07 Nov Security concerns grow with mobile tech devices
Madison, Wis. – When it comes to reporting lost mobile data devices, federal agencies have nothing on Chicago cabbies.
By now, most technologically savvy people have heard the horror stories about mobile communications devices, mostly laptops, being reported lost or stolen from entities like the Veterans Administration.
According to PointSec, the data encryption software developer, more than 85,000 cell phones (plus 20,000 personal digital assistants and 4,400 laptops) were abandoned in Chicago taxis during a six-month period.
Depending on the degree of functionality, losing a cell phone may not be a big deal, but losing a smart phone, some of which might contain sensitive documents, can be a very big deal.
A few more tidbits to consider:
• The United States Commerce Department has reported that it lost 1,138 laptops since 2001, and 249 contained personal information.
• Heathrow Airport in London auctions off 730 unclaimed laptops and 1,460 unclaimed mobile phones each year, according to PointSec, which says 60 percent of information theft results from lost or stolen equipment, and only 25 percent results from network intrusion.
• Los Angeles International Airport reports that 400 mobile phones are lost in its facility each month.
Clearly, this is just the tip of the iceberg. “I think the frequency is probably underreported for liability and a whole host of reasons,” said Lance Berg, director of infrastructure services for Paragon Development Systems. “It happens a lot more than people think.”
As communication expands from company confines, concerns about network security and management expand along with it. Some on-the-ball companies are protecting laptops, smart phones, and PDAs as much as they protect financial data.
What is the best way to protect your company’s data in the event that a mobile device, especially one containing critical data, is lost or stolen?
Mobile best practices
The interest in wireless mobile technology continues to grow. A 2005 survey by Gartner, Inc. indicates that 64 percent of the 200 networking and technology businesses surveyed in North America and Europe said they would increase wireless local-area network (WLAN) deployment, which applies only to laptops, in 2006.
The most oft-stated reason – cited by 44 percent of respondents – was improving productivity, followed by improved access to places impossible to wire (21 percent), and affordability in relationship to LAN connectivity (13 percent).
To the surprise of few, security was among the top five concerns in adopting WLANs, noted by 95 percent of respondents, and 60 percent did not believe they were adequately protected.
According to Berg, security centers on the quality of the technology implementation and what it’s meant to accomplish. Any company that wants to implement a wireless mobile system should have both a security policy and a mobile data security policy.
Mobile encrypters and the ability to remotely “wipe” data from built-in memory are among the newer technologies, but policies and practices come first.
John Girard, vice president and analyst with Gartner, suggested that the decision about who can take sensitive information from the office is a matter of need to know – not every employee needs access to sensitive information.
Beyond that, best practices vary based on the mobile device and the type of data shared by that device, Berg said. “If we were to roll out a new mobile data service to a client, we would go through a pretty extensive investigation,” he said. “Through the use of that information, we would craft [employee] training and marry that to the technology.”
Once a technology solution is chosen, it is critical to train the end user on the inherent security risks because there will be failure points in the technology. In the case of mobile devices, the training often involves what not to do, such as a policy of not sending highly confidential information using a wireless connection. It’s not as easy as it sounds because employees might normally do just the opposite in a non-wireless environment.
“Sometimes people have to be trained in the culture about how to properly use e-mails, particularly in the environment of [Wi-Fi] hot spots,” said Paul Hunter, an attorney in the Intellectual Property Practice Group of Foley & Lardner.
Often, the training is wedded to encryption, a technology that goes down the aisle with two-factor or two-part authentication – something the user has and something the user knows – and occasional re-authentication, just enough to make for an impossible hacking challenge. It’s not that all of the data stored on a mobile device needs to be encrypted – only the clichéd “mission-critical” data need apply.
The knock on encryption is that entering the required codes can impact the speed and usability of the mobile device, and discourage users from using it. The good news is that encryption need not be an overarching solution because it is a security option that should be linked to the frequency of use and the importance of the voice, video, data, or e-mail that will flow on the device.
Girard, a strong advocate of encryption, said the enormous challenge that encryption poses to cyber criminals is especially important if users have storage devices like flash drive plug-ins or an external hard drive, where information can be extracted.
Berg offered an example of a solution, noting that companies with Microsoft Exchange Server 2003 as a platform are in a position to leverage the messaging and security feature pack for Windows Mobile 5. This enables network and security administrators to have built-in support for 128-bit encryption, NTLM authentication, and other standards that often apply to desktop e-mail communications and Wi-Fi security.
It also enables them to enforce security policies remotely, including the ability to lock a mobile device after a number of incorrect attempts to guess a password.
Remote wipe, however, is considered a higher level of protection because network administrators have the ability to issue remote “kill bits” orders to wipe both data and credentials from a device after it is reported lost or stolen, according to Berg.
Girard isn’t sold on remote wipes, which he dismissed as “Dick Tracy stuff.” He said it’s better to make sure the information is protected without relying on remote erase. “How do you know someone didn’t copy your hard drive before the data was zapped?” he asked.
Girard also is not impressed with the use of biometrics – most commonly, a fingerprint – unless it is used as a single authentication factor in combination with a non-repeating or one-time password scheme. The reason? It’s only a single authentication factor and one that can be stolen.
One technique Girard does endorse is using an electronic signature as a log-in. “It’s a better third layer of protection, and it’s hard for someone to forge a signature,” he said.
Shopping for solutions
The breach of information at the Veterans Administration – the official line is that it involved an employee taking a laptop home, where it was stolen – involved the personal information of 26.5 million people. Since that time, a spate of information breaches has been reported, but the full cost may never be known.
However, anyone who conducts a Google search of mobile data security is likely to find no shortage of technological answers. “The number of incidents is shocking, and it is shocking because information is vulnerable for years,” Girard said. “The tools to protect information are mature, but the struggle is to get people to buy these products.”