No large organization is immune to the fact that the proprietary information used to run its business is leaving its control in increasing amounts.
How can this be? Corporations are collectively spending hundreds of millions of dollars every year on firewall, virus protection and encryption technologies in an effort to secure the network perimeter that protects their information assets. In addition, these corporations are expending a tremendous amount of corporate resource and effort to implement these technologies. With all this investment and effort, how can it be that companies have failed to prevent their corporate data from leaking beyond their span of control? The answer is that they failed to understand and adapt to the changing landscape of emerging mobile and wireless technologies.
The amazing reality is that every day an increasing amount of sensitive business information is carried off the company's premises by well-meaning employees trying to do more with less on mobile computing devices such as laptop and tablet PCs, PDAs and smart phones.
But what those on-the-go professionals and the IT and security professionals at their company fail to understand are the incredible privacy and security risks the company is taking as a result of using these devices. Attractive theft targets, mobile and wireless devices are desirable not only for their inherent value as devices, but also for the contacts, schedules, sales data and the access they can afford to enterprise networks. It's easy to see that mobile and wireless devices create new security issues that may lead to corporate espionage, public embarrassment or even financial hardship.
But is it really that bad? And if so, how did such a monumental security breach come about?
The mobile revolution
Mobile and wireless device usage marks the beginning of a new computing paradigm – one that is uncontrolled, rapidly growing and mimicking the Wild West. With recent advances in computing power and storage capacity, today's Palm or PocketPC handheld computing device is more powerful than most laptops of the early 1990s:
- Storage – Base memory of 32-64MB is common with add-ons of up to 1 GB on removable media such as a Compact Flash card.
- Processor – 200-400 MHz processors are the norm.
- Connectivity – some combination of serial, USB, infrared, Bluetooth, cellular, WiFi and wired network connectivity support is built into almost every device manufactured.
- Applications – sophisticated and ubiquitous software such as Microsoft Word, Excel and PowerPoint, not to mention databases, is available on even the lowest-cost device today.
- Ease of use – bundled synchronization software coupled with wireless/internet services makes it simple to always stay in touch with the latest information needed by the mobile professional.
And, almost more important than the device's powerful capabilities, is the price tag. For example, a handheld device ranges in price from $100 - $600 or roughly one-tenth to one-half the cost of a low-end laptop. This means that these devices are priced appropriately for birthday or Christmas gifts and accessible to the masses of corporate workers who will benefit from their power. And due to the nature of these devices, high concentrations of users are found in corporate environments – even though these devices may be employee-owned and not provided by the company. IDC states that there are 134 million mobile devices in use today and estimates that by 2005, over 229 million devices will be used by mobile professionals in Fortune 2000 companies worldwide.†
If you couple a mobile device's powerful capabilities, which can be obtained at a reasonable price, with the capability to wirelessly access information anytime, anywhere, the potential value to an organization is staggering. If sales people can easily access account, order history, pricing, product availability and roadmap information while sitting with the customer, they can dramatically decrease the sales cycle. If physicians can easily obtain access to patient information and drug interaction data, they can provide higher quality patient care. And, if managers can access e-mail while in the field, they don't lose touch with the office. Response times on critical issues decrease and ultimately the corporation can do more and better with less.
With improved productivity comes risk
But consider the ramifications to an organization as more and more employees use mobile devices to access and store corporate data.
- Email – Is there anything in your mailbox you'd like to keep confidential? Or, is it okay for the media or a major competitor to have this information?
- Contact and calendar information – Low risk, right? Wrong! How valuable would contact information for the key decision maker at your most important account be to your competitor?
- Documents – Would it be a problem if your company's price list, proposals, product roadmaps, contracts, and presentations got in the hands of a competitor? These documents are extremely valuable to the mobile professional and the risks to the enterprise are huge.
- Business applications – What if an unauthorized user could tap into your company's business applications? Does your security strategy extend to these devices the layered security techniques already in place for networked computing systems and networks?
For many organizations, the question boils down to this: if the above information were to fall into the wrong hands, would it impact your corporate brand, and what are the legal and financial implications?
But wait a minute, is it really that bad? Can't we trust employees to take adequate precautions and treat sensitive information appropriately? Unfortunately, it's not just a matter of employees taking precautions, although most employees rank data security concerns low on their list of priorities. But even if employees were perfect, mobile and wireless devices are exposed to inherently more vulnerable environments simply because they are mobile. Mobile and wireless devices face the following risks that stationary computing workstations do not encounter:
- Higher incidence of loss or theft. Because they are smaller in size and used more frequently, there's a higher likelihood that mobile devices will be lost or stolen.
- More encounters with foreign wireless or infrared network connections. Many mobile devices have wireless networking capabilities through Wi-Fi or Bluetooth, and nearly all have infrared capabilities. As Wi-Fi hotspots become more prevalent at locations such as coffee shops, airports and trade shows, the likelihood of an illicit connection to the device increases dramatically. And with the promiscuous nature of today's native networking capabilities, any such connection is likely to reveal all data on the device or give hackers the ability to plant Trojan horses or viruses, which can later be transferred through sync channels onto corporate networks.
- Peer-to-peer usage models. PDAs make it easy to beam applications and contact information using infrared (IR) communication or ad-hoc Wi-Fi or Bluetooth network connections. Such connections inherently bypass central management and control infrastructures, allowing viruses or Trojans to spread more effectively without any detection or protection, and/or allowing the unauthorized transfer of proprietary information to another device.
- Bridging of public and private networks. Because today's PDA is really a converged device that can connect to cellular, Wi-Fi, Bluetooth and IR networks simultaneously, there are risks associated with bridging public and private networks. For example, if a device user is connected to his or her corporate network via VPN over Wi-Fi, a hacker at the next table can simply use a Bluetooth connection to gain access to your corporate network.
Making mobility safe
In light of these risks and ramifications, what can be done to stop the increasing flow of sensitive, unprotected corporate information stored on mobile and wireless devices? There are a number of possible, but not always effective, approaches to take.
Some organizations use the "Ostrich Defense" and continue to ignore the problem, wistfully hoping that they will suffer no harm tomorrow because none is yet known today. Of course, ignoring the problem does not make it go away; rather, it limits one's ability to plan effectively or respond intelligently to the problem. Meanwhile, more and more proprietary enterprise data is being collected and stored on devices outside the control of IT – increasing an organization's risk of public embarrassment and exposing it to financial and legal liabilities.
Other organizations have tried the "Big Brother Defense." In an effort to keep corporate data within the safe confines of the secure networked perimeter, these organizations create heavy-handed policies restricting the use of mobile and wireless devices. Unfortunately, this never works since employees largely ignore such policies in the interest of "getting the job done." Most IT professionals concede that this approach is unenforceable and largely "a joke." However, in the absence of other alternatives, the "Big Brother Defense" has been the only real option available until recently.
However, leading organizations in distribution, financial services, government, health care and manufacturing are experiencing the power of mobility while effectively protecting mobile data with security management software that can ...
- Detect the use of mobile and wireless devices allowing companies to quietly assess their exposure to security risks and then manage their use.
- Protect mobile devices from unauthorized use with user-friendly device-resident security controls.
- Effectively manage and enforce the on-going compliance of security policies for thousands of mobile professionals using diverse mobile and wireless devices from a single security management console.
History has shown that technologies offering users improved productivity, efficiency and quality of life create a flip side of exposure and vulnerability for the enterprise. This has been true for PCs, the Internet and now mobile devices. Once information is moved beyond an organization's span of control, the existing security technologies used to fortify the network are no longer adequate. In recognition of the changing landscape, organizations must re-examine the way employees use corporate information and consider the new financial and brand risks posed by mobile and wireless technologies. With these risks assessed, rapid and decisive action to implement mobile security policies and management tools is needed to protect the increasing amounts of proprietary data that flow out of the enterprise each day due to mobile device use.
Chris Burchett is the Vice President of Engineering at Credant Technologies, a mobile data protection company.