"Whatcha got there?"
"This is my new T-Mobile G1 smart phone."
"Hey, nice screen, Bill. Cool keyboard, neat mouse control."
"Thanks! I just got it to sync with all my work emails too! Now I can be productive everywhere when I am not at my desk. Check it out Bob."
"Bill, I thought only BlackBerry devices could be used for company email?"
"That's what 'THEY' want you to think Bob. All I did was set my work email to auto-forward to my Gmail account. And, like magic, all my work emails are available on my G1."
"Bill, that's nothing! Look what I did on my new netbook."
"Bob, when did you get a netbook? I thought they we still pretty expensive?"
"Nah, I got this one for $348 out the door. With Windows! And check this out..."
"Bob that looks just like your work computer's desktop!"
"That's because it is Bill. I just plugged this USB drive into my work computer and it copied all of my data and settings onto this drive. Then I plugged the drive into my new netbook and BAM, it was all there!"
"Bob, you are such a showoff!"
"Our company is really forward-thinking when it comes to I.T. It's great they let us use any computing device for work!"
Do You Work With Bob And Bill?
Do you know a Bob or a Bill in your organization? If you don't, you are probably not looking hard enough.
Most employees do not take the time to search out your organizational policy on protecting sensitive information on mobile devices. (That is, if you have one -- hint, hint.) And, if Bob and Bill did find the correct policy, would it provide enough detail so they could make appropriate decisions?
If your enterprise is not prohibiting, restricting, or controlling the removal of organizationally sensitive information via USB drives, SD card readers, or other removable memory ports on organizational computing assets, then Bob and Bill would have no reason to believe that the actions they are performing are inappropriate.
Organizations have many options when it comes to protecting information that leaves computing assets via ports. Beyond policy and information security awareness, tools are available that enable organizations to monitor data leaving via ports, disable ports from being used, and protect the information leaving a machine via a specific port with organizationally controlled security measures (encryption and authentication options abound).
As for the email forwarding... well, that's another issue your company policy will increasingly need to address with the proliferation of "prosumer" smartphones.
Ben Halpert, CISSP, is an information security researcher and practitioner and writes monthly about security. Comments, questions & requests can be sent to him at firstname.lastname@example.org; please include SECURITY in the subject line.