Losing a laptop or handheld wireless device packed with sensitive corporate data is typically a serious breach of privacy. An employee at Toronto-based Hummingbird Ltd., for example, recently lost “a piece of computer equipment” containing names and social security numbers belonging to an estimated 1.3 million clients of a student loan firm.
Organizations can set up a number of safeguards to mitigate the risks associated with the loss of private customer information and other confidential corporate data.
The first step is to get a better grip on the network, says Steve Rampado, senior manager of enterprise risk services for Deloitte and Touche LLP. Once a company knows what devices are tapping into its data, appropriate policies must be implemented and adhered to, followed by effective security measures like passwords and encryption.
Rampado says most organizations need to begin by assessing the problem and sizing up the risk, because they don’t even have a handle on what devices are connecting to their networks. “Quite often an employee will buy the PDA or phone they want and they’ll be connecting to the corporate network.”
Handheld mobiles are becoming more like laptops and the network perimeter keeps expanding outward, says Rampado, with increasing numbers and varieties of wireless devices. Smart phones and PDAs, with up to 20GB of storage, now run full-fledged operating systems capable of supporting the same applications that run on a desktop.
“If you’re going to allow these devices to connect, you’ve got to have the appropriate infrastructure in place so they’re going through the right authentication mechanisms to gain access to the corporate network,” he says.
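Getting a handle on which devices are actually reaching the network starts with evidence the network already produces. The following is an added example, not code from the article or from Deloitte: it audits a DHCP server log against a managed-device inventory and lists every device that obtained an address without being in the inventory. The log lines, the ISC dhcpd-style message format, the MAC addresses and the inventory are all constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample DHCP server log. The message format assumes ISC dhcpd-style
# syslog output; it is not taken from the article.
SAMPLE_DHCP_LOG = """\
Mar  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (CORP-LT-0142) via eth0
Mar  3 08:02:40 dhcp1 dhcpd: DHCPACK on 10.20.1.33 to 00:0c:29:aa:bb:cc (JoesTreo650) via eth0
Mar  3 08:03:05 dhcp1 dhcpd: DHCPACK on 10.20.1.15 to 00:1a:2b:3c:4d:5e (CORP-LT-0142) via eth0
Mar  3 08:05:59 dhcp1 dhcpd: DHCPACK on 10.20.1.41 to 00:17:f2:11:22:33 (iPaq-hx4700) via eth0
Mar  3 08:06:10 dhcp1 dhcpd: DHCPDISCOVER from 00:0e:35:44:55:66 via eth0
Mar  3 08:07:21 dhcp1 dhcpd: DHCPACK on 10.20.1.50 to 00:1a:2b:3c:4d:60 (CORP-LT-0207) via eth0
"""

# Constructed asset inventory of managed devices: MAC -> (owner, device class).
MANAGED_DEVICES = {
    "00:1a:2b:3c:4d:5e": ("jsmith", "laptop"),
    "00:1a:2b:3c:4d:60": ("alee", "laptop"),
}

# Only a DHCPACK means the server actually handed out an address, i.e. the
# device got onto the network. DISCOVER/OFFER/REQUEST lines are ignored.
ACK_RE = re.compile(
    r"DHCPACK on (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) to "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
    r"(?: \((?P<host>[^)]*)\))?"
)


def parse_acks(log_text):
    """Return one (ip, mac, hostname) tuple per DHCPACK line; other messages are skipped."""
    acks = []
    for line in log_text.splitlines():
        m = ACK_RE.search(line)
        if m:
            acks.append((m.group("ip"), m.group("mac").lower(), m.group("host") or ""))
    return acks


def summarize_by_mac(acks):
    """Collapse lease records so each MAC appears once with every IP and hostname it used."""
    seen = defaultdict(lambda: {"ips": set(), "hostnames": set(), "leases": 0})
    for ip, mac, host in acks:
        entry = seen[mac]
        entry["ips"].add(ip)
        if host:
            entry["hostnames"].add(host)
        entry["leases"] += 1
    return dict(seen)


def find_unmanaged(summary, inventory):
    """MACs that obtained a lease but are absent from the inventory, sorted for stable output."""
    return sorted(mac for mac in summary if mac not in inventory)


def audit(log_text=SAMPLE_DHCP_LOG, inventory=MANAGED_DEVICES):
    """Run the whole check and return (per-MAC summary, list of unmanaged MACs)."""
    summary = summarize_by_mac(parse_acks(log_text))
    return summary, find_unmanaged(summary, inventory)


if __name__ == "__main__":
    summary, unmanaged = audit()
    print(f"{len(summary)} distinct devices obtained leases; {len(unmanaged)} are not in inventory:")
    for mac in unmanaged:
        info = summary[mac]
        names = ", ".join(sorted(info["hostnames"])) or "(no hostname)"
        print(f"  {mac}  hostnames={names}  ips={sorted(info['ips'])}  leases={info['leases']}")
```

On the constructed log this flags the Treo and the iPaq, both handhelds that no one registered, while the two corporate laptops pass. The same comparison works against RADIUS accounting or wireless-controller association logs; the point is to reconcile what the network observed with what the organization believes it manages, before deciding which of those devices should be allowed through the authentication mechanisms Rampado describes.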
Part of assessing the risk is understanding what data is accessible, and how. Rampado says a lot of companies have no idea what other devices their employees are synchronizing to their handhelds. An individual may be synching their handheld device to their laptop, which may contain confidential information.
“The corporation has no control over what is being synchronized and how that information is being synchronized.”
Integral to developing a strategy is defining policies and standards for employees that dictate what’s acceptable, adds Rampado. Setting a proper governance structure helps to ensure the information doesn’t get into the wrong hands, at least internally.
Companies might allow network access only to certain devices; permit employees to synchronize only their contacts; let only staff at a given level synchronize their e-mail; and forbid anyone from copying sensitive files to these remote devices.
Another important and often overlooked strategy would be to train employees to become more conscious about security and raise their awareness of any corporate policies in