Guest Post by David Nardoni
The responsibility of conducting mobile forensic investigations in the workplace should fall in the lap of the Chief Information Security Officer (CISO). Unfortunately, 58% of organizations do not have a CISO, according to our recent Global State of Information Security Survey of 9,300 senior executives. Often the CIO is tasked with leading efforts to collect evidence when foul play is suspected. Fetching data from mobile devices is fraught with challenges not found in the more mature realm of personal computers.
Increasingly employees want to use their mobile devices as they do their desktops. They edit and send documents, check work email and collaborate with other employees using the device’s built-in features for texting or instant messaging. They also toggle back and forth from work to personal applications and data. In some respects and based on employee usage of mobile devices, the motives employers have for investigating mobile devices mirror those of PCs. Maybe an employer believes that an employee absconded with trade secrets, downloaded the credit card numbers of customers or transferred the social security numbers of hospital patients. The stakes are high. Either corporate assets are on the line or employers may be on the hook for millions of dollars in fines from regulatory agencies and damages to litigants, as well as substantial brand erosion.
The legal and technical issues presented by mobile devices create a slew of unique challenges.
Employees feel a heightened level of intimacy with mobile devices that they don’t with their desktops. After all, the devices are always with them. As a result, I’ve found from leading digital forensic investigations that employees are more likely to reach for their mobile device to communicate with another party to conduct illicit communications. Consequently, when an employer suspects suspicious activity, the mobile device is the first place they want to look.
It’s critically important that employers put the necessary workplace policies in place that grant them the scope and authority to secure the evidence they need when employee misuse of data is evident and to educate employees of the policy and its impact. Employers should also leverage education as a potential deterrent for misuse. Employees need to understand that they shouldn’t expect privacy when using their mobile devices to access corporate networks, whether the company technically owns the device or they do. Companies should consider the legal, privacy and data-recovery issues associated with BYOD programs.
For example, some mobile devices and operating systems provide employees with strict password protection capabilities that are impossible to bypass using current commercial solutions. Other mobile devices have full encryption. In these instances the device’s data is shielded from employers. If employers are lucky, the employees in question synced their mobile devices with their desktops. Should devices that block employers from determining their level of risk exposure be permitted to interface with corporate systems? Should employers address setting passwords in workplace policies?
Piecing Together a Complete Picture with a Patchwork Quilt of Solutions
Mobile security is where PC security was 10 years ago. The information that employers can extract from mobile devices varies depending on the device and operating system and the employer’s mobile management infrastructure.
As it stands now, employers must engage a patchwork quilt of solutions to piece together a complete picture of the activity that transpired over a mobile device. Vendors are approaching the ability to provide a full image of the device in one shot. The good news: The market is maturing rapidly. It won’t take 10 years to catch up with PC security.
Providers of mobile forensic solutions face challenges that those in the PC market don’t. Keep in mind, new devices and operating systems are introduced every 6-12 months. Vendors must update solutions to keep pace with new technology.
Mobile devices doubled the number of end points that could need investigating at anytime. IT departments must prepare to determine the organization’s risk exposure when necessary. Workplace policies are important. So is having a range of tools at your fingertips.
I’d like to hear about any challenges you have encountered when conducting mobile forensic investigations. Share your thoughts in the comments.
Image shared by JohnGoode