IT security: The walls have eyes

COMPANIES SPEND a small fortune securing offices, sites and communication networks, using firewalls, malware protection, encryption, qualified terminal devices and secure operating protocols. You name it, they do it. But what happens when people travel or work from hotel and home?

Once out of office, security seems to drift to the back of the mind. Within hours, shields are down and exposure near total. Sit in any hotel lobby, restaurant, coffee shop or airport lounge, and just watch. People shout on their mobiles in public places as if they were in some acoustic bubble. They may have to shout to overcome the noise level or to be heard across a table, but what about the information they are revealing?

Watch people using their laptops and tablets next to you, behind you, or a few seats away. If you can’t read the text, pull out your smartphone, turn off the sound, and click away. Soon you will have an entire document. In any public place, coach, train or aircraft, just open bluetooth or WiFi and be amazed at the number of open devices advertising their presence and vulnerability. For a small investment in software, you can access most of these devices and their hard drives.

Fortunately, I am not from the Dark Side. I just observe, and often alert people by showing them just how open they are. But what is going wrong? Do companies equip their people with secure devices and then fail to train them? Probably, but perhaps not. It is possible that corporate travelers relax once they are on the road like many holiday makers do with their erstwhile careful spending habits. Should companies be worried? Judging by what I pick up as I travel, I really think they should. Here are a couple of real examples:

About four seats away from me on a train was a very loud group. The team leader was giving a briefing face-to-face and by audio conferencing via a BlackBerry. He defined the strategy and assigned specific tasks, with project and customer named, and products and finances broadcast to everyone within earshot.

A client conference call was agreed, and the leader announced the number as this and pass code as that, saying that he would see them all on the conference call in a minute. I tried to resist the temptation, but I found myself dialing the number and logging on as a silent partner.

How very easy and how very profitable it could have been. There I was, on a sales call concerning … well, I can never delete what I heard, but I cannot divulge it either. But I did eventually get bored, and logged out and went back to my coffee and biscuits.

On another occasion, I was working in a coffee shop when a man sat in front of me with a coffee and laptop. His boot-up time was extraordinarily protracted and colourful. The seal of the US and the CIA acronym filled the screen on a bright blue background. What an opportunity – and what a risk.

Out came my iPhone and I captured screen after screen. I’m pretty sure I got his password and log-on details too. So what did I do next? I said hello, demonstrated what I had, and pointed out that he was not in the US and the environment was not entirely benign.

Today, cloud computing is upon us, along with BYOD (bring your own device), which means this class of risk is about to be amplified. While handheld devices are difficult to read and photograph at a distance, they are very easy to pocket. The newest risk seems to be that people leave mobile devices on tables while they purchase food and drink or visit the facilities.

Time for more training, I reckon. Better still, time to anonymise documents and devices, and to introduce automatic close-down and remote data deletion. All this is simple to do, but I can guarantee human nature will get in the way.

Peter Cochrane is an IT consultant and former chief technologist at BT