Article: "Rough Edges" from the July 2010 issue of Business Travel Executive Featuring Philip Farina

1. COVER STORY
CORPORATE POLICY
CONTACTS
CELL DATA
By Z. Kelly Queijo
Rough Edges
Policy pointers that smooth risk of travelers’ cell phones.
You’ve heard it before: “My cell phone is According to David Schofield, direc- conference bridges are immediately
my life!” The speaker could be a drama- tor of wireless mobility at AlsbridgeTAG, changed.
queen teenager whose cell phone privileges “Security is a growing concern as regula- Contact notes, personal numbers and
have just been revoked. But when spoken tion mostly looks to paper trails. Now IT account information could be revealed
by a business traveler, these words more has to follow the vapor trail. The ability to should the person want to probe into the
carry weight and represent a deep level of replicate deleted data from handheld memory of the device. “Internal damage is
responsibility. devices and forensic reconstruction are one thing,” says Schofield, “negligent
A typical business traveler’s mobile becoming a big part of corporate protec- release of client information becomes
Business Travel Executive JULY 2010
phone stores contacts, appointments, tion against espionage internally and something completely different.”
email, and perhaps even other sensitive externally.”
information such bank account numbers, Or imagine this scenario: a sales man- Triple Locked
social security numbers and corporate ager loses his handheld device and the per- For serial business traveler Peter
data. Loss of any of this information can son who finds it now has access to the Shankman, founder of Help-A-Reporter-
present risks that not only compromise sales manager’s calendar. In that calendar Out, who claims to sleep in hotel beds
traveler’s personal identity, but are also are internal strategy, pricing or client meet- more often than in his bed at home, his
security risks for his employer. ings. The person who found the phone mobile phone and laptop are critically
Just how bad is it if a traveler’s cell could potentially attend any of those calls important to his day-to-day work. Given
phone falls into the wrong hands? undiscovered unless the sales manager that, Shankman takes protecting his data
Probably worse than you imagine. notifies corporate and all the standing and devices seriously. “All devices, lap-
24

2. tops, and iPads have passwords. In addi-
tion, I do a physical check of where my
stuff is as often as is possible.”
You Are Here Checking-in - it’s what business travelers
do when they finally make it to their desti-
One backup is not enough for nation whether it be a hotel, conference, or trade show. They check in to let some-
Shankman. Three is better. He routinely one know they have arrived. Usually that person is whoever happens to be working
copies his data to a backup drive, a hard the reservation desk at that particular moment. However, in March 2009, “checking-in”
drive at home, and a cloud drive some-
took on a entirely new meaning with the arrival of the location-based social networking
where in “said” cloud — and yet, even this
(LBS) tool known as “Foursquare.”
is not entirely sufficient. Shankman also
stores his most important documents on an Unveiled at the South by South West (SXSW) technology conference, Foursquare
encrypted web site separate from his per- was one of the first companies to build upon the status messaging tool where users
answer the question “What are you doing?” that Twitter launched in 2006. Upon the
It’s easy to break into a arrival of Foursquare, the question became “What are you doing and where are you
doing it?”
cell phone using parental Other similar tools such as Gowalla, Brightkite and WeReward have emerged, each
control software. ‘A hacker with a slightly different twist regarding the “what.”
But they kept the “where.”
need only know the model This concept of geolocation updates, allows any smartphone user to post a mes-
sage through Foursquare (or similar tool) to any or all designated social networks or
of your phone, your phone
friends groups stating they have just “checked-in” to a particular establishment or
number, and carrier to location.
Check-ins seems innocent enough given their game-like environment — users earn
gain access.’
badges or points as rewards for checking in to the same place repeatedly. The user who
checks in often enough earns the status of “mayor” of that establishment, only to be
sonal and corporate sites. “If I’m trapped
ousted by the next person who checks-in more frequently.
in a foreign country, I can login, download
my passport, and hopefully get home.” For businesses, the opportunities to take advantage of geolocation marketing and
To the corporate security officer tracking are unlimited. In fact, LBS messages are the ultimate in word-of-mouth market-
(CSO), the threat to data integrity on cor- ing tools and are a terrific way to bring people together in public settings such as con-
porate systems is the same whether the ference. A tweeted text message inviting attendees to the hospitality suite sure beats
threat originates from a computer used by the printed invitation stuck somewhere in the bottom of the conference goody bag left
a hacker or from a smartphone: someone in the hotel room.
from the outside wants in. According to
Think before you tweet
Randy Marchany, information technology
According to Ann Handley, chief content officer for MarketingProfs, event produc-
security officer for Virginia Tech, the two
biggest risks he sees are sensitive data ers are definitely looking at Foursquare and other location-based networking these LBS
breaches and password compromises. tools as yet another way to connect and engage with attendees. “It’s is a no-brainer for
“Corporate execs love to read their email in-person events because of ... well, the location-specific nature of the shared experi-
on their smartphones and these emails ence of an event. Foursquare is a great way for attendees to connect with others and
may contain sensitive information. In ‘see’ who else is present. The connections make for some immediate networking oppor-
addition, people tend to create password tunities and audience participation.”
files on their smartphones and these
But when it comes to personal security and privacy, is telling the world through
devices are, in effect, becoming the equiva-
your smartphone that you are not home or not in the office really all that smart? When
lent of ‘sticky notes.’”
“Smartphones are effectively really Angela Daffron, stalker victim, says “be careful what you share online,” she means it.
highly portable computers with Wi-Fi and Over-sharing, a form of TMI (too-much-information), can provide the “bad guys” all the
cellular data network access,” says Colin info needed to track down a person who may be walking alone to the parking garage, or
Grant, managing director for Nomad has left house, office or property unattended. Recently, the web site PleaseRobMe.com
Business Travel Executive JULY 2010
Mobile Guides. “In terms of security they flashed onto the media’s radar due to the attention they drew by streaming posts from
are no different than laptops or USB flash the status-obsessed public who are compelled to imply no one is home in the form of
drives that have advantages and security
messages that either state where they are going - “off to LAX” - or where they have
weaknesses.” The obvious difference, of
arrived-”just checked in at Starbucks on Main Street.”
course, is that smartphones are small,
highly portable, easy to share and, more Just as a password is code to protect against unwanted entry into a cell phone or
often than not, easy to hack. computer, the code that protects a business traveler compelled to “check-in” comes in
Some problems are specific to certain the form of cryptic words, delivered in 140-chareacters or less, at the right time, at the
mobile devices. Greg Lee, president of right place.
Software Specialists, points out that on a — ZKQ
Blackberry, the browser can be configured,
25

3. COVER STORY | Rough Edges
and often is configured by default, to phone numbers on-hand (but not in the call from your phone.
appear to be inside the corporate firewall. cell phone) for quick access: the cell phone Hand someone your phone to take a pic-
“For example, from my Blackberry, I can carrier’s, so service can be suspended until ture of you.
access all of my corporate intranet sites. the lost phone is found; and the CSO’s, so Don’t click on links in emails or messages
This is a Blackberry feature and it means any possible data breaches can be reported from people you don’t know.
that an application I decide to load on my and the necessary action taken as quickly The security risk can get very person-
as possible. al. Angela Daffron, founder of Jodi’s
The ability to replicate Corporate policies in place for Voice, knows from her own experience
domestic travel may need to be beefed up what it’s like to have someone break into
deleted data from
when traveling in outside the US. Philip a cell phone and gain access to data stored
handheld devices and Farina, a travel and hotel security expert there. Daffron’s cell phone was hacked by
and CEO of Farina and Associates Ltd., a stalker who used off-the-shelf parental
forensic reconstruction stresses that in addition to the various lev- control software to invade and monitor
els of risks travelers are exposed to when her public and private life. “Had I known
are a big part of traveling internationally (fire, food poison- not to leave my phone laying my desk,
ing, fraud, theft, kidnapping/abduction unattended, or had I protected it with a
protection against
and of course, the terrorism element), data
corporate espionage. protection also makes the list. “One only
‘It will be stupid
has to view the latest news to see where things, like storing
phone could also access those same sites. trade secrets, products and identities have
This presents, at the very least, an infor- been stolen from individuals who are trav- confidential files on your
mation access issue. Of course, the risk is eling for both business and pleasure.”
the same for me installing software in my To circumvent risks when traveling in phone and then leaving it
company laptop as well.” foreign countries, Farina suggests travelers
“It will be stupid things,” Grant says, take the following precautions:
in a bar or on the back
“like storing confidential files on your Leave your data-sensitive cell phone seat of a taxi, that present
phone and then leaving it in a bar or on at home. Consider obtaining a local
the back seat of a taxi for someone else to mobile/cell phone at your destination. the greatest risk.’
find — that present the greatest risk. This Consider purchasing a “shield” for
is where end-user training comes in.” your devices. password, some intrusions could have
Schofield agrees: “Corporate policy is a If you require internet access, ensure been avoided.”
first defense.” that you have appropriate levels of encryp- She recommends the following steps
tion and firewalls for secure communica- regardless whether a phone is for business
Elements Of Corporate Policy tions. or, more commonly, for both business and
The goal of a corporate cell phone policy In your vehicle, keep your valuables personal use:
is to protect the enterprise from loss of out of sight and hidden, preferably in the Always be aware of your surround-
intellectual property. Establishing a policy trunk areas. ings.
and getting employees to follow all of the If staying at a hotel, always lock up Be aware of what information you
rules all of the time is another thing entire- your computers, data devices and cell are sharing about yourself.
ly. Given that human behavior is often the phones, when not needed, in the in-room Hide the name of your carrier.
nemesis of any policy, having a strategy in safes or in the safe deposit boxes located Never let your phone out of your
place for when security is compromised is at the front desk. sight.
mission-critical. Know the warning signs and act on
Policy points often include: requiring Personal Precautions them — if your phone lights up, even
passwords on smartphones, no texting From corporate use to personal use, if briefly, or you notice anything strange or
while driving and limiting the type of data your travelers’ cell phones truly are “their new on your phone, take it to your carri-
that is stored or accessed remotely. John life,” tell them to give that phone the same er’s store and have a technical support per-
Hering, CEO of Lookout, a mobile secu- level of attention and consideration they son take a look at it.
rity company, recommends the following would just as if their lives, and the lives of Spend the money for security soft-
Business Travel Executive JULY 2010
be added to any corporation’s cell phone those they care about or work with, ware and install it. $40 can buy peace of
policy: depended on it. mind.
Never leave your phone unattended. Do: Install mobile security software. During her ordeal, Daffron learned
When traveling, always lock your Backup your phone’s data regularly. how easy it is to break into a person’s
phone in a hotel safe when it is not in use. Password protect your phone. phone using parental control software. “A
Download mobile security software Read reviews before downloading any hacker need only know the model of your
that will protect against malware, data apps and download them only from rep- phone, your phone number, and carrier to
loss, and against physically losing your utable sources. gain access to your phone’s sensitive
phone. Don’t: Ever let your phone out of your data.” In addition to mobile security soft-
A corporate policy should also sight. ware, she now uses a Sharpie to block out
include that the user keep two specific Share your phone or let anyone make a the name of her cell phone carrier. BTE
26