A Ponemon Institute and Cellcrypt study shows that making business cell phone calls can be an expensive risky business, especially if trade secrets are revealed during cell phone calls. There is a threat due to cell phone interception.
The cellcrypt website reported that the codebook that unscrambles GSM calls - used in 80% of cell phones -
has been computed and published on the web, that lowered the cost to criminals for cell phone eavesdropping to below $10,000.
According to a survey of seventy five companies and 107 senior executives in the United States, it costs U.S. corporations on average $1.3M
each time a corporate secret is revealed to unauthorized parties. 18%
of respondents estimate such losses to occur weekly or more frequently,
61% at least monthly and 90% at least annually.
67
percent of IT practitioners surveyed lack confidence that the
proprietary and confidential information conveyed during cell phone
conversations is adequately secured in their organizations and 85%
believe voice data security is at least as important as other security
issues faced by the business.
Moreover, 80% believe that the
organization would not discover the wrongful interception of a cell
phone conversation that revealed valuable corporate secrets.
The
survey asked participants to respond to the likelihood of six separate
scenarios involving the use of cell phones to communicate sensitive and
confidential information occurring in their organizations. The
scenarios described the following:
- A conference call among senior leaders in the company in which cell phones are sometimes used.
- A sales manager conducting business in Asia uses her cell phone to communicate with the home office.
- An external lawyer asks for proprietary and confidential information while using his cell phone.
- A
call center employee assists a customer using a cell phone to establish
an account and collects personal information (including Social Security
number). - The finance and accounting staff discusses an earnings press release and one participant on the call is using a cell phone.
- A
CEO's administrative assistant uses a cell phone to arrange ground
transportation which reveals the CEO's identity and location.
Awareness
of the problem was high with 71% stating that confidential information
is communicated over cell phones in conference calls, 80% when
travelling to countries known to be high risk for voice interception
and 83% when discussing information with professionals such as legal
representatives.
59%
of respondents felt that high profile employees are likely or very
likely to be specifically targeted for voice interception with 50%
indicating that such interception would occur by government authorities
and 32% by criminal organizations. The risk of such interception was
seen to be highest in the Asia Pacific and Middle East regions.
Despite
these findings, few organizations have yet deployed comprehensive
protection measures with only 14% deploying technological solutions to
personnel travelling to high risk locations and a surprising 83% not
even providing employee training to raise awareness about the risks of
using cell phones in high risk areas.
"Cellular
communications are ubiquitous in business and will only become more
prevalent as worker mobility grows, yet the risk to information
security is often overlooked," said Larry Ponemon,
chairman and founder, Ponemon Institute. "Common scenarios, such as
conference calls attended by executives dialing in on their cell phone,
may pose a serious threat to highly sensitive personal or corporate
information if proper precautions are not taken to ensure business
information integrity."
Simon Bransfield-Garth,
CEO of Cellcrypt added "This data attempts for the first time to put an
economic figure on the cost of cell phone interception. With recent
news demonstrating the vulnerability of cell phone calls, it serves as
a wake-up call to those responsible for Risk and IT within corporations
to add cell phone risks to their list of hot topics."
The survey was conducted byt Ponemon Institute (www.ponemon.org), on behalf of Cellcrypt (www.cellcrypt.com).