I was eating at a restaurant a little over a month ago when a couple sitting not too far from me caught my attention. They were hardly touching their food, and they were also completely oblivious to each other. Each was holding a BlackBerry device, completely immersed in texting. I somewhat sarcastically wondered if they would at some time afterwards look back on their meal experience as a special time with each other!
Except for the fact that texters are downright dangerous when they text while they drive, texting isn’t really such a bad thing. But those who do it constantly seem like captives to me. I have heard stories of young couples who have broken up on the grounds that one of them did not reply to text messages quickly enough. Apparently some texters feel snubbed when there is a delay between the time they send a message and the time the recipient replies. I was even told that once one of a romantic duo became jealous because he suspected that the other was texting with a romantic rival of his.
From an information security point of view, however, texting is anything but an innocuous activity. It provides a means to knowingly and unknowingly leak sensitive and valuable information. Heaven only knows how many individuals engaged in by all appearances innocent little texting sessions have revealed proprietary and even classified information. There are some special considerations regarding texting that greatly increase security-related risk:
1. Texting sessions bypass firewalls and other barriers that protect networks. The resulting risks are for the most part ignored, something that is very ironic considering that incoming modem access that bypasses firewalls and peer-to-peer traffic are on just about every organization’s “no-no” list.
2. Texting-related transmissions are seldom if ever encrypted, rendering them extremely susceptible to eavesdropping attacks. The wireless nature of these transmissions makes the would-be eavesdroppers’ task considerably easier. In most cases, therefore, anyone who can capture the information in a texting session can view the entire contents of the session.
3. The content of texting sessions goes through and is usually saved on a server located somewhere. The content of texting sessions is thus out of the control not only of the texters, but also the organization(s) for which they work. If I were ever to decide to make a living by engaging in corporate spying, one of the first things I would try to do is to obtain access to texting servers.
4. Today’s data loss prevention tools, intrusion detection systems, and other security technology currently lack (and may never have) the capability to capture and analyze the content of texting sessions in the workplace. Consequently, if data leakage through texting occurs, it is extremely unlikely that anyone will ever know about it.
Texting and mobile computing go hand-in-hand. Let’s face it—most organizations do little to secure their mobile computing devices and environments in the first place. I would thus not expect a sudden surge of concern regarding the risks surrounding texting. There is at least one time-proven and cost effective measure that organizations can and should use, however—security awareness training. At a minimum, organizations should have mandatory all-hands awareness training sessions that teach users about the dangers of data leakage through texting.