Mobile mayhem

5th January 2010

Organisations of all shapes and sizes are increasingly reliant on mobile devices and wireless connectivity: we want to be ‘connected’ and able to ‘do business’ whenever and wherever it suits us. But our ever-increasing use of personal and corporate mobile phones, memory sticks, MP3 players, smart phones, PDAs, netbooks and laptops has not been matched by a corresponding increase in security. Lesley Meall, FSN contributing editor, looks at the measures you can take to secure the ever-growing list of mobile devices.

“A lot of organisations still don’t have the basics in place,” asserts Mark Fullbrook, UK director of Cyber-Ark Software, the information security specialist. 

Despite widespread awareness of the need to secure mobile devices and the corporate data they can provide access to, many organisations don’t even bother to use the security that comes as standard with many systems. Mobile devices without password protection are legion; wireless networks without firewalls are commonplace; unencrypted data is the norm, rather than the exception; the use of unsecured external networks by ‘roaming’ staff is pretty much endemic. So corporate networks, the data they contain, and reputations that rely on their safety, are all being put at risk. 

It doesn’t have to be this way. But if organisations want to experience the upside of mobile devices, they also need to focus on the downside – and take steps to minimise the associated risks. These include the loss or theft of physical assets, such as corporate mobile devices; unauthorised access to corporate systems and the sensitive data they contain; and the potential damage that can occur if these risks are not adequately addressed – which can range from the cost associated with breaches of legislation (such as the Data Protection Act) to the reputational damage that can be caused by adverse publicity.

Knowledge is power

If you don’t know what you have, you have very little chance of managing it, so as a first step, all businesses should take an inventory of their corporate mobile devices. How many are there? Where are they? Who is using them? Assign ID numbers to each mobile device, and keep track of who is using it. This can be done in a variety of ways, including paper-based systems, spreadsheets, and dedicated tools that range from scanning and tagging systems for hardware to the complete asset management solutions provided by organisations such as Strongtech and Wasp – and should form part of a wider IT asset-management programme. 

Managing the security issues raised by mobile devices is a little less straightforward, because it is multi-faceted and cannot be handled with a single off-the-shelf solution. But access control and data protection are the twin pillars of mobile security, so these should be the focus of your efforts. Always use passwords to control access to mobile devices and your business network. Make sure they are complex, changed frequently and not shared between staff; make data secure in the event of theft (of which more later); and ensure that the data held on mobile devices is backed up regularly, along with other valuable corporate data.

Staff education is absolutely vital if staff are to behave appropriately on a day-to-day basis and in the event of loss or damage. Even IT staff – who should definitely know better – don’t always bother to take the simplest precautions. When Credant Technologies conducted a mobile usage survey among IT professionals, it found that they were only marginally more likely (35 per cent) to password-protect their business phones and smart phones than the general population (40 per cent), even when the devices contained sensitive and confidential information.

“People responsible for IT security are not much better at protecting the information on their business phones than most of their co-workers, who don’t necessarily know any better,” comments Andrew Kahl, operations senior vice president at Credant, “which is alarming.” But it isn’t exactly a surprise, so it’s important to draw up a mobile usage policy, define the boundaries of acceptable and unacceptable behaviour, and ask staff to sign and confirm that they have read and understood it. This will reinforce the importance of the corporate policy and help to prevent many (if not all) misunderstandings.

But just as mobile IT asset management cannot be considered in a vacuum, neither can mobile security. “All organisations need to undertake a thorough audit of their information security measures,” suggests Cyber-Ark’s Fullbrook, and this should be extensive. “It should encompass every member of staff no matter how senior, all contractors, every device they are authorized to use (to access, output or transport data), and every application and data port they have access to,” he explains. The latter is particularly important because of the prolific numbers of personal devices capable of transporting corporate data.

The new threat landscape

Before the ‘consumerisation of IT’, the only storage device that most employees used (or owned) typically belonged to the company. Today, everyone has their own collection of personal digital devices and many think nothing of hooking them up to the corporate network. “Memory sticks are the smallest, easiest, cheapest and least traceable method of downloading data,” says Fullbrook, but other popular methods include emailing, CDs, online encrypted storage websites, smart phones, DVDs, cameras, SKYPE, and iPods. So plans to protect corporate data need to consider the extended enterprise, and encompass everywhere that data could be accessed or reside.

Myriad information security tools and services have been designed to help secure data on corporate networks and mobile devices, but data can be secured without buying any specialist products. “Nothing protects better than encryption,” says Eric Domage, research manager for security products and services at IDC, “and it doesn’t have to be a big budget exercise”. Organisations including AlertBoot and PGP provide a range of managed services, free encryption tools such as SafeHouse and TrueCrypt are available online, and software such as email management systems and operating systems often includes encryption features. The Encrypting File System, for example, is part and parcel of Microsoft Windows.

Although access control and data security are the essentials on which most mobile security policies and procedures are built, the significance of physical security should not be underestimated. “One of the biggest business costs associated with mobile devices is the need to replace them when they are lost or stolen,” reports Craig Robinson, managing director with BBW Consultants. So he suggests that businesses seek out the sort of end-point security product that can provide access security, remotely lock down a missing machine (limiting its functionality), and provide location information – which could help with its recovery.

Offerings such as DeviceLock and Beacon Endpoint Profiler can locate, map and secure numerous types of mobile device, and secure and control uploading and downloading via USB and FireWire devices, WiFi and Bluetooth adapters, CD-ROMs and floppy drives, infrared, serial and parallel ports. Dedicated tools are also available for specific devices. Absolute Software, for example, provides Computrace LoJack for laptops, which it says tracks, locates and helps recover stolen computers, and offers a Data Delete service that can be used to remotely erase personal and sensitive files from the hard drive.

A growing range of online data management services is also available to help with mobile information security. Organisations including Hyperoffice provide collaboration tools that can be used to minimise the need for storing corporate data on mobile phones and smart phones, while others focus more on securing the data held on these devices. Some or all of the contents of mobile phones can be backed up online with services such as AllMyNumbers and Mobyko (which also offers other phone management features), and users of Windows Mobile can now access (the beta test version of) Microsoft’s free My Phone service.

So, although mobile devices have never been more prolific and the challenges of managing them have never been greater, neither have the available options. Not everyone has the resources (or the inclination) to invest in dedicated tools; but basic access controls and information security measures (such as password protection and data encryption) offer an affordable way for all organisations to improve their mobile security and minimise the associated risks.