Whether it's an employee making a tree change or a sea change, an executive who spends the majority of their time on the road, or simply a staff member who wants to stay connected outside of work hours, remote and mobile workers are now firmly entrenched in Australian businesses.
Within Australia, we have seen an explosion in the popularity of endpoint devices - such as mobile phones, PDAs and laptop computers - to meet the demand of this changing workforce. We have also witnessed a rising trend of employees choosing to use personal devices on the corporate network rather than company-issued devices, and an increasing adoption of DVDs and USB storage devices in the workplace.
Social networking is also being embraced by organisations both internally and externally, and in many cases it is now the norm to allow employees to access popular social networks and use wikis to improve information-sharing between teams and enhance productivity. However, with the rise of web-based attacks, protecting these interactions has become critical. According to Symantec's latest Internet Security Threat Report, web-based attacks are now the primary attack method and 63 per cent of vulnerabilities reported in 2008 affected web applications.
The bottom line is that we now live in a world where information can be accessed virtually anywhere, anytime, and from any device. And while businesses are embracing these changes, many are struggling to adequately protect their information, which is now as mobile as their workforce. The result is that businesses are changing the way they secure their information. Rather than security revolving solely around a company's infrastructure or devices, it now should revolve around an organisation's most important asset: their information.
Managing Risk in a Mobile World
So how can organisations reap the productivity and business advantages that come hand-in-hand with these recent trends without exposing themselves to an additional set of IT security risks? The answer lies in protecting the information as well as the device it resides on through the implementation of security technologies, development of policies and processes, and education for all employees and visitors to the network.
One of the most important ways a company can protect their information is by managing access to confidential information. This in turn minimises the number of mobile devices this information can be accessed from and consequently reduces the chance of a breach. In addition, by installing the right data loss prevention technologies, the processes supporting these policies can be automated and provide a range of options to quickly respond to policy violations.
For example, a business might decide to establish a policy stating employees cannot put customer credit card data on a USB key. To support this policy, it installs a data loss prevention solution that recognises this information and when it is copied. One day this technology registers that an employee has downloaded a spreadsheet containing credit card numbers onto a USB device and issues an alert that triggers a series of processes. The business is then in a position to warn the employee, lock down the computer's USB drive, isolate the computer from the network, or take other appropriate actions.
These policies and technologies can also provide a business with options if the information, regardless of the medium, is lost or stolen. This includes barring network access from the device, disabling any active passwords, and quickly identifying any sensitive information that may reside on it.

Businesses should also ensure that any device that hosts or sends sensitive data is equipped with up-to-date security software and patched regularly. The recent Conficker worm infected millions of PCs, and many of these systems were infected largely because they had older versions of security software installed on their network or mobile devices.
When investing in a security solution, businesses should consider a solution that is sophisticated enough to defeat not only known threats, but unknown threats as well. Businesses need to know that their critical information is safe - wherever it's used or stored. That means in laptops, desktops, mobile devices, on servers, in email, over the network, and in storage devices.
Many businesses have adopted, or are already considering, endpoint virtualisation solutions. These solutions provide instant on-boarding for the full-time and casual mobile worker. Applications are delivered as needed and updated instantly, as are online and offline support and policy-driven functions. IT can enforce central policies for specific virtual applications and OS settings, while users can control their own personal system and application settings.
Education Is Key
It is also important to remember that one of the most critical elements or strategies for minimising the risk of breaches from mobile devices is a comprehensive user education program. No matter which security and back-up system is employed, the best policy is undoubtedly educating employees on the potential threats and encouraging them to take precautionary measures. This includes educating staff on specific security policies related to mobile device usage, providing training for mobile device users with simple security guidelines and protocols on reporting any lost or stolen devices, and creating security policies specifically for mobile device users, such as mandatory password protection on all devices and encrypting any sensitive data stored on the device.
Making the most of mobile devices and new communications media, such as social networking sites, can supercharge your business but it is vital to limit associated risks. By combining a comprehensive education program with an information-centric approach to security and strong security policies, you can minimise the risk of security threats to your business.
Craig Scroggie is the vice president and managing director of Symantec in the Pacific region.