Security to Go

By next year, one and a half million Canadians will be “teleworking” – spending at least part of the week working outside the office. Businesses that have embraced this trend report increased productivity, improved employee morale, reduced staff turnover and considerable savings on the cost of office space. What they don’t often talk about are the challenges this e-migration has created, particularly for IT departments and CIOs concerned about the security of business-critical information.

Whether at home or on the road, mobile workers require access to the same electronic information a traditional office worker uses, such as shared files and databases, personal voice-mail and e-mail, and in many cases, highly sensitive information such as HR and accounting files. Recognizing this need for remote access, businesses from the smallest start-up to the biggest multinational are employing mobile devices to connect distant workers to central networks.

Mobile phones, for example, were once a “for emergencies only” convenience. As most wired workers can attest, mobile phones have since moved into the realm of necessary accessory, and are now only one of the links in the connectivity chain, fighting for space in the padded briefcase along with personal digital assistants (PDAs), laptops, pagers and other mobile devices.

How wired is the wired (and now wireless) worker? IDC predicts that by 2003, 16.6 million Canadians will be subscribed mobile phone users. By that time, there will be nearly 33 million PDAs installed worldwide – and already virtually every company has made significant investments in portable computers. The implications of this widespread use of mobile devices are as large as the geographic area they cover – especially when it comes to network security.

Convenient Access vs. Serious Security

To understand the security challenges presented by a continuing increase in mobile computing, take a moment to think about how information security is handled within bricks-and-mortar office walls. Executives, eager to focus on business practices that provide immediate returns on investment, turn their attention away from security policies as soon as they are developed. IT managers, overwhelmed by daily demands, assume that security policies are being followed throughout the organization. And employees, more concerned about access than security, assume that their responsibility for securing company information stops at a single password.

It doesn’t take a particularly paranoid personality to imagine the consequences of an enterprise-wide laissez-faire approach to information security. It only gets worse with the addition of each mobile device – just as a chain is only as strong as its weakest link, a converged (wired and wireless) network is only as secure as the least secure device involved. And the least secure device is most often a mobile one – laptops, PDAs and other devices expose corporate networks to new and unexpected vulnerabilities every day.

As the network of mobile devices expands, the proprietary information that is the lifeblood of competitive companies is placed at ever-increasing risk. If a mobile device is lost, stolen or misplaced – not an unlikely scenario with 1.5 million Canadians teleworking and millions more travelling each year – this business-critical data is “out there” for the use or misuse of anyone skilled enough to know how to access the information.

Tales from the Unencrypted

How alarmed should a CIO be about the security challenges presented by a mobile yet connected workforce? Consider the worst-case scenario described below – then imagine explaining the situation to your executive team, whose competitor has just “acquired” your company’s quarterly projections and new product release schedule.

A new employee is in a busy international airport, heading home from a whirlwind tour of your regional offices, when he realizes that his computer bag (containing his PDA, pager, laptop and mobile phone) has been stolen. It’s reasonable to assume that the preference for quick access has won out over basic security measures and that the PDA is not access-restricted, the hard drive and BIOS of the laptop are not encrypted or protected, and there is no password required to operate the phone.

Forgetting about the mobile phone and PDA (together offering a treasure-chest of everything from customer contact information to expense statements), the laptop alone can provide an unauthorized user with access to the most sensitive and valuable information residing on your company’s network. After all, the internal dialler is preset to call the main office. To avoid having to remember passwords, all user passwords are set in memory, and the auto login is preset as well. Once connected to the office, the user simply uses the same laptop passwords to access the network, the printers, the shared servers, and so on. The laptop’s e-mail isn’t encrypted, so the inbox, outbox and filed client e-mails are easily viewed, and since the PDA’s desktop software isn’t privacy-protected, all of the data stored on the PDA since the last synchronization is also up for grabs. This laundry list of insecure practices may sound unlikely, but such practices are not uncommon.

Even without network access, the laptop is a dangerous commodity. Think about your own portable PC – does it contain any unencrypted spreadsheets or documents outlining current business activities? Any proposals or contracts that detail the scope, staffing and costs of existing projects? Any business or marketing projections? Any other proprietary information your competitors would love to get their hands on?

It’s a fine line between being alarmed and being alarmist, but CIOs are well advised to err on the side of caution. After all, in the ultimate worst-case scenario, the laptop isn’t simply stolen by someone who wants a new machine with a good street value, but by a rogue competitor or someone interested in extorting funds from your company in exchange for the “safe return” of the information. And in the best-case (most secure) scenario, a CIO’s only concern need be the replacement cost of the lost or stolen item, not the possible dissemination of all the corporate secrets.

Tips For Mobile Security

What can a company interested in protecting its digital assets do in the face of increasing mobilization? Here are a few recommendations that will help ensure your security measures are up to snuff.

1. Treat information like money

Wired workers must treat information like money, because information is money (companies that have experienced security breaches are the first to agree that they are one and the same). If you are a pharmaceutical manufacturer that has just invested $4 million in the development of a new drug, then any device that allows a competitor to access the details of those trial studies is worth $4 million. No intelligent employee would turn his back on a bag filled with $4 million in cash while he claims his boarding pass. Every mobile device user must be taught to think of the devices as access points to valuable information – information worth money.

2. Lock every door

All it takes is one “screen door” for corporate information to become public. At minimum, every mobile device throughout the organization should be protected with a password or other authentication method that is not preset or stored in memory. The same holds true for individual files and applications. The question to ask is, “how excited would my competitor be if they could see this information?” Anything that elicits a reaction above a yawn should be encrypted. And users who complain about extra steps taking precious seconds need to be reminded that convenience can end up bankrupting a company that doesn’t take security seriously.

3. Implement comprehensive security policies

It may seem obvious, but it’s important nonetheless – all corporate security policies should include specific guidelines for the secure usage of mobile devices. Because security policies are, by their nature, fluid documents that are in need of continuous review, all new and existing employees must be kept informed of any additions or changes to policies. Consider regular audits to measure the degree of ongoing compliance with security policies.

4. Know what’s out there

Part of policing the degree to which security policies are followed is keeping track of the mobile devices themselves. Inventories of IT equipment should always be kept up to date, and policies and procedures for the acquisition of future equipment should always take security considerations into account. It is now possible for organizations to track mobile devices right down to a geographic location, and many companies are introducing “secure travel” procedures for workers who are frequently on the road. These methods may seem onerous but can prove invaluable in the event of an incident, providing an immediate return on investment when time and information are in short supply.

5. Give staff the tools to protect themselves

The greatest security threat to a corporate network is not a malicious hacker, it’s the ignorance of the end-user. When employees underestimate their key role in the ongoing security of their organization, lapses in security will naturally occur. Whether a five-minute demo on how to secure a mobile phone or a half-day seminar on how to manage a supply chain within a virtual private network, educating staff about the secure usage of mobile devices is key.

6. Scan the horizon

Mobile devices are two-way doors. Just as they provide ways into corporate networks for the purposes of accessing information, they can also act as the perfect conduit for malicious computer viruses. Cross-platform viruses that allow affected mobile devices and networks to continually re-infect themselves will present ongoing challenges for IT departments and mobile end-users. Regardless of the core business, when IT departments are given the resources to include “preventative medicine” as part of their service offerings (such as regular scans of on-line virus alerts), security across networks and mobile devices will improve.

A well-known maxim in the security industry is that 100 per cent security is available, it’s just not affordable. It is possible, however, to protect the information sources that are essential to the success of an e-enabled business. By respecting the value of information and educating employees about the cost of carelessness, mobile devices can move beyond the office – without leaving the door wide open.

Mark Fabro is Senior Scientist and Managing Director for Guardent Canada Inc., a digital security services firm providing strategic solutions for technology-enabled enterprises. He can be reached at