Users should encrypt mobile data to avoid falling foul of data protection legislation, according to a report on mobile security from analyst firm Burton Group.
Analyst Michael Disabato said encryption is the one foolproof method of protecting the contents of a disc drive or personal digital assistant, provided a strong, proven encryption algorithm is used and weak pass phrases or keys are avoided.
He said the built-in Encrypting File System for Windows and FileVault for Mac OS X mean users have little excuse for not encrypting laptop data. He said utilities are also available to encrypt the contents of PDAs without user intervention and these should be used as well.
The report advised companies to use recovery keys. Burton Group said these could then be made available if a user loses their encryption keys or leaves the company without revealing them.
Along with protecting data, Disabato urged IT directors to lock down mobile devices for security. In the report he pointed out that a number of wireless hotspots assign public IP addresses to users' machines when they connect, rather than using the more secure Network Address Translation protocol. He said these addresses are regularly scanned by hackers for vulnerable devices that can be infected with viruses or Trojan programs.
Disabato also warned that Windows XP has connection sharing enabled by default, which means it will connect with any wireless network it can find.
"This opens up a serious security hole, as most new laptops come with built-in wireless technologies (Bluetooth, 802.11), and any nearby wireless device can now access enterprise networks through the mobile device or the contents of the mobile device itself," the report said.
But although mobile technology can be made more secure, Disabato said the weakest link in the security chain was the user. The report said users would view security measures as an inconvenience rather than a protection.
Disabato said policies should be developed that cover mobile communications and computing.
What to include in a mobile use policy
Wireless LAN usage, including public hotspots, home networks, and the enterprise network
Cellular data and voice network usage. The largest security risk is the discussion of confidential information in a public place
Reporting mobile loss or theft
Approved connection types
Information authorised for storage on mobile devices - keep in mind the varying capabilities for encryption on each device type
Acceptable use of the network
Notification of human resources and IT when personnel leave the company or change function.
Source: Burton Group