Protect and survive : simple rules for the workforce beyond the corporate firewall

Loss of mobile devices is increasing but there are many ways to protect data

As the workforce becomes mobile, confidential corporate and personal information is increasingly being stored on a range of mobile devices, such as laptops, PDAs and smartphones. Unfortunately, this proliferation of devices that operate outside the secure perimeter of the corporate firewall is creating a significant security risk for the enterprise.

The main issue with mobile devices is that they are vulnerable to theft and loss. For example, a widely cited survey by mobile security specialist Pointsec revealed that 63,135 mobile phones, 5,838 PDAs and 4,973 laptops were left in the back of London taxis in the last six months of 2004 alone. The loss of phones in that period works out to an average of three phones per taxi.

But while the cost of replacing the devices themselves is relatively insignificant, the cost of losing confidential personal information such as credit card details or sensitive corporate data on the latest financial or strategic plans can be critical.

According to the US-based Computer Security Institute, for example, the theft of a laptop results in an average financial loss to an enterprise of £51,000, with only a fraction of the sum relating to hardware costs.

At the same time, ever stricter non-disclosure and corporate governance regulations also mean that it is increasingly in the interest of organisations to operate and enforce mobile security policies.

It comes as a surprise, then, to learn that most companies have not yet taken steps to address these issues. A recent online survey of more than 2,000 IT managers performed by market analyst house Quocirca, for example, found that 80% of respondents see mobile workers themselves as constituting the main mobile security threat.

However, 20% of those surveyed admitted that although their companies have widely deployed mobile devices, they have not implemented any effective security policies. More worryingly, of those companies that had taken the time to draw up a mobile security policy, 60% did not bother to enforce it.

"Responsibility is a two-way challenge. When things go wrong it is not just down to the individual user being careless, it is also down to the organisation not putting the right policies in place or enforcing them. It is the responsibility of the company to set out the right procedures around mobile devices, and to educate the workforce about good practice. Good companies do this," said Rob Bamforth, senior security analyst at Quocirca.

Fortunately, there is a growing arsenal of tools available for securing mobile devices, from the device itself right through to controlling remote access to the corporate network.

However, according to Bamforth, the first step is education. For example, common sense should prevail when using phones, PDAs and laptops in public spaces, although the London cab survey suggests that it is seldom applied.

But, equally, mobile security is not just about guarding against theft or loss. For example, confidential information can easily be read by someone peering over a shoulder at the screen of a mobile device.

Bamforth calls this awareness of environment. "It's just common sense. Don't be as trusting - leaving a device on the table of a coffee shop - as you would be in the office. Keep devices in a bag in some situations, and take into account whether people can see over your shoulder when opening confidential or sensitive documents. Some people just forget where they are," he said.

While policies can be easily drawn up, human nature dictates that education is rarely enough, unfortunately. This is where technology can help to monitor and enforce such policies.

Passwords and PINs comprise the first and simplest line of defence. But while most devices offer this capability as standard, the problem is ensuring that employees always use them.

"All devices have this feature, but from a corporate perspective you do not want to leave that decision to the user. Our software, for example, provides the ability to set policies and enforce them, so that if a user turns the password capability off, an IT administrator can turn it back on again," said Bill Jones, vice-president of product management at mobile software company Intellisync (which was acquired by handset manufacturer Nokia in February).

Many systems - including Intellisync's Mobile Systems Management, Landesk Software's Security Suite, Altiris' Handheld Management Suite and Bluefire's Mobile Security Suite - offer this ability to set password policies from a central console.

In addition, such systems allow administrators to set password strength, such as eight-character alphanumeric codes, and to set options, such as device reset or wipe, if an incorrect password is entered a specified number of times. A wipe-after-N-failures setting only protects data that cannot simply be read by removing the storage, so it complements, rather than replaces, encryption of the data itself.
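The centrally enforced password policy described above, as an added example (this is illustrative code, not Intellisync's, Landesk's or any other vendor's): a device that stores only a salted hash of its unlock password, refuses passwords that break the policy, counts consecutive failed unlocks and wipes itself at the threshold, and a console-side enforce call that switches the lock back on when a user has turned it off. The class and field names, the sample document list and the thresholds are assumptions made for the example.

```python
import hashlib
import hmac
import os
import re
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass(frozen=True)
class PasswordPolicy:
    """Policy pushed from the central console (constructed values)."""
    min_length: int = 8
    require_letters: bool = True
    require_digits: bool = True
    max_failed_attempts: int = 10   # consecutive failures before the device wipes


def policy_violations(password: str, policy: PasswordPolicy) -> List[str]:
    """Return the rules the password breaks; an empty list means it is acceptable."""
    problems = []
    if len(password) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")
    if policy.require_letters and not re.search(r"[A-Za-z]", password):
        problems.append("contains no letters")
    if policy.require_digits and not re.search(r"[0-9]", password):
        problems.append("contains no digits")
    return problems


def derive_hash(password: str, salt: bytes) -> bytes:
    # Store a salted, deliberately slow hash, never the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


@dataclass
class Device:
    policy: PasswordPolicy
    data: List[str] = field(default_factory=list)   # constructed stand-in for stored documents
    lock_enabled: bool = True
    failed_attempts: int = 0
    wiped: bool = False
    _salt: bytes = field(default_factory=lambda: os.urandom(16))
    _hash: Optional[bytes] = None

    def set_password(self, password: str) -> List[str]:
        """Apply a new password; refused (violations returned) if it breaks policy."""
        problems = policy_violations(password, self.policy)
        if not problems:
            self._salt = os.urandom(16)
            self._hash = derive_hash(password, self._salt)
            self.lock_enabled = True
        return problems

    def user_disables_lock(self) -> None:
        """The convenience setting the article warns about: user switches the lock off."""
        self.lock_enabled = False

    def admin_enforce(self) -> bool:
        """Console re-enables the lock remotely; returns whether anything changed."""
        changed = not self.lock_enabled
        self.lock_enabled = True
        return changed

    def unlock(self, attempt: str) -> bool:
        """Attempt to unlock. Failures accumulate until a success or a wipe."""
        if self.wiped:
            return False
        if not self.lock_enabled:
            return True   # no password prompt at all: this is the hole admin_enforce closes
        if self._hash is None:
            return False  # lock on but no compliant password set yet: stay locked
        if hmac.compare_digest(derive_hash(attempt, self._salt), self._hash):
            self.failed_attempts = 0
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_failed_attempts:
            self.wipe()
        return False

    def wipe(self) -> None:
        """Destroy stored data and credentials; the device stays unusable until reprovisioned."""
        self.data.clear()
        self._hash = None
        self.wiped = True


if __name__ == "__main__":
    d = Device(PasswordPolicy(max_failed_attempts=3), data=["q1-forecast.xls"])
    print(d.set_password("12345678"))    # refused: contains no letters
    print(d.set_password("Summer2006"))  # accepted
    d.user_disables_lock()
    print(d.unlock("anything"), d.admin_enforce(), d.unlock("anything"))
    for guess in ("a", "b", "c"):
        d.unlock(guess)
    print(d.wiped, d.data)
```

The failure counter is reset only by a successful unlock, not by power-cycling or by the user turning the lock off and on, which is the property a real implementation has to preserve in persistent storage for the wipe threshold to mean anything.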

Another problem with passwords, however, is the number of them that users are now required to remember: for access to devices, the corporate network, enterprise applications, websites, and so on.

HP's Credential Manager for ProtectTools, which is being built into HP notebooks and PDAs, for example, "remembers" users' passwords and personal information. The stored credentials are protected by a chip in the device known as the trusted platform module (TPM), meaning that users only have to remember one password (to gain access to the TPM).

It also provides a higher level of security as long passwords are no longer a problem, as they are stored in the TPM - not on a sticky note.

"Users don't have to remember passwords so it means you can implement much tighter security. For example, a 32-word password for access to websites, applications and networks, is no problem as the TPM remembers them all," said Steve Doddridge, senior notebook consultant at HP EMEA.

Through the TPM, all HP notebooks also offer DriveLock, which means that unless anyone trying to access the device can present the appropriate 32-word password - which is held by the TPM and released only once the user has authenticated to it - the hard drive is completely locked down.

A further level of mobile device security is provided by data encryption, whereby data on the device can only be accessed if the user holds the correct key. The device management suites mentioned above, from the likes of Intellisync and Landesk, usually offer 128-bit encryption for data stored on mobile devices - as do specific encryption products from suppliers such as Pointsec, iAnywhere, GoodLink and OpenHand.

Encryption is available for laptops, PDAs and smartphones - for the latter covering most of the mobile platforms, including Windows Mobile, Symbian, PocketPC and Palm OS. However, the flip side is that data encryption does carry a performance cost, so less powerful devices will suffer more.

Smartcards and tokens for mobile devices - available from suppliers such as RSA Security, Verisign, SafeNet and Aladdin - offer another form of authentication. Because a token can easily be misplaced or stolen, it is usually combined with a password or PIN that, in theory, only the user knows; the combination of something the user holds and something the user knows is what is meant by two-factor authentication.

One of the strongest forms of user authentication is biometrics, such as fingerprint and iris scanning, and voice and face recognition, which many devices are beginning to incorporate.

Laptops incorporating fingerprint scanners, for example, are available from HP (Notebook), IBM (Thinkpad), Dell (Latitude), Sony (Vaio), Fujitsu (Lifebook) and Toshiba (Tecra).

Increasingly, fingerprint scanners are also being incorporated into PDAs - such as HP's iPaq hx2790. As scanners decrease in size and cost, and improve in terms of reliability, they are set to appear in an increasing array of handheld devices, with a number of biometric-enabled handsets from manufacturers LG and Pantech already available in Japan and South Korea.

According to Doddridge, fingerprint scanners will be increasingly incorporated into the HP range of devices throughout 2006. However, while many claim that biometrics theoretically removes the need for passwords and other forms of authentication, an equal number believe that biometrics should only be used in cases of extreme security - on the chief executive's laptop, for example - at least until users become more comfortable with using the technology.

Third-party scanners, such as fingerprint scanners incorporated into the mouse or via a USB port, are also available for under £60 from a range of companies, such as Sony, Microsoft and Lexar.

However, Andrea Wood, personal technology analyst at Jupiter Research, warned that such USB-based tools can create an additional security threat. "Some add-on products that use the USB port are not as secure, because if you can somehow deactivate the USB port, then that security check can be bypassed. It is better to upgrade to a machine that comes with a scanner integrated," she said.

Meanwhile, USB-based memory products, such as Flash memory cards, sticks and pens, are another security threat, as they can be easily lost or stolen. Policies governing their use are, therefore, imperative.

While authentication represents a way of identifying a user to the device, or a device to the network, malicious code and viruses represent a slightly different threat: that of data corruption and loss. Mobile devices can introduce viruses or worms into the corporate network, which can wreak havoc.

Any device connecting to the internet should have anti-virus, anti-spyware and anti-malware protection. On the laptop, companies such as McAfee, TrendMicro, F-Secure and Symantec all offer strong protection in this area. They also increasingly offer the same capabilities for smartphones and PDAs - although the virus risk for smartphones is still largely theoretical, with only a handful of reports of breaches.

Device management products, meanwhile, can push anti-virus and anti-spyware signature updates automatically, so that any device trying to gain access to the corporate network with outdated anti-virus software will be quarantined and updated automatically.

As well as installing anti-virus updates, device management suites monitor all devices trying to access the corporate network, and can be set to quarantine or correct those with incorrect security settings, out-of-date patches or that have had the password function switched off.

"You cannot have a secure environment unless you know all the machines in your system and what their settings are in terms of anti-virus, spyware, patch management, password control, and so on," said Daniel Powter, Northern Europe manager at Landesk Software.

Likewise, Cisco's Network Admission Control (NAC) can either be built into the routers or offered as a plug-in option to control access to a Cisco-based network. Network Admission Control is an initiative of more than 60 suppliers working together to offer a network that can check the security compliance of devices when remote access to systems is granted.

"It can check that a security patch or anti-virus update is loaded onto any device trying to access the network and update it if necessary. If a device does not comply with an organisation's security policy we can deny access to the network, quarantine it, or give the device just enough access to fix the problem," explained Kevin Regan, senior security analyst at Cisco.

Like Landesk's, the Cisco approach is designed to automatically update mobile devices even if they have been disconnected from the corporate network for a period of time.
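The posture check that both the Landesk-style device management suite and the Cisco admission-control approach describe above, written out as an added example (illustrative code, not Landesk's, Cisco's or any NAC product's): each device hands over a report of its anti-virus signature age, missing patches, password lock and encryption state; the admission point allows compliant devices, quarantines devices with problems the console can fix remotely and returns the list of fixes, and denies outright any device that is not in the managed inventory, since nothing can be pushed to a machine the console does not know. Field names, thresholds, segment names and the sample reports are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class Posture:
    """What a device reports when it asks to join the network (constructed fields)."""
    host: str
    av_signature_date: date
    missing_patches: int
    password_lock_on: bool
    encryption_on: bool


@dataclass(frozen=True)
class AdmissionPolicy:
    """Compliance thresholds set at the console (constructed values)."""
    max_signature_age_days: int = 7
    max_missing_patches: int = 0
    require_password_lock: bool = True
    require_encryption: bool = True


# Network segment each decision maps to (assumed names).
SEGMENT = {"allow": "corporate", "quarantine": "remediation-only", "deny": "none"}


def remediation_needed(p: Posture, policy: AdmissionPolicy, today: date) -> List[str]:
    """List what the console must push to this device before it is compliant."""
    steps = []
    age = (today - p.av_signature_date).days
    if age > policy.max_signature_age_days:
        steps.append(f"update anti-virus signatures ({age} days old)")
    if p.missing_patches > policy.max_missing_patches:
        steps.append(f"install {p.missing_patches} missing patch(es)")
    if policy.require_password_lock and not p.password_lock_on:
        steps.append("re-enable password lock")
    if policy.require_encryption and not p.encryption_on:
        steps.append("enable storage encryption")
    return steps


def admit(p: Posture, inventory: Set[str], policy: AdmissionPolicy,
          today: date) -> Tuple[str, List[str]]:
    """Return (decision, remediation steps).

    Unknown devices are denied before any posture is considered: the console
    cannot remediate a machine it does not manage, so 'quarantine and fix' is
    not an option for them.
    """
    if p.host not in inventory:
        return "deny", ["device not in managed inventory"]
    steps = remediation_needed(p, policy, today)
    if steps:
        return "quarantine", steps
    return "allow", []


# Constructed inventory and sample reports, as of an assumed date.
INVENTORY = {"lap-0412", "pda-0077"}
TODAY = date(2006, 3, 1)
SAMPLE_REPORTS = [
    Posture("lap-0412", date(2006, 2, 27), 0, True, True),    # compliant laptop
    Posture("pda-0077", date(2006, 1, 10), 2, False, True),   # stale, unpatched, lock off
    Posture("lap-9999", date(2006, 2, 28), 0, True, True),    # looks fine but unmanaged
]


def admit_all(reports: List[Posture], inventory: Set[str] = INVENTORY,
              policy: AdmissionPolicy = AdmissionPolicy(),
              today: date = TODAY) -> Dict[str, Tuple[str, List[str]]]:
    """Evaluate every report and return the decision per host."""
    return {p.host: admit(p, inventory, policy, today) for p in reports}


if __name__ == "__main__":
    for host, (decision, steps) in admit_all(SAMPLE_REPORTS).items():
        print(f"{host}: {decision} -> segment {SEGMENT[decision]} {steps}")
```

The remediation list is returned rather than just a pass/fail flag because the quarantine segment is only useful if the console knows what to push; a device that has been off the network for weeks will typically fail on several counts at once, as the sample PDA does.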

With such an array of tools - and critical and sensitive information increasingly circulating outside of the corporate firewall - there is no longer any excuse for lax mobile security.
