It is a fact that most people have a cell phone and a high percentage of those phones are smart phones, basically a mini computer in your pocket. These devices are not going away, but there adherent risks associated with them that we as security professional must address.

Since the advent of cellular phones many things have changed in our world, and once the smart phones made their debut things got a lot more complicated. With the so called “Smart Phones” came a whole array of security issues that many businesses have yet to address.

The security risks associated with cell phones in general are minimal if you are still using a basic phone.  Those risks mainly include the phone’s camera.  However, the security risks with smart phones are many and with the changing technology moving at warp speed, it is untold how many security risks may be out there.

Smart Phones are mini-computers, not only can you make calls, send text messages, and take photographs, you can also surf the internet, receive and send emails with files attached, scan documents, transfer files wirelessly and many other things. The days of needing a laptop to copy and move files are over and now your smart phone will do just about everything that a computer will do and you can carry it in your pocket.  So why is that a security risk or threat? Simply speaking the device can be dangerous in the wrong hands and can result in criminal or civil actions.

Cell Phone Cameras Security Risks

First, all cell phones have cameras built into them. These cameras can take still shots and videos and in many cases you may not know what is being filmed or photographed. These cameras have been used in the commission of criminal activity on numerous occasions, such as photographing people in private settings (e.g. restrooms and changing rooms). Other types of inappropriate uses include photographing confidential records, trade secrets, classified information, and so on.

Years ago only those committing espionage carried small cameras to secretly photograph things, but now just about every adult has the ability. To counter this risk many businesses have implemented cell phone policies, yet the enforcement of such is often impossible, and like many other policies it comes down to the honor system.

Is there any place within your organization that a cell phone camera could be used to destroy your businesses image or reputation, cause you be to be sued, or violate someone’s privacy?  If you answered no we have news for you, you are in fact at risk.

Cameras have been used to film or photograph people in the restrooms or locker rooms and that video has made its way to the internet within seconds of being made. Take for example a large pizza company whose employees filmed themselves bathing in the businesses kitchen sink, or other videos of employees adding body fluids to food products that a customer is about to consume.  Cameras have also been used to photograph trade secrets, confidential documents, and upload the pictures to the internet, and it can happen anywhere including at your business.

Mini-Computers Security Risks

Another risk associated with cell phones includes the fact that anyone can get a credit card scanner and affix it to their cell phone and process credit card transactions.

Case in point there have been many incidents where wait-staff at restaurants have done just this instead of using their employer’s cash registers. In one such case a waitress was taking the credit card to process a customer’s check instead of scanning the card at the wait station’s computer.

In this case she pulled out her personal scanner and affixed it to her smart phone and put the charge on her device so that she personally received the funds.  When the customer reviewed their monthly statement they did not recognize the merchant’s name and questioned the charge to their account, and thus uncovered this diversion. Had the customer not reviewed their statements and questioned the charge, the employee would have gotten away with the crime.

There are handheld credit card processing machines available for merchants and they are in use in other countries, yet they have not been widely placed into service in the United States. Why? These devices come to the customer and they scan their card just like we all do at the cash register in most retail stores these days.  This way the card never leaves the hands of that customer, which is a much more secure process.

Another risk with smart phones is the fact that you can connect your phone to any computer that has a USB drive, or you can connect using Wi-Fi which many businesses offer for free to their customers or anyone within range. Once you are connected either you can upload files to your phone, or download malware or viruses to the computer, all with very little risk of being noticed.

Security Risk Identification and Mitigation

So what can you as a business owner do to reduce or eliminate your cell phone security risks? There are many things that can be done depending on the type of business you operate and listed below are some of the basic security risk mitigation steps that everyone can take.

• Develop a cell phone policy and enforce it
• Do not allow employees to carry cell phones at work unless it is an essential part of their job
• Do not allow cell phones into security sensitive areas (i.e. locker rooms, restrooms, research and development areas, locations where sensitive documents are stored and so on…)
• Review your Wi-Fi service and determine your security risks with such. You can also set your settings for this service to minimize the use and features and look at blocking access to your intranet network through the Wi-Fi connection
• If your business uses equipment that relies on Bluetooth or Wi-Fi access check your settings often to insure the proper security measures are in place. Note: In a recent case it was found that medical devices using Wi-Fi allowed hackers an undetected route into the healthcare organization’s network
• Check to see what Wi-Fi access shows up within your business environment in case someone is spoofing your Wi-Fi or phishing in an attempt to acquire sensitive information such as usernames, passwords, and credit card details wirelessly

You can also ban cell phones on your company’s property, however this may be difficult to enforce.  As an example, many federal court facilities currently have such a ban, but cell phones still make their way inside.

Security Risk Assessment

Has your organization ever studied the risks associated with smart phones or cell cameras in the workplace? Do you have restrictions on the possession and use of cell phones at work? Do you have restrictions on these devices from entering sensitive or restricted areas? Do you know what the Best Practices are for cell phones at work?

Remember, a policy alone will not reduce your risks and it cannot prevent inappropriate use of cell phone cameras.  As a business owner or security professional you must insure that appropriate and reasonable security measures are in place and that you are taking the proper steps to address this issue.