Camera phones

Prying eyes. At many companies, a camera phone - great for office party snapshots or for capturing an interesting presentation slide - wouldn't raise an eyebrow. At Cardinal Health, mobile phones equipped with cameras are a physical security threat.

Cardinal Health has its hand in almost every facet of a drug's life cycle - from development, manufacturing, packaging and delivery to pharmaceutical distribution. To allow photographs of how valuable drugs move through these stages could create security vulnerabilities. Cardinal Health also handles personal medical information that falls under the US Health Insurance Portability and Accountability Act (HIPAA) regulations. "To allow cameras anywhere near the process, from when we receive [the product] to when we deliver it to the end users, would be a huge vulnerability, and it's not one we're willing to accept," says Tim Gladura, the company's CSO.

That said, camera phones are particularly challenging to contain because they're not connected to any platform that the company controls. Gladura says that a "no cameras" policy and an ongoing awareness campaign that conscripts employees into the security ranks works best. "I'd rather have 55,000 sets of eyes out there than just my department," he notes. But even that is not enough. His department also has enacted other policies that help to keep cameras out of sensitive areas. For example, employees at the distribution facilities are discouraged from taking lunch in the parking lot - to allow security to better discern if other, unauthorized individuals are sitting in the lot to observe loading dock operations. The doors that cover employee lockers are grated, offering security personnel a view of the contents. And random security searches are not unheard of.

At Tommy Hilfiger USA, camera phones pose a different kind of threat: the potential loss of intellectual property. David Jones, vice president of corporate loss prevention and security, worries about visitors who enter the company's design studios. "For anyone in our business, the design patents are the innovations that the company lives off," says Jones. A covertly snapped picture of a dress for the new summer line that is e-mailed to a competitor represents a real loss.

Jones also relies on a no-camera policy to protect the design areas, but he worries about the increasing prevalence of camera phones and their shrinking forms. His fears are well-founded. According to InfoTrends/Cap Ventures, research suggests that by 2009, 89 percent of all new mobile phone handsets will include a camera. And the technology is advancing so quickly that it is harder and harder to tell which mobile phones can take snapshots. "On older phones you could tell if there was a camera; now you can hardly tell, so we have a policy that we can't really enforce beyond awareness and training," Jones says. He adds that to his knowledge a theft by camera phone has not yet occurred, "but the threat is always there for it to happen".

CIOs and security execs also need to worry about protecting their employees' privacy when camera phones are around. One security executive, who declined to be identified because of the sensitivity of the situation, recounted a case where employees using the company's shower facilities after lunchtime workouts became concerned about a man who always seemed to be talking on his mobile phone in the changing area. Public locker rooms and gyms frequently have "no mobile phone" rules, and locker rooms provided by an employer should be no different.

"Information about people [photographic or personal data] is way more valuable than information about anything else," says Stephen Cobb, author of Privacy for Business (Dreva Hill, 2002), a book that offers executives advice on safeguarding privacy of customer data. "Companies often focus on protecting financial secrets, but information about people can cost the company more."

At First Data, which specializes in money transfers and credit card processing, CISO Phil Mellinger has an employee dedicated to examining mobile devices and other technologies that employees want to bring into work, and who gives written approval from security where appropriate. Without that approval, the device is banned. "We used to approve general security configurations," says Mellinger. "For example, if someone used a wireless device, there were two approved configurations for security. But now each device has its own security configuration, so we have to get down to the device level." Mellinger also notes that camera phones are not just a security issue but an HR issue and a procurement issue as well. "You have to get so many different entities in the company focused on the problem and approach it from different perspectives, but it is a massive problem," he says.

According to industry sources, the Pentagon and defence contractors have long had mobile detection equipment, but that kind of technology is now going mainstream. Companies that offer mobile phone detection technologies - such as Phoenix-based Cellbusters - are gaining traction in corporate markets. The CellBuster device can detect a mobile phone that is switched on (even if it is not in use) within a range of 30 metres, and it issues an audio alert that tells the user to shut off her phone. It can also operate in a silent mode, alerting security personnel with a flashing light. This kind of product is ideal for companies that have certain targeted areas within their facility that should be camera phone-free, whether it's the boardroom or the locker room.