Mobile computing delivers everything it promises, until you find your sales director has lost her laptop with the most confidential company information on it, and it mysteriously finds its way into your competitor's greasy hands. Worse still, your financial director has his PDA stolen in an airport; it is not secured, and he has all the company accounts, salaries, and customer details stored on it. What are the implications if this indiscretion hits the market? Your share price drops, customers lose faith in your company and, in the worst case, your FD ends up in prison for contravening the Data Protection Act.
A little far-fetched perhaps, but we all know mobile phones, laptops and PDAs get lost every day, with people losing telephone numbers, bank account details, diary information, notes and memos, often with little chance of this information ever being recovered. Highly inconvenient if it is not backed up, dangerous if it is not secured. In the PDA Usage Survey conducted earlier this year in the U.K. by Pointsec and Computer Weekly, one in 10 people admitted to keeping all of their confidential information on their PDA. Of those surveyed, 72 percent admitted to using their PDA for company use, but a quarter used no security to protect this information. When these devices contain company information and disappear without adequate security, it is rather more than inconvenient. Companies need to recognize that data is a company's most valuable asset.
In addition, it is imperative that organizations ensure the secure transfer of data transmitted between client and server in both directions. This should be achieved through encryption, with access controlled from behind the firewall. Synchronization should then be permitted not at the PC level but only between the mobile device and a server (typically installed inside the firewall), allowing IT staff to manage and control the process from a central location. This means putting the right infrastructure in place to monitor mobile device usage effectively without any action on the user's part.
Here are a few hints and tips on ensuring your mobile workforce stays secure and avoids falling into the trap of losing confidential company information.
1. Create a mobile device security policy specifically designed for handheld devices.
2. Create an awareness program to make the new policy known within the organization. Staff must be told about the security implications of mobile devices, and what actions will be taken if the policy is ignored.
3. Never rely on techniques or products that allow the user to make security decisions. All security settings should be maintained and controlled centrally.
4. Require enforceable mandatory access control on all devices as the first line of defense. Users should not be able to disable the access control put in place.
5. Purchase PDAs for employees. Never allow users to connect their personal devices to the company network (who really owns the data and controls the security on a personal device?). Company ownership is a prerequisite for maintaining a strong security profile.
6. Standardize on a few brands of devices and support only a few mobile operating systems. Too many devices and operating systems will multiply your worries. Knowledge of device and OS internals is key to keeping up with vulnerabilities and knowing how to fix them.
7. Use password/PIN standards. In the policy, specifically consider device input and screen limitations, as small screens and the lack of easy-to-use keyboards do not make regular passwords practical. Consider two-factor authentication: something you know, such as a numeric or picture-based PIN (using symbols), in combination with biometric or signature recognition technology.
8. Approved devices need to carry their own defenses. Think of each device and each piece of removable media as a self-contained unit that WILL contain confidential data and therefore needs to be protected adequately. Consider automatic, user-transparent encryption of all data on the mobile device and on removable media. Mandatory, enforceable use of encrypted removable media prevents data from leaking when a user stores both songs and company data on the same CF card.
9. Track and label devices. Treat mobile devices like desktops and laptops, labeling them and keeping records.
10. Treat wireless like the internet. Use a VPN on top of WEP to connect to the internal network. Consider the use of one-time password tokens or certificates for opening VPN connections. A personal firewall will soon also be needed on mobile devices as the number of applications, services and ways to connect increases.
11. Select and deploy an anti-virus product that works in conjunction with the AV products already in place in the organization. It is only a matter of time before we see Trojans and viruses that cause real harm when devices are synchronized back to the enterprise.
12. Set standards for centrally controlled synchronization products to ensure that only approved applications are used and that important data is backed up automatically. These management products also help to ensure that the boundary between the company world and the personal world is kept under control. Consider using these tools to prevent a device from syncing with more than one computer, avoiding the danger of users syncing work data to a home computer.
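Points 4, 7 and 8 above call for device-side access control that the user cannot switch off, PIN rules that suit a small keypad, and a PIN that gates access to encrypted data. The following Python is an added illustration written for this article, not Pointsec code: it checks a numeric PIN against a simple policy, stores only a salted PBKDF2 verifier rather than the PIN itself, applies an escalating lockout after repeated failures, and discards the verifier (rendering the protected data unreadable) once the failure limit is reached. The policy values, class and function names are assumptions chosen for the example; a real deployment would push the policy from a central management server.

```python
"""PIN policy check and failed-unlock lockout (added illustration, not from the article)."""
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass(frozen=True)
class PinPolicy:
    """Hypothetical policy values; in practice these are set centrally, not by the user."""
    min_length: int = 6
    lockout_after: int = 5          # escalating delay starts at this many failures
    base_lockout_seconds: int = 30  # delay doubles with each further failure
    max_failed_attempts: int = 10   # verifier is destroyed at this point


def _is_sequence(pin: str) -> bool:
    """True for strictly ascending or descending digit runs such as 123456 or 987654."""
    if len(pin) < 2 or not pin.isdigit():
        return False
    steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
    return steps in ({1}, {-1})


def pin_violations(pin: str, policy: PinPolicy) -> list[str]:
    """Return every policy rule the candidate PIN breaks (empty list means acceptable)."""
    problems = []
    if not pin.isdigit():
        problems.append("non-digit characters")
    if len(pin) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} digits")
    if len(set(pin)) == 1:
        problems.append("all digits identical")
    if _is_sequence(pin):
        problems.append("ascending or descending sequence")
    return problems


class PinStore:
    """Holds a salted PBKDF2 verifier for the PIN and enforces the lockout rules.

    The device never stores the PIN; in a full design the same derivation would
    also unwrap the key that encrypts the device's data, so destroying the
    verifier makes that data unreadable.
    """

    ITERATIONS = 50_000  # kept low for the example; raise for production use

    def __init__(self, pin: str, policy: PinPolicy):
        violations = pin_violations(pin, policy)
        if violations:
            raise ValueError("PIN rejected: " + ", ".join(violations))
        self.policy = policy
        self.salt = os.urandom(16)
        self.verifier = self._derive(pin)
        self.failed = 0
        self.wiped = False

    def _derive(self, pin: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), self.salt, self.ITERATIONS)

    def lockout_seconds(self) -> int:
        """Delay the device must enforce before accepting the next unlock attempt."""
        if self.failed < self.policy.lockout_after:
            return 0
        return self.policy.base_lockout_seconds * 2 ** (self.failed - self.policy.lockout_after)

    def unlock(self, attempt: str) -> str:
        """Return 'unlocked', 'denied' or 'wiped'; the caller must honour lockout_seconds()."""
        if self.wiped:
            return "wiped"
        if hmac.compare_digest(self._derive(attempt), self.verifier):
            self.failed = 0
            return "unlocked"
        self.failed += 1
        if self.failed >= self.policy.max_failed_attempts:
            self.wiped = True
            self.verifier = b""  # destroy key material; nothing is left to brute-force
            return "wiped"
        return "denied"


if __name__ == "__main__":
    policy = PinPolicy()
    print("123456 ->", pin_violations("123456", policy))
    store = PinStore("739215", policy)
    for guess in ["000000"] * 6 + ["739215"]:
        print(guess, store.unlock(guess), "next delay:", store.lockout_seconds(), "s")
```

The constant-time comparison, the salt and the iterated derivation are there so that a stolen device yields no shortcut to the PIN; the lockout and wipe thresholds are what make the control "enforceable" in the sense of point 4, since they run on the device regardless of what the user would prefer.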
By following these mobile security steps, a company can secure and protect its data while in transit, as if it were building virtual walls and applying the same physical security measures you would normally find in an office environment. Mobile computing is about being free to work outside the office, and with the technology readily available to secure all information stored on these devices, nothing should stand in the way of a free, flexible and secure mobile workforce.
Kurt Lennartsson is senior vice president of strategy, Pointsec Mobile Technologies, Inc. (www.pointsec.com).
Pointsec is exhibiting at Infosecurity Europe, Europe's largest and most important information security event. Now in its 8th year, the show features Europe's most comprehensive FREE education program, and over 200 exhibitors at the Grand Hall at Olympia from April 29- May 1, 2003. www.infosec.co.uk