Prior to joining Kinamik, I was a security consultant; while doing my job, it was normal practice to bring my own laptop into an organization, which often meant copying and retaining sensitive company information on it. Being a security consultant, I obviously made sure that my hard drive was encrypted, that the antivirus was up to date, operating system and applications patches were applied promptly, the firewall rules were appropriate and I even checked the logs on a frequent basis. But times change, and, today, these normal security practices have slightly evolved, especially wrt replicated cloud storage. I now encrypt individual files and am careful what is synchronised to my mobile devices. I have often wondered how many non-security folk take such precautions!
The Information Security Week´s 2012 State of Mobile Security provides a glimpse of the current situation “with 62% already allowing personal devices at work, IT’s juggling laptop policies and Wi-Fi policies and BYOD policies—and that means security gaps big enough to drive a semi through. Most, 80%,require only passwords for mobile devices that access enterprise data/networks, yet just 14%require hardware encryption, no exceptions”.
Ok, so this problem is pretty bad; just to make matters worse, let’s think about eDiscovery and eEvidence issues… Kurt Mix, a former engineer for BP plc, is being prosecuted on charges of intentionally destroying SMS evidence requested by federal criminal authorities that are investigating the Deepwater Horizon disaster. If convicted, Mix faces a maximum penalty of 20 years in prison and a fine of up to $250,000 as to each count. Could this be just Kurt that gets into trouble here or is it possible that there is a smoking gun scenario that will be pursued at more senior levels of the company?
To sum it up, organisations need not only look at how to protect electronically stored information (ESI), but also how to ensure records that are generated on mobile devices are preserved, especially whilst on legal hold. Issuing legal hold notices are just not enough, there needs to be technical solutions available to ensure on-going legal hold, especially on mobile devices that do not benefit to regular backups.
Author: Nadeem Bukhari