Accidental Disclosure

By Peter Ferenczi — September 25, 2007

Everyone makes mistakes, but the nature of the mobile enterprise means employees have more chances to make simple mistakes that come with major consequences. Their mobile devices are points of ingress and egress that introduce risks above and beyond "standard" IT security concerns. Think sensitive corporate data, massive liability, sitting on a table in a bar late on a Friday night. Laptops laden with customer data connecting to oh-so-convenient, completely unsecured WiFi access points.

"Depending on who you talk to, the percentages vary, but [I.T. security] problems are now more internal than external," said Roy Balkus, senior VP and CIO of Naugatuck Savings Bank, who noted that spam filters, antivirus software and firewalls do a decent job of keeping external threats at bay. It's those inadvertent inside jobs you have to watch out for.

Disappearing Gear

Statistics vary, but it's common knowledge that thousands of mobile devices go missing every year in major cities, whether left in taxis, stolen from cars or misplaced in airports. When those devices contain sensitive data, it means real headaches for the individuals whose information is compromised and for the companies that may need to publicize the loss under disclosure laws, resulting in PR nightmares and damaged customer trust.

People know they're not supposed to lose their devices, but it's going to happen, and there are several strategies for mitigating the damage when it does. According to Tim Sox, customer enrollment technical manager for Colonial Life and Accident Insurance, data encryption is critical. "Because of the nature of the personal information in the insurance industry, we probably handle more sensitive data than [other industries] as far as financial and health information," he said. Colonial's 3,500 independent contractor agents are constantly on the road. "The agents have the laptop in and out of their car, they leave it in a conference room. That was the risk we wanted to mitigate," Sox explained, when the company adopted Sybase's iAnywhere Afaria solution. "We did full hard disk encryption," he said, a process that was accomplished remotely on 3,500 laptops over the course of a month. "The encryption doesn't stop people from stealing the laptop, but if it does get stolen they can't access any information," he said.

And if someone does manage to access the encrypted drive with the right password (Sox noted that agents occasionally tape their passwords to their laptops), Colonial can effectively kill the laptop if it connects to the Internet, rendering the data unreadable. Known as "remote kill" or a "poison pill," this critical feature makes doubly sure a lost device can't be read or used to access corporate resources. The Sybase solution, like those of many vendors, can also remotely lock handheld devices, whose always-connected nature makes them easier to terminate if required. It also has a Data Fade feature that lets administrators specify that a device be locked or wiped if it hasn't communicated with the corporate network for a certain number of days.

Colonial has discovered that the payoff for tight mobile security reaches beyond damage control. Sox related the story of a "problem agent" who made a fuss about having another password to remember. The day he finally allowed his laptop to be encrypted, a potential customer pointedly asked him what steps the company took to protect data. "The agent called us back that afternoon and basically apologized, saying, 'You guys helped me get this account,'" recalled Sox.

Their Gear, Your Fear

"One of the biggest issues that corporations have to deal with is users bringing devices from home, removable memory drives, their own laptops even, and trying to connect them to the corporate network," said IT security expert Benjamin Halpert. Besides carting off sensitive data on unprotected storage, personal mobile devices may also introduce malware that can infect devices across the corporate network.

As CIO of Naugatuck Savings Bank, Balkus knows the smell of this fear. "Thumb drives are probably the scariest thing because you can put gigabytes of data in your pocket -- and lose it," he said. To address this danger, he deployed Centennial Software's DeviceWall, an endpoint security product that provides control over how employees can use USB ports, optical drives and other points of access on their PCs. Balkus said it was the software's fine-grained control that impressed him most. "I could get down to the device level, so I could say, 'You can connect a PDA but not a digital camera.'" He also noted that he can schedule temporary access, granting, for example, a week of DVD-ROM read privileges to an employee on the road with a presentation to deliver.

A remote worker can also request special access if required (for example, an unexpected and legitimate need to burn a CD-ROM), even if a laptop is offline. In such cases, device access can be enabled with all activity being monitored for potential auditing.

If employees are allowed to use removable mass storage, Balkus said that DeviceWall's mobile encryption minimizes loss risks. "You're really being foolish if you're putting unencrypted information on any kind of portable device," he said.

Sybase's iAnywhere suite also supports removable storage encryption and enables read privileges to be limited to just the user's device, a certain subset of an organization or the entire company.

Wide-Open Worries

Connectivity is the lifeblood of the mobile worker. But making connections without protection is as ill-advised in networking as in other aspects of life. And yet people will do it. "If employees are traveling and they need to connect and the only place is an unsecured hotel network or a WiFi hotspot, they're going to use it because they have a deadline," said Halpert.

"There is a real, valid risk from using unsecured WiFi hotspots," he said. "There are people that set up wireless networks that impersonate legitimate networks and try to trick individuals into connecting to steal information. If a malicious individual can convince a user to connect to their access point, they can extract information from the user."

Halpert said the best practice is just three letters long: VPN. A virtual private network provides an encrypted tunnel between the user and corporate resources that's secure even if the network connection is wide open. "If you're using an organizational asset, launch a VPN as soon as you can connect," advises Halpert.

That's what Fiberlink's Extend360 mobility suite does, according to Jim Burris, IT network operations manager for Kenco Group, a logistics service provider. This gives the company's 300 roving laptops a safe way to call home.

WiFi hotspots get a lot of press, but any Internet connection is insecure if unprotected by encryption.

Policy into Practice

Deploying solutions that protect employees from themselves is important, but Halpert warned against blind faith in product claims. "Organizations shouldn't place implicit trust in products just because they're marketed as such. More often than not, they don't do what they say they do," he said.

He also stressed the importance of informing employees. "Organizations need a corporate policy in place that delineates proper use of corporate assets so employees know their responsibilities. To support that policy you need to properly educate employees," said Halpert. "You can't just put it on paper. You have to put that information in front of them and ensure they understand it."

Sox said Colonial implemented a "security privacy certification" that agents had to pass in order to be issued a laptop. "We forced all current laptop users to take the test, and we set an aggressive deadline," he said.

Sox recognizes that teaching employees isn't a one-off. "The training department is keeping a close eye on the changing security environment to determine when people need to be certified again," he said. "We realized once we got into this that security is a process. The rules out there change daily, so we have to stay educated."

