and use it responsibly, but if the technology isn't repaired FIRST, then the expectations placed on practitioners to go paperless are placing everyone at risk.
I'm describing the problem - it needs a solution. If you don't have one, I suggest you put your fingers in your ears instead of on your keyboard.
Re:Fortunately, we use blackberries! (Score:3, Insightful)
Now, let's see who uses Blackberries. Managers. Who makes security guidelines? Managers. Who have usually little to no technical skills and loathe everything that keeps them from "just using" stuff? Managers.
I wish you all the luck in the world to convince your managers that those security features are a good idea.
It goes hand in hand (Score:3, Insightful)
Security is a matter of improving technology and training your staff. Doing just one of them will not increase your security past the more insecure one of them.
Re:Not surprising (Score:3, Insightful)
"all. And NO, sheer size of a company does not yield "competent" IT staff, trust me on this one..."
Jesus H.
If only life were simpler
Ha!HA!Ha! (Score:3, Insightful)
There is none.
Cell phone users don't seem to care who is around (in listening distance to their conversations) so SECURITY is a moot point!
I have experienced this while working as a cashier at a local "shit and get" store. Most people are so caught up in their 'own little cellphone world' that they forget about anyone around them.
Most people are so jaded about their surroundings while talking on cellphones that IT security does not even enter the picture.
I get so tired of it that I usually toss them out until they finish their conversation.
Basically, have the respect and courtesy to deal with me and your purchase, or get the fsck out. I don't want to be subjected to your phone conversation. Deal with it.
Yet another AC here. (Score:1, Insightful)
Who knows what information to get? The employee.
Who has the password? The employee.
Besides the PEBKAC, most company compromises are done.... through the employee.
Re:IT departments securing handhelds (Score:3, Insightful)
I'm in IT and I have to tell you two things:
1) I'm a user as much as a sysadmin, or what did you think? So please consider that I see it from both perspectives: that of the sysadmin I am and that of the user I am too, so it might be, from this assertion alone, that I'm in a more relevant position regarding this issue than you.
2) More often than not, IT is neither insular nor unresponsive, since it holds no power to act one way or the other. Just like in everything else, it is management that provides the strategies and objectives that IT just puts into practice. More often than not, it is not IT that will cut off your RSS feed but a manager who said that "all that lost time blogging and what-not must finish", IT being just the executing arm.
There is a time when IT really is unresponsive, and that's when, as usual, IT is heavily understaffed and overburdened and holds all responsibility for "IT matters" instead of asking for employees' maturity: when somebody loses a check that was supposed to be taken to a bank office, it's the employee's responsibility for not being cautious enough; when his PC is flooded with worms because he was at goatse on office time, it's an IT problem more often than not. In the end, if the employee visits goatse it is IT's fault, but if, as expected, trying to cope with HR problems via technical solutions affects somebody's productivity, it's IT's fault too!
"My having to circumvent IT to work means that there is dissonance between how IT sees my role and I (and my boss) see my role"
You forget that it is most probably your boss who asked, directly or indirectly, for your RSS feeds to be cut off, and it's your boss who is directly or indirectly responsible for asking contradictory efforts of different parts of the company's staff. On the other hand, you too are a bit at fault: "my having to circumvent IT..." Would you dare to circumvent the beancounters so you can get your stuff for a given project faster? Would you dare to think you surely see the "whole picture" regarding your company financials better than the beancounters, so it's in your company's overall best interest for you to circumvent financial policies and procedures?
"I tend to view new security measures as productivity killers because they are not accompanied by contextual interviews to see how I work."
And you are probably right at that. But do you really think it's IT that decided not to spend the effort, time and money for such an interview?