Recent horror stories in the news are prompting managers in organizations of all shapes and sizes to break out the industrial-strength Prozac:
Qualcomm CEO Irwin Jacobs’ laptop containing valuable, proprietary information vanishes after a presentation at a conference.
A former Morgan Stanley VP of mergers and acquisitions “innocently” auctions off his personal RIM BlackBerry handheld on eBay. For the bargain basement price of $15.50, the buyer receives more than 400 confidential e-mails and a database of more than 1,000 international Morgan Stanley execs.
Thieves nick notebook computers containing sensitive, classified information from the U.S., U.K. and Australian governments, setting off urgent inquiries into espionage of, quite literally, global proportions.
As more enterprises go mobile, dangers like these abound for major and minor breaches of security involving portable devices and data. Fortunately for you—and your psychotherapist—nightmares can be mitigated or even avoided altogether if security guidelines and technologies are put in place, implemented and enforced within your mobile workforce.
Corporate nomads and road warriors are let loose on the world at large armed with laptops, smartphones and PDAs with wireless capabilities seamlessly plugged into HQ and chock full of sales databases with confidential information. Of course, these devices are fully susceptible to crooks, hackers and, oops, outright forgetfulness. Your employees, excited about the cool new PDAs they bought on sale this weekend at the local megastore, start synching up a storm with their office PCs and your e-mail servers, thereby starting a very dangerous tango with your network apps and data.
As a number of factors converge to increase the vulnerabilities inherent in mobile enterprises, so does the availability of tactics and solutions that can help you protect your wireless devices and sensitive corporate data. This is good news for you—but only if you employ them in the context of a smart mobile strategy that is as well-scrutinized as your existing in-the-office game plan. Here are a few key tactics to incorporate into your mobile security blueprint:
1 Back it up!
So wouldn’t you know it: as your intrepid reporter was filing this story, her laptop froze up beyond all reach of CTRL+ALT+DEL. Scared straight and in a cold sweat, she swore that this was divine intervention and she needed to implement her own back-up policy post-haste!
With tools that make sticking to a low-hassle backup routine easier to deploy than ever, your road warriors can keep their data secure—even when on the move. Notebook CD-RW drives are the gold standard, but they’re not without limitations. Even high-capacity CDs only hold a max of 700 MB of data—and users will need to store them safely (i.e., not in a laptop case that can easily walk off) and protect them from damage. Online ASPs provide backup services which can be both convenient and secure, but you’ll need to navigate through scheduling and monthly/annual fee structures based upon storage volumes.
Gaining in popularity are mini USB drives or “pocket drives,” a mobile worker’s dream come true. The new generation of Iomega Mini USB drives use Hi-Speed USB (USB 2.0) technology that offers data transfer up to nine times faster than USB 1.1 drives. While tiny drives have great mobility appeal and serious cool factor, many are not designed with security features in mind. With storage capacities ranging from 8 MB to a full gig, products such as M-Systems’ encryption-backed DiskonKey and Trek’s password-protected ThumbDrive Secure provide both portability and data security for Windows users.
Simply said, data backup is your first line of defense against the loss of critical and sensitive information. Whichever method or methods you choose, ensure your mobile security policy mandates that each of your mobile workers is backing up critical company data on a weekly—if not daily—basis.
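Whatever media you choose, the routine itself should be verifiable, so that you can tell a good copy from a corrupt one and a compliant worker from an overdue one. The Go program below is an added example written for this article's guidance, not a tool from any vendor named here: it copies a folder, records SHA-256 digests of what it copied in a manifest, re-checks the copy against that manifest, and flags a worker whose last backup is older than the policy interval. The scratch paths, the sample file contents and the seven-day interval are constructed for the demonstration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"os"
	"path/filepath"
	"sort"
	"strings"
	"time"
)

// manifestName is the digest list written next to the copied files.
const manifestName = "MANIFEST.sha256"

// hexSHA256 returns the hex SHA-256 digest of data.
func hexSHA256(data []byte) string {
	sum := sha256.Sum256(data)
	return hex.EncodeToString(sum[:])
}

// Backup copies every regular file under src into dst and writes a manifest of
// SHA-256 digests so a later Verify can prove the copy is intact. Returns the file count.
func Backup(src, dst string) (int, error) {
	var lines []string
	err := filepath.Walk(src, func(path string, info os.FileInfo, err error) error {
		if err != nil || info.IsDir() {
			return err
		}
		rel, err := filepath.Rel(src, path)
		if err != nil {
			return err
		}
		data, err := os.ReadFile(path)
		if err != nil {
			return err
		}
		out := filepath.Join(dst, rel)
		if err := os.MkdirAll(filepath.Dir(out), 0o700); err != nil {
			return err
		}
		if err := os.WriteFile(out, data, 0o600); err != nil {
			return err
		}
		lines = append(lines, hexSHA256(data)+"  "+filepath.ToSlash(rel))
		return nil
	})
	if err != nil {
		return 0, err
	}
	sort.Strings(lines) // deterministic manifest order
	err = os.WriteFile(filepath.Join(dst, manifestName), []byte(strings.Join(lines, "\n")+"\n"), 0o600)
	return len(lines), err
}

// Verify recomputes each digest in the manifest and returns the relative paths of
// files that are missing or whose contents no longer match.
func Verify(dst string) ([]string, error) {
	raw, err := os.ReadFile(filepath.Join(dst, manifestName))
	if err != nil {
		return nil, err
	}
	var bad []string
	for _, line := range strings.Split(strings.TrimSpace(string(raw)), "\n") {
		if line == "" {
			continue
		}
		parts := strings.SplitN(line, "  ", 2)
		if len(parts) != 2 {
			return nil, fmt.Errorf("malformed manifest line %q", line)
		}
		data, err := os.ReadFile(filepath.Join(dst, filepath.FromSlash(parts[1])))
		if err != nil || hexSHA256(data) != parts[0] {
			bad = append(bad, parts[1])
		}
	}
	return bad, nil
}

// Overdue reports whether a worker's last backup is older than the policy interval.
func Overdue(lastBackup, now time.Time, interval time.Duration) bool {
	return now.Sub(lastBackup) > interval
}

func main() {
	// Constructed sample: one file in a scratch directory, backed up, verified, and checked against a weekly policy.
	src, _ := os.MkdirTemp("", "laptop")
	dst, _ := os.MkdirTemp("", "backup")
	defer os.RemoveAll(src)
	defer os.RemoveAll(dst)
	os.WriteFile(filepath.Join(src, "pipeline.csv"), []byte("acct,stage\nAcme,closing\n"), 0o600)
	n, err := Backup(src, dst)
	bad, _ := Verify(dst)
	fmt.Println("copied:", n, "error:", err, "mismatched:", bad)
	fmt.Println("overdue:", Overdue(time.Now().AddDate(0, 0, -10), time.Now(), 7*24*time.Hour))
}
```

The manifest is what turns "I copied it" into "I can prove the copy is good": a damaged CD or a half-finished sync shows up as a mismatch the next time Verify runs, and the Overdue check is the piece a policy owner would run against each worker's last-backup timestamp.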
2 Device Security: Low Cost, High Return
Laptop loss and theft continue to rise, as noted by Safeware Insurance Group in their 2002 PC Loss Survey, so physical security is also a vital (and relatively low-cost) scheme for frontline protection. According to Pointsec Mobile Technologies’ 2003 PDA Usage Survey, PDAs are most often lost in taxis, followed closely by bars, restaurants and nightclubs. Of course, one of the simplest ways to protect your hardware is to train your road warriors to know where their devices are at all times—especially after happy hour.
Thieves specifically target business travelers in airports and hotels, so keeping telltale laptop cases safe requires extra diligence. For starters, consider travel cases that don’t look like the norm, but provide the padding needed to transport the computer safely. Alarm systems and motion sensors can be strapped to a laptop bag to provide an additional deterrent to thieves eyeballing the goods. Alarms alert everyone within earshot with shrill notification that will send any perp running.
Don’t neglect to protect those portable PCs when your mobile workers take them home for the night. Physical device security is easily safeguarded via the use of steel cables, which can be secured either with a combination lock or a master key. Many heavy-duty options exist that deter potential bandits from cutting through your cable. Your company policy should require that laptops always be securely anchored while employees are in the office or at home, but enforcing that policy matters at least as much as any cable. Some organizations will actually patrol HQ and remove any unsecured laptops, causing confused and indignant staffers to lose productivity tracking them down and earning them a well-deserved security lecture from tech support.
3 Know the code, and use it—wisely
Passwords are the most popular method for authentication on mobile devices, but developing smart passwords is the most effective means for guarding devices and data. Your first step is to dissuade users from keeping their default passcodes. Also ensure that codes contain a minimum number of alpha and numeric characters—the longer the better—and that users change them at frequent intervals.
Be warned, however, never to rely solely on passwords: Philippe Oechslin of the Swiss Federal Institute of Technology recently published a paper proposing an algorithm that enabled his team to crack alphanumeric Windows passwords in 13.6 seconds.
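Turning those rules into something a help desk or sync client can actually enforce is straightforward. The Go program below is an added example, not code from this article or from any product it names: it checks a proposed password against a minimum length, minimum counts of letters and digits, a short list of well-known default passcodes, and a rotation interval, and reports every rule that fails rather than a bare yes or no. The numbers (8 characters, 2 letters, 2 digits, 90 days) and the default-passcode list are assumptions chosen for the example. Keep in mind that such rules only limit guessability; they do nothing for a password hash that can be attacked the way the Oechslin result showed, which is exactly why passwords should not be your only line of defense.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy encodes the guidance above: no vendor default passcodes, a minimum
// length, both letters and digits, and rotation at a fixed interval.
type Policy struct {
	MinLength  int
	MinLetters int
	MinDigits  int
	MaxAge     time.Duration
	Defaults   map[string]bool // known default passcodes, matched case-insensitively
}

// DefaultPolicy returns the settings used in this example. The numbers and the
// default-passcode list are assumptions, not any vendor's published values.
func DefaultPolicy() Policy {
	return Policy{
		MinLength:  8,
		MinLetters: 2,
		MinDigits:  2,
		MaxAge:     90 * 24 * time.Hour,
		Defaults:   map[string]bool{"1234": true, "0000": true, "password": true, "admin": true},
	}
}

// Check returns every rule the password violates; an empty slice means it passes.
func (p Policy) Check(password string, lastChanged, now time.Time) []string {
	var problems []string
	if p.Defaults[strings.ToLower(password)] {
		problems = append(problems, "password is a well-known default")
	}
	letters, digits := 0, 0
	for _, r := range password {
		switch {
		case unicode.IsLetter(r):
			letters++
		case unicode.IsDigit(r):
			digits++
		}
	}
	if n := len([]rune(password)); n < p.MinLength {
		problems = append(problems, fmt.Sprintf("too short: %d characters, minimum %d", n, p.MinLength))
	}
	if letters < p.MinLetters {
		problems = append(problems, fmt.Sprintf("needs at least %d letters", p.MinLetters))
	}
	if digits < p.MinDigits {
		problems = append(problems, fmt.Sprintf("needs at least %d digits", p.MinDigits))
	}
	if age := now.Sub(lastChanged); age > p.MaxAge {
		problems = append(problems, fmt.Sprintf("not changed for %d days, limit %d",
			int(age.Hours()/24), int(p.MaxAge.Hours()/24)))
	}
	return problems
}

func main() {
	p := DefaultPolicy()
	now := time.Date(2003, time.June, 1, 0, 0, 0, 0, time.UTC)
	// Constructed sample passwords with the number of days since each was last changed.
	for _, c := range []struct {
		pw  string
		age int
	}{
		{"1234", 5},
		{"summer03", 120},
		{"Tr4vel-Pl4n-2003", 10},
	} {
		fmt.Printf("%-18s %v\n", c.pw, p.Check(c.pw, now.AddDate(0, 0, -c.age), now))
	}
}
```

Reporting the full list of violations, rather than rejecting on the first one, is what makes the check usable as training material: the user sees in one pass why "1234" fails three ways while "summer03" fails only on age.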
4 Encryption Software
The minute your corporate data walks off campus, security concerns increase exponentially. In addition to password protecting your most sensitive data, encryption provides a solid secondary line of defense by converting text into code, preventing unauthorized users from reading your files. Encryption keeps your mission-critical documents, as well as the numerous temp files that are created and forgotten, safe by applying a standard algorithm or a public/private key scheme. Transparency is key, so users can make encryption an easy part of their routine without needing any additional steps. Products like Asynchrony Solutions’ PDA Defense add multiple layers to standard encryption, such as system lock-outs and a bit-wiping bomb that completely clears the device if it falls into unauthorized hands.
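The lock-out and wipe behavior described for PDA Defense is worth seeing concretely. What follows is an added example in Go, written for this piece rather than taken from Asynchrony Solutions or any other vendor: a handheld's data store is sealed with AES-256-GCM under a key stretched from the user's PIN with PBKDF2, each wrong PIN counts as a failure, and reaching the limit (three tries, an assumed value) zeroes the ciphertext so that even the correct PIN can no longer recover the data. The PIN, the sample contact entry and the iteration count are constructed for the demonstration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// keyIters is the PBKDF2 iteration count, an assumption chosen for this example.
const keyIters = 20000

var ErrBadPIN, ErrWiped = errors.New("wrong PIN"), errors.New("device wiped after too many failed attempts")

// pbkdf2SHA256 is PBKDF2 with HMAC-SHA-256 for one 32-byte output block, written out so the example needs only the standard library.
func pbkdf2SHA256(pass, salt []byte, iter int) []byte {
	mac := hmac.New(sha256.New, pass)
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // big-endian block index 1
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for j := 1; j < iter; j++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for k := range key {
			key[k] ^= u[k]
		}
	}
	return key
}

// Device models a handheld's encrypted store: data sealed with AES-256-GCM under a
// PIN-derived key, wiped after maxFail consecutive wrong PINs.
type Device struct {
	salt     []byte
	sealed   []byte // nonce || ciphertext || tag; nil once wiped
	failures int
	maxFail  int
}

// gcmFor builds the AEAD for a PIN; with a 32-byte key neither constructor can fail.
func gcmFor(pin string, salt []byte) cipher.AEAD {
	block, _ := aes.NewCipher(pbkdf2SHA256([]byte(pin), salt, keyIters))
	gcm, _ := cipher.NewGCM(block)
	return gcm
}

// NewDevice encrypts plaintext under pin with a fresh random salt and nonce.
func NewDevice(pin string, plaintext []byte, maxFail int) (*Device, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return nil, err
	}
	gcm := gcmFor(pin, salt)
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return &Device{salt: salt, sealed: gcm.Seal(nonce, nonce, plaintext, nil), maxFail: maxFail}, nil
}

// Unlock decrypts the store if pin is correct. A wrong PIN counts as a failure;
// reaching the limit wipes the store, after which even the right PIN fails.
func (d *Device) Unlock(pin string) ([]byte, error) {
	if d.sealed == nil {
		return nil, ErrWiped
	}
	gcm := gcmFor(pin, d.salt)
	ns := gcm.NonceSize()
	plaintext, err := gcm.Open(nil, d.sealed[:ns], d.sealed[ns:], nil)
	if err != nil { // GCM authentication fails under a wrong key
		d.failures++
		if d.failures >= d.maxFail {
			d.Wipe()
			return nil, ErrWiped
		}
		return nil, ErrBadPIN
	}
	d.failures = 0
	return plaintext, nil
}

// Wipe overwrites the ciphertext in place and drops it so the data is unrecoverable.
func (d *Device) Wipe() {
	for i := range d.sealed {
		d.sealed[i] = 0
	}
	d.sealed = nil
}

func main() {
	dev, _ := NewDevice("2468", []byte("Acme: 555-0100"), 3) // constructed sample entry and PIN
	for _, guess := range []string{"2468", "0000", "1111", "2222", "2468"} {
		pt, err := dev.Unlock(guess)
		fmt.Printf("PIN %s -> %q %v\n", guess, pt, err)
	}
}
```

Two design points carry the weight here. Because GCM authenticates the ciphertext, a wrong key is detected reliably instead of yielding garbage, which is what makes the failure counter trustworthy. And stretching the PIN through PBKDF2 slows down the offline guessing that a four-digit PIN would otherwise invite once a thief has copied the device's memory; the wipe handles the on-device case, the stretching handles the off-device one.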
Synching PDAs and handhelds with networked PCs can also open the door to potentially debilitating viruses and worms. While attacks on handhelds have not been a major problem, hackers may eventually seek to use them as “carriers” to gain access to PCs and networks during sync-ups, and solution providers are at the ready. PDA users may wish to check out Symantec’s Anti-Virus for Handhelds or McAfee’s VirusScan Wireless, which offers auto-synch and on-device scanning for Palm, PocketPC and Symbian EPOC.
5 Wireless Wiles
The growing popularity of wireless data devices creates a potentially ugly breeding ground for security threats. Nowadays, if a crook lifts one of your company’s $400 wireless PDAs, he doesn’t have to be anywhere near your office to crack into your million-dollar network. According to Alex Glosby, senior analyst at global consulting firm IDC, companies running Palm, Pocket PC and Windows CE devices can protect themselves by incorporating VPN software into their wireless strategies to secure the tunnel between handheld and your company’s back end.
Hardware providers increasingly understand that security can be a deal-breaker with enterprise customers and are rising to the occasion by offering stronger solutions. Palm’s new Tungsten C, for example, offers Certicom’s MovianVPN, a software client that resides on the device, and connects to VPN gateways over a wired or wireless connection.
6 Smart Cards and Tokens
A smart card, or plastic card with an embedded processor chip, allows storing and processing data between users, and requires a reader to facilitate the exchange. According to David Melnick, Mark Dinman and Alexander Muratov, authors of PDA Security: Incorporating Handhelds Into the Enterprise, smart cards can provide tamper-proof storage of user and account identity, and protect against threats and careless password storage.
Many companies find that employees are forgetting to remove their smart cards from their laptops, rendering them all but useless from a security perspective. Instead, they are opting for the simplicity of tokens–devices that users can simply pop out or carry on a key chain. Griffin Technologies’ SecuriKey is an example of a token that must be physically attached to a computer’s USB port before the user is allowed to type in her log-in password, offering an extra level of user authentication.
7 Getting on Track
Anti-theft tracking software is also available, including packages such as zTrace Technologies’ zTrace, Absolute Software’s ComputracePlus and CSS’ The CyberAngel. These programs operate much like the LoJack system does in a stolen car. When the missing laptop is connected to the Internet, the application traces its physical location. Solution providers work with law enforcement agencies to assist you in retrieving your hardware. The downside is that if the thief doesn’t attempt to connect to the Internet, the software will not activate.
As an added resource, the Stolen Computer Registry (www.stolencomputers.org) provides a searchable database of serial numbers of computers that have gone missing, and the service is available free of charge.
Once the stuff of sci-fi movies, biometrics are entering the corporate world as an advanced measure for user authentication. Biologically-based measures such as fingerprinting and iris-scanning are typically reserved for high-security needs such as classified government data, but other industries are considering the costly technology as well. Devices such as HP’s iPAQ 5455 offer built-in biometric authentication, namely fingerprint identification.
The Bottom Line
Despite concerns raised by some of the horror stories we’ve mentioned, there is some good news to report. Overall, “Leading-edge enterprises who are investing in mobile workforces and rolling out PDAs are doing a pretty good job with security (because) they understand the benefits of doing so,” says IDC’s Glosby. And, thanks to the requirements established by these leaders, manufacturers and solution providers alike are doing a better job of addressing security concerns with successive versions of their products. For example, “RIM does a good job with over-the-air disablement, and Symbol is an exemplar of a platform provider addressing user concerns,” according to Glosby.
A critical caveat to consider: Despite the best intentions of solution providers and IT departments, the number one challenge to ensuring mobile security is “humanware”—the end users themselves. All of the policies, procedures and tools in the world mean nothing without a concerted effort to raise awareness within your mobile workforce and push them to be part of the solution.
Make security everyone’s responsibility and inspire them with a sense that they have a personal, vested interest in keeping their devices and data safe. Hold a seminar at your next staff meeting, bring in a security expert to explain the nuts and bolts of protecting your assets–and don’t forget to reward your mobile workers for compliance whenever possible.
Randi Rosenberg is a freelance writer and consultant based in New York City.