Whether a mobile device is stolen, forgotten or merely misplaced, it can pose a serious threat to enterprise security. Yet studies show that many Canadian organizations don’t seem to recognize the risk posed by these roaming devices. Here’s an update on this growing problem – and some advice on what you can do to help solve it.
As mobile devices become more pervasive in the business environment, organizations are scrambling for ways to expand corporate IT security policies to these nomadic extensions of the enterprise.
The enterprise’s ability to secure its mobile and wireless devices comes under scrutiny as incidents of stolen laptops continue to draw high-profile attention. These notebooks often hold large amounts of personal data, a pool of information that can feed a long chain of identity-fraud schemes.
Statistics are pointing to a consistent trend of losses and breaches.
Eighty-one per cent of companies worldwide have suffered at least one incident of a lost or stolen laptop in the past 12 months, according to a survey by security and privacy research firm Ponemon Institute in Elk Rapids, Mich.
In London, over 63,000 mobile phones, 5,838 PDAs and 4,973 laptops have been left in taxicabs in the last six months, wrote Jeff Yates, executive director of the Agents Council for Technology, in an article entitled, Managing the Security Risks of Portable Devices. In Chicago, 21,460 PDAs and Pocket PCs were left in taxicabs over a six-month period, Yates added.
Last year, laptop theft cost U.S. organizations over US$4.1 million, according to the 2005 Computer Crime and Security Survey, a joint study by the Federal Bureau of Investigation and the Computer Security Institute.
Despite these compelling statistics, many Canadian organizations don’t seem to view mobile and wireless devices as a real threat to enterprise security. This is what IDC Canada found in its recent survey of medium and large-sized organizations in Canada, where 54.4 per cent of mid-sized firms and 35.4 per cent of large organizations tagged mobile and wireless tools as “no real threat” to corporate security (see sidebar).
“Most people have this attitude of, ‘It can’t happen to me.’ If you combine the practice of putting sensitive financial data or sensitive corporate data on a machine, and then add wireless capability, I think it’s going to be a very high threat,” says Tom Slodichak, chief security officer at IT security consulting firm White Hat Inc. in Burlington, Ont.
The first line of defense is to keep sensitive data behind the corporate firewall whenever possible, suggests Slodichak. “My personal opinion is that these massive databases of financial data belong on servers; they don’t belong on machines that can be left in cars and stolen.”
However, if the business case dictates that certain information needs to be kept on mobile devices, the security executive says this sensitive data should be encrypted.
Need for central management
Mobile devices can be classified into two categories: portable communication devices such as smart phones and PDAs, and portable PCs. Each one is capable of storing enough sensitive data to potentially bring down a company.
The volume of data that is lost either inadvertently or through an act of theft is an indication that mobile security “hasn’t been top-of-mind in a lot of organizations,” says Ross Chevalier, CIO for Novell Canada in Markham, Ont.
“When companies provide commuters with mobile devices and don’t reinforce security measures in a standardized form, it creates an aura around the technology that these tools are not that important; they are not disposable, but are not business-critical tools either,” explains the Novell executive.
Because of their small form factor, portable communication devices have a higher probability of getting lost or stolen, he says. The first step in securing these small but powerful machines is having the ability to centrally manage them.
“Smart companies will leverage a centralized device management software product that will allow them, from a central location, to say, ‘Our policy for these devices is the following.’ And as users connect to the network, they will have these policies written out to them,” Chevalier explains.
Review security policies
Centralized management policies can include mandatory password use at every level of the device operation, such as power-on password, disk-access password, and a screensaver password, says IBM Canada’s chief security officer Oscar Vaz. Such policies should be configured into the device, making it easier for a user to adhere to security standards, he adds.
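The layered password policy described above can be expressed as a machine-readable rule set that the management software evaluates against what each device reports when it connects, refusing network admission until the device is compliant. The following is an added example written for this article, not IBM’s or any vendor’s product; the policy keys, the report format, the two constructed device reports and the remediation rules are all assumptions built around the three password layers named above (power-on, disk access, screensaver). Missing settings are treated as non-compliant so the check fails closed.

```python
"""Evaluate a device's reported settings against a central lock/password policy.

Added example, not from the article. Policy keys, report format and sample
devices are assumptions chosen to illustrate the layered password policy.
"""

# Central policy, as it would be pushed to a device when it connects (assumed format).
POLICY = {
    "require_power_on_password": True,
    "require_disk_password": True,
    "require_screensaver_password": True,
    "max_screensaver_timeout_sec": 600,
    "min_password_length": 8,
    "require_data_encryption": True,
}

# Settings as two devices report them (constructed: one weak laptop, one compliant one).
WEAK_LAPTOP = {
    "power_on_password": False,
    "disk_password": True,
    "screensaver_password": True,
    "screensaver_timeout_sec": 1800,
    "password_length": 6,
    "data_encryption": False,
}
GOOD_LAPTOP = {
    "power_on_password": True,
    "disk_password": True,
    "screensaver_password": True,
    "screensaver_timeout_sec": 300,
    "password_length": 12,
    "data_encryption": True,
}

PASSWORD_LAYERS = ("power_on_password", "disk_password", "screensaver_password")


def violations(report: dict, policy: dict = POLICY) -> list[str]:
    """Return the policy rules the device currently breaks (empty list if compliant).

    A setting the device did not report is treated as the worst case, so an agent
    that omits a field cannot talk its way onto the network.
    """
    found = []
    for layer in PASSWORD_LAYERS:
        if policy[f"require_{layer}"] and not report.get(layer, False):
            found.append(f"{layer}: required but disabled")
    timeout = report.get("screensaver_timeout_sec", 10**9)
    if timeout > policy["max_screensaver_timeout_sec"]:
        found.append(f"screensaver timeout {timeout}s exceeds policy maximum")
    if report.get("password_length", 0) < policy["min_password_length"]:
        found.append("password shorter than policy minimum")
    if policy["require_data_encryption"] and not report.get("data_encryption", False):
        found.append("data_encryption: required but disabled")
    return found


def remediate(report: dict, policy: dict = POLICY) -> dict:
    """Return the settings the management agent should write back to the device.

    Password length cannot be fixed remotely (the user has to pick a new one),
    so it stays as reported and remains a violation until the user acts.
    """
    fixed = dict(report)
    for layer in PASSWORD_LAYERS:
        if policy[f"require_{layer}"]:
            fixed[layer] = True
    fixed["screensaver_timeout_sec"] = min(
        fixed.get("screensaver_timeout_sec", 10**9), policy["max_screensaver_timeout_sec"]
    )
    if policy["require_data_encryption"]:
        fixed["data_encryption"] = True
    return fixed


def admit_to_network(report: dict, policy: dict = POLICY) -> bool:
    """Network-admission decision: deny until no violations remain."""
    return not violations(report, policy)


if __name__ == "__main__":
    for name, dev in (("weak", WEAK_LAPTOP), ("good", GOOD_LAPTOP)):
        print(name, admit_to_network(dev), violations(dev))
    print("after remediation:", violations(remediate(WEAK_LAPTOP)))
```

The split between `violations` and `remediate` mirrors the point made above: everything the agent can configure itself, it configures silently; only the one thing that needs the user (a longer password) is surfaced to them.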
Vaz says when formulating corporate standards on mobile security, the company must undertake an assessment of its entire data assets, such as what type of data needs to be protected and who should be given access to which type of data.
Policies are then created based on this framework, says Vaz. These standards, however, must continuously be updated to conform to new threats and new technologies.
IBM, for instance, conducts annual and bi-annual reviews of its security policies to ensure that the company remains current with its standards, says Vaz. IBM’s strategy for mobile device protection includes multi-level password mechanisms, e-mail and other critical data encryption, and secured remote access to the corporate network. These protective measures are designed to make it as difficult as possible for an unauthorized individual to gain access to information inside the device and the corporate network, says the IBM executive.
To be effective, mobile device management and security policies should be tied in with overall corporate standards imposed across all company assets, suggests Marc Camm, vice-president for smart phone solutions at Computer Associates in Islandia, N.Y.
Extending corporate policies to laptop computers should not be difficult, says Camm, because notebooks often operate under the protective shelter of the corporate firewall.
Where it becomes more challenging is when such rules are enforced on smart phones. Unlike desktop PCs and laptops, which typically run on a Windows-based platform, smart phones deployed across the enterprise are often a mix of various operating systems including Windows Mobile, Symbian and other proprietary systems such as the Motorola OS for its Razr series, Camm explains.
“The challenge that you have is that even if you standardize on a number of types of devices in your enterprise, those devices will potentially be running different operating platforms, and different operating platforms introduce complexity in being able to manage all platforms from one place,” he says.
There is, however, hope on the horizon as the industry moves to introduce standards around device management through the Open Mobile Alliance Device Management specifications, notes Camm. Such standards would enable IT administrators to manage and configure these intelligent devices and enforce consistent security policies with less difficulty.
The human element
A vital component for a successful enterprise-wide mobile security strategy is employee cooperation, where they fully understand the risks and willingly accept the policies imposed by the company.
“No security system will survive someone who doesn’t understand the value in using security and who isn’t going to be compliant,” says Novell’s Chevalier.
IBM’s Vaz notes security enforcement should always be a partnership between the company and the employees. The company should provide them with the tools that make compliance easier and, more importantly, show them not only what the policies are but why they are being enforced.
“Part of the employee awareness strategy is pointing to what can really happen when an end user’s mobile device is stolen. We found, in our experience, that demonstrating problems can have a very dramatic effect,” Vaz says.
Centralized security configuration of mobile devices that requires the minimum amount of intervention from the user is an effective strategy for both maintaining ease of use for end users and ensuring that the device is always compliant with company policies, explains Vaz. “[When] you have a mobile device where the end user has to do a lot of configuration on it, it becomes a challenge because the users can make mistakes.”
The bottom-line is keeping it simple and educating users regularly, he adds.
Sidebar 1
Underestimating the mobile security threat
If a recent IDC Canada report is any indication, high-profile cases of stolen mobile devices and compromised personal information may have little effect on how Canadian businesses view security threats to wireless and mobile devices.
According to IDC’s Enterprise Security Survey: Threats and Issues, over 35 per cent of large organizations believe wireless and mobile devices pose “no real threat” to IT security, while only 27.3 per cent view these devices as a significant threat.
The discrepancy is even greater among medium-sized firms, where more than 54 per cent said these devices are not a real threat and only 14.7 per cent said they pose security risks.
IDC probed 200 medium-sized organizations and 170 large enterprises in Canada. Trojans, viruses and worms topped the list of security concerns.
“I don’t think medium-sized companies think about security nearly as much as they should and it could potentially be a problem for them down the road,” said Joe Greene, vice-president of IT security research at IDC Canada.
He added that organizations tend to focus more on the “wired world” of worms and viruses, but wireless technology is becoming so pervasive that organizations have to adopt a more holistic strategy around IT security.
While many high-profile breaches have involved stolen laptops, other mobile communication devices such as personal digital assistants (PDAs) and smart phones are also at risk, as they can likewise store significant amounts of sensitive corporate data.
At last month’s Defcon hacker conference in Las Vegas, security researcher Jesse D’Aguanno demonstrated what he called the first Trojan horse malware for the BlackBerry device. It was written to show that while these devices are often not treated with the same concern as PCs, they can be equally dangerous, said D’Aguanno.
A big part of the problem around the security of mobile and wireless devices is the lack of education among employee and business executive users on the risks associated with the use of these types of gadgets, said Ross Chevalier, chief information officer at Novell Canada.
“There’s certainly an element that says maybe folks aren’t as aware as they should be of some of the risks,” Chevalier said. “No security system will survive someone who doesn’t understand the value in using security and who isn’t going to be compliant or try not to be compliant.”
Mobile security and policy enforcement forces people to change the way they use their device, such as locking and unlocking it through a password mechanism or encrypting sensitive files, Chevalier explained.
Policy enforcement is one thing, but getting people to understand why the company is imposing such rules is another. And that is important in getting the organization to become collectively united to protect corporate information assets through mobile use policies, said Chevalier.
Chevalier cited Novell Canada’s own corporate policy for mobile and wireless security. Novell has made it mandatory for all devices to have passwords for user access. A “device-kill” policy was also enabled on wireless machines. Device-kill is a function in the operating system that deletes all files contained in the device in the event that the password is keyed incorrectly after a prescribed number of attempts.
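The device-kill mechanism described above only works if two things hold: the failed-attempt counter must survive a reboot or battery pull (otherwise the attacker resets it for free), and the wipe must be fast and complete, which in practice means discarding the key that the stored data is encrypted under rather than deleting files one by one. The following is an added example written for this article, not Novell’s or any operating system’s implementation; the dictionary standing in for flash storage, the 10-attempt default, the PBKDF2 iteration count and the crypto-erase design are assumptions. It also adds an escalating delay after the first few failures, which the article does not mention, so that a fumbling user is slowed down before being wiped.

```python
"""Power-on lock with a persistent failed-attempt counter and device-kill.

Added example, not from the article or any vendor. The `store` dict stands in
for the device's non-volatile storage; the threshold, iteration count and the
crypto-erase approach are assumptions.
"""
import hashlib
import hmac
import os

PBKDF2_ITERATIONS = 100_000   # assumption: tune to the device's CPU budget
DEFAULT_THRESHOLD = 10        # assumption: the article gives no specific limit


class DeviceLock:
    def __init__(self, store: dict):
        self.store = store    # everything the check needs lives in storage

    @classmethod
    def provision(cls, store: dict, password: str,
                  threshold: int = DEFAULT_THRESHOLD) -> "DeviceLock":
        salt = os.urandom(16)
        store.update({
            "salt": salt.hex(),
            "verifier": cls._derive(password, salt).hex(),
            "failed": 0,
            "threshold": threshold,
            # Data-encryption key: user data is encrypted under it, so discarding
            # it (crypto-erase) is what makes device-kill instant and complete.
            "dek": os.urandom(32).hex(),
            "wiped": False,
        })
        return cls(store)

    @staticmethod
    def _derive(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                   salt, PBKDF2_ITERATIONS)

    @property
    def failed(self) -> int:
        return self.store["failed"]

    @property
    def wiped(self) -> bool:
        return self.store["wiped"]

    def attempt(self, password: str) -> str:
        """Return 'unlocked', 'denied' or 'wiped'."""
        if self.wiped:
            return "wiped"
        # Record the attempt *before* verifying: if power is cut during the
        # check, the attempt still counts, so pulling the battery gains nothing.
        self.store["failed"] += 1
        candidate = self._derive(password, bytes.fromhex(self.store["salt"]))
        if hmac.compare_digest(candidate, bytes.fromhex(self.store["verifier"])):
            self.store["failed"] = 0
            return "unlocked"
        if self.store["failed"] >= self.store["threshold"]:
            self.kill()
            return "wiped"
        return "denied"

    def delay_seconds(self) -> int:
        """Escalating delay after the first few failures: slows guessing without
        pushing a user who mistyped twice straight toward a wipe."""
        f = self.failed
        return 0 if f < 5 else min(2 ** (f - 5), 3600)

    def kill(self) -> None:
        """Device-kill: discard the data-encryption key and verifier, mark wiped."""
        self.store["dek"] = None
        self.store["verifier"] = None
        self.store["wiped"] = True


def simulate_brute_force(password: str, guesses: list[str],
                         threshold: int = DEFAULT_THRESHOLD) -> list[str]:
    """Provision a lock, 'reboot' between guesses (fresh object, same storage)
    and return each guess's outcome. Constructed scenario, not a real incident."""
    flash: dict = {}
    DeviceLock.provision(flash, password, threshold)
    results = []
    for g in guesses:
        lock = DeviceLock(flash)          # reboot: counter is read back from storage
        results.append(lock.attempt(g))
    return results


if __name__ == "__main__":
    guesses = ["a", "b", "correct horse", "c"] + ["x"] * 12
    print(simulate_brute_force("correct horse", guesses, threshold=10))
```

Two design points worth noting: the counter is incremented and written before the password is checked, so an attacker who cuts power mid-check still burns an attempt; and a successful unlock resets the counter, so the wipe threshold counts consecutive failures, matching the policy described above.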
Mari-Len De Guzman is a writer for IT World Canada.