A flexible and mobile workforce is of huge benefit to the business,
but it is essential that company information is kept secure. Kurt
Lennartsson explains
A company sets up a mobile workforce: it invests in laptops,
personal digital assistants (PDAs), mobile and smart phones, and its
staff are out there chasing and, hopefully, winning business.
Mobile computing appears to be achieving everything it should.
Until one day the sales director loses his laptop with confidential
company information on it, and it mysteriously turns up in the
hands of a competitor. Worse still, the financial director has his
PDA stolen at the airport and it is not secured even though it has
the company accounts, salaries, and customer details stored on it.
What are the implications if this indiscretion hits the market? The
company's share price drops, its customers lose faith and, in the
worst scenario, the financial director ends up in prison for
contravening the Data Protection Act.
This may be a little far-fetched but mobile phones, laptops and
PDAs do get lost every day and, with them, people lose telephone
numbers, bank account details, diary information, notes and memos -
often with little chance of this information being recovered. This
can be highly inconvenient if it is not backed up and could be
disastrous if it is not secure.
In a PDA usage survey conducted earlier this year by Pointsec and
Computer Weekly, one in 10 people admitted they kept all their
confidential information on their PDA. And of these, 72% admitted
they use their PDA as a business tool but a quarter do not use any
security to protect this company data.
When devices containing company information disappear and do not
have adequate security, it can be substantially more than
"inconvenient" for the company concerned. Enterprises need to
recognise that their data is their most valuable asset and treat it
with due care.
Here are a few tips on ensuring your mobile workforce stays secure
and does not fall into the trap of losing confidential company
information.
- Create a mobile device security policy specifically
highlighting handheld devices
- Create an awareness programme to make the policy known within
the organisation. Staff must be told about the security
implications of mobile devices, and what actions will be taken if
the policy is ignored
- Never rely on techniques or products that allow the user to
make security decisions. All security settings should be maintained
and controlled centrally
- Require enforceable mandatory access control on all devices as
the first line of defence. Users should not be able to disable the
access control put in place
- Buy PDAs for staff. Never allow users to connect their personal
devices to the company network. (Who owns the data and controls the
security on a personal device?) Company ownership is a
prerequisite for maintaining a strong security profile
- Standardise on a few brands of devices and support only a few
mobile operating systems. Too many devices and operating systems
will multiply your worries. Knowledge of device and operating
system internals is key to keeping up with vulnerabilities and
knowing how to fix them
- Use password/Pin standards. Specifically consider device input
and screen limitations as small screens and keyboards do not make
regular passwords easy to use. Consider use of two-factor
authentication, something you know like Pin numbers or
picture-based Pins (using symbols) in combination with biometric or
signature recognition technology
- Approved devices need to carry their own defences. You need to
think about each device and removable medium as a self-contained
unit that will contain confidential data and therefore needs to be
protected. Consider automatic and user-transparent encryption on
all data on a mobile device and removable medium - virtual physical
security
- Mandatory and enforceable use of encrypted removable media
prevents data from leaking when a user might try to use the same
medium for storing both music and company data on the same Compact
Flash memory card
- Track and label devices. Treat mobile devices like desktops and
laptops, labelling them and keeping records
- Treat wireless technologies like the Internet. Use a virtual
private network (VPN) on top of Wired Equivalent Privacy to connect
to the internal network. Consider the use of one-time password
tokens or certificates for opening VPN connections. A personal
firewall will also soon be needed for mobile devices as the number
of applications, services and ways to connect increases
- Select and deploy an antivirus product that works in
conjunction with any antivirus products already in place in the
organisation. Soon we will see Trojans and viruses that can cause
real harm when devices are synchronised back to the
enterprise
- Set standards for centralised, controlled synchronisation
products to ensure only approved applications are used and that
important data is backed up automatically. These management
products also help to ensure that the borderline between company
and personal worlds is kept at controllable levels. Consider
blocking the ability to sync the device to more than one computer,
so that a user cannot sync work data to a home computer.
To summarise, disable unwanted features where possible and enforce
best practices where necessary. Ensure users understand the
importance of the security policy document and are aware of the
consequences of bypassing the guidelines and creating a potential
or real security breach.
A good manager should never underestimate the ingenuity of the
user. Mobile devices are appearing with an ever-widening range of
connectivity options: USB, Bluetooth, 802.11, infrared, GSM and
GPRS. Data can be transferred easily from one device to another so
all methods of transfer should be blocked whenever possible.
By following these steps a company can secure and protect its data
while in transit, as if it were building virtual walls and
instilling the same physical security measures that would be found
in an office environment.
Mobile computing is about being free to work outside the office
environment and using the technologies that are readily available
to secure information stored on these devices to deliver a free,
flexible and secure mobile workforce.
Kurt Lennartsson is senior vice-president of strategy for
Pointsec Mobile Technologies