Mobile Insecurity

Sep 1, 2008 12:00 PM, By Derek Benz



In a world where convenience is king, global markets demand mobility, and the sun never sets on business, the idea of increased security chafes like a leash on 21st-century businesspeople. It seems every day there is another hacker incident, another nation-state poised to pounce on our indiscretions, another tale of the rising shadow of organized cybercrime. Yet many people figure that, statistically speaking, they will be able to dodge the bullet, that it won't happen to them.

Enter the world of mobile insecurity. This is where employees spend their waking lives: the airports, the train stations, the subways, the coffee shops and even the Olympic five-star hotel in Beijing. They travel everywhere; they eat wherever is convenient; they chat on their phones while hailing a cab. They are like a nonstop machine driving value to the bottom line.

But even setting hackers aside, the real risk may be in simply being human. Humans have a habit of leaving their “stuff” just lying around. Loss of mobile assets is on the rise. According to Pointsec Mobile Technologies, a 2005 survey of Chicago-area taxicabs revealed the staggering loss of 85,000 cellphones, 21,000 PDAs and more than 4,000 laptops in a six-month time period. In their words:

“Pointsec first commissioned the study four years ago in London; this year's results indicated a significant worsening in the problem, with 71 percent more laptops and 350 percent more Pocket PCs/PDAs being left behind in that city than in 2001.”

That was three years ago. Things are still spiraling.

Dell recently released the results of a study conducted by the Ponemon Institute that found that more than 12,000 laptops are lost by businesspeople in U.S. airports every week. These aren't thefts. Like the taxicab survey, these are what people leave behind, and many of these forgotten items store data that could lead to lawsuits, stock dives and identity theft.

There's a lot of technology on the horizon aimed at helping us change how we safeguard our mobile assets. In the meantime, here are a few suggestions you could implement within your organization now.

  • Leave the laptop behind. Laptops are our biggest issue; they have more data capacity than most mobile assets and they are where we do our work. Set up a policy that allows travel with laptops only on an exception basis, allowing your travelers to bring only their PDA. A PDA, such as a BlackBerry, can be encrypted and can also be remotely wiped when reported stolen. You can also get them quickly replaced. If you meet resistance to the policy, consider that airlines are beginning to charge for luggage and are severely limiting how much you can bring on board. After your travelers pick up the wreckage of their laptop from checked baggage, they will start to support your policy with more enthusiasm. And on a brighter note, more executives are starting to travel light. While this might be more out of convenience than security awareness, it amounts to the same thing: reduced risk. (Check out the Department of Commerce's approach: cio.noaa.gov/CITR.PDF.)

  • Use a loaner pool. The solution for traveling employees who consider an airplane a second office is to set up a loaner laptop pool in your organization. Chances are, travelers have to set up their travel in advance, using a travel agency or approved booking process. Make the loaner laptop part of the process — but make it an exception, not the rule. Also, ensure that any loaner is freshly imaged/wiped, with only standard applications. Think about including an encryption program, such as PGP, to allow the traveler to secure those files that they bring with them.

  • Loss reporting. Employees tend to report their laptop or BlackBerry loss, which can lead to the recovery of the asset or allow time to mitigate the risk. However, employees rarely report losing smaller mobile devices, such as USB flash drives or burned CDs. Although these devices are easy to replace, employees should consider how much confidential data can be squeezed onto one of them. Institute a travel policy that requires the reporting of any lost or stolen mobile assets, no matter how small.

  • Secure all devices. For laptops, consider whole disk encryption solutions, such as McAfee's SafeBoot. For BlackBerrys, ensure your devices are encrypted and capable of remote wipe. For thumb drives and other data storage devices, start thinking about encryption solutions. This way, if the asset is lost, your company's reputation isn't.

In the near future, all mobile assets will continue to converge into one single device. These devices will be fully encrypted and remotely wipeable, will have GPS tracking similar to LoJack and will be replaceable at little cost. Human nature won't change anytime soon. We'll continue to leave belongings in taxis and hotel rooms. But technology and simple processes should go a long way to help ensure that the loss won't end up on Wall Street.


DEREK BENZ currently serves as the chief information security officer (CISO) within Honeywell International, a member of the Security Executive Council. He has responsibility for the Specialty Materials and the Transportation Systems divisions. He previously served as CISO for the $14 billion Automation & Controls division, as well as heading up Global Security Risk Management within Honeywell.

This article is presented in partnership with the Security Executive Council (www.SecurityExecutiveCouncil.com), an international professional membership organization for leading senior security executives spanning all industries, both the public and private sectors, and the globe. For more information about the council, visit www.SecurityExecutiveCouncil.com/?sourceCode=access.

© 2014 Penton Media Inc.
