A flexible and mobile workforce is of huge benefit to the business, but it is essential that company information is kept secure. Kurt Lennartsson explains
When a company deploys a mobile workforce, it invests in laptops, personal digital assistants (PDAs), mobile and smart phones, and its staff are out there chasing and, hopefully, winning business.
Mobile computing appears to be achieving everything it should. Until one day the sales director loses his laptop with confidential company information on it, and it mysteriously turns up in the hands of a competitor. Worse still, the financial director has his PDA stolen at the airport and it is not secured even though it has the company accounts, salaries, and customer details stored on it.
What are the implications if this indiscretion hits the market? The company's share price drops, its customers lose faith and, in the worst scenario, the financial director ends up in prison for contravening the Data Protection Act.
This may be a little far-fetched, but mobile phones, laptops and PDAs do get lost every day and, with them, people lose telephone numbers, bank account details, diary information, notes and memos - often with little chance of this information being recovered. This can be highly inconvenient if it is not backed up and could be disastrous if it is not secure.
In a PDA usage survey conducted earlier this year by Pointsec and Computer Weekly, one in 10 people admitted they kept all their confidential information on their PDA. And of these, 72% admitted they use their PDA as a business tool but a quarter do not use any security to protect this company data.
When devices containing company information disappear and do not have adequate security, it can be substantially more than "inconvenient" for the company concerned. Enterprises need to recognise that data is their most valuable asset and treat it with due care.
Here are a few tips on ensuring your mobile workforce stays secure and does not fall into the trap of losing confidential company information.
- Create a mobile device security policy specifically highlighting handheld devices
- Create an awareness programme to make the policy known within the organisation. Staff must be told about the security implications of mobile devices, and what actions will be taken if the policy is ignored
- Never rely on techniques or products that allow the user to make security decisions. All security settings should be maintained and controlled centrally
- Require enforceable mandatory access control on all devices as the first line of defence. Users should not be able to disable the access control put in place
- Buy PDAs for staff. Never allow users to connect their personal devices to the company network. (Who owns the data and controls the security on a personal device?) Company ownership is a pre-requisite for maintaining a strong security profile
- Standardise on a few brands of devices and support only a few mobile operating systems. Too many devices and operating systems will multiply your worries. Knowledge of device and operating system internals is key to keeping up with vulnerabilities and knowing how to fix them
- Use password/PIN standards. Specifically consider device input and screen limitations, as small screens and keyboards do not make regular passwords easy to use. Consider the use of two-factor authentication: something you know, like a PIN or a picture-based PIN (using symbols), in combination with biometric or signature recognition technology
- Approved devices need to carry their own defences. You need to think about each device and removable medium as a self-contained unit that will contain confidential data and therefore needs to be protected. Consider automatic and user-transparent encryption on all data on a mobile device and removable medium - virtual physical security
- Mandatory and enforceable use of encrypted removable media prevents data from leaking when a user tries to store both music and company data on the same Compact Flash memory card
- Track and label devices. Treat mobile devices like desktops and laptops, labelling them and keeping records
- Treat wireless technologies like the Internet. Use a virtual private network (VPN) on top of Wired Equivalent Privacy to connect to the internal network. Consider the use of one-time password tokens or certificates for opening VPN connections. A personal firewall will also soon be needed for mobile devices as the number of applications, services and ways to connect increases
- Select and deploy an antivirus product that works in conjunction with any antivirus products already in place in the organisation. Soon we will see Trojans and viruses that can cause real harm when devices are synchronised back to the enterprise
- Set standards for centralised, controlled synchronisation products to ensure only approved applications are used and that important data is backed up automatically. These management products also help to ensure that the borderline between company and personal worlds is kept at controllable levels. Consider blocking the ability to sync the device to more than one computer, so that a user cannot sync work data to a home computer
To summarise, disable unwanted features where possible and enforce best practices where necessary. Ensure users understand the importance of the security policy document and are aware of the consequences of bypassing the guidelines and creating a potential or real security breach.
A good manager should never underestimate the ingenuity of the user. Mobile devices are appearing with an ever-widening range of connectivity options: USB, Bluetooth, 802.11, infrared, GSM and GPRS. Data can be transferred easily from one device to another so all methods of transfer should be blocked whenever possible.
By following these steps a company can secure and protect its data while in transit, as if it were building virtual walls and instilling the same physical security measures that would be found in an office environment.
Mobile computing is about being free to work outside the office environment, and using the readily available technologies to secure the information stored on these devices delivers a free, flexible and secure mobile workforce.
Kurt Lennartsson is senior vice-president of strategy for Pointsec Mobile Technologies