Mobile Security: Data goes walkabout
By Magnus Ahlberg, Managing Director of Pointsec Mobile
Wednesday, 4 May 2005 13:02 EST



Mobile security is a hot issue, but who is listening? The mere word 'security' sends most people running. Investing in preventative IT security has never been a very popular topic. It often needs a competitor or an organisation itself to become a victim of crime before senior executives sit up and listen.

In addition, users are lazy and complacent when it comes to IT security: they do not value the information they carry around with them, and most are too busy to worry about anything that will further complicate their lives.

Surveys show that big organisations lose 3%-5% of their laptops every year. And recent research by my own company shows that such machines quickly end up on the open market. We found that laptops lost in transit at the UK's Gatwick and Heathrow airports or on Eurostar trains or handed in to the police were put up for auction if they were not reclaimed after three months.

We visited an auction used by Gatwick airport and found that even before buying any laptops we were able to start them up to inspect whether they worked - and using password recovery software we were able to access the information on a third of them; we also bought second-hand disc drives - and all their information - for just £5 through an online auction service.

Personal digital assistants (PDAs) have fast become even more of a risk to companies than laptops, if anything. PDAs are now firmly entrenched as corporate communication tools: almost half are used to receive and view corporate emails, and a third now double as a phone.

Research by this year's UK Infosecurity event and my company found that a third of users do not protect their mobile device even with a simple password, even though they typically store highly confidential company and personal information - including all their other passwords, personal identification numbers and bank and credit card details.

Two-thirds of users do not have their data encrypted - a figure that has remained roughly unchanged for three years.

These figures suggest that the importance of security is not registering, or that company policies are not being enforced, even though more than 50% of companies now have mobile security policies, compared with 27% last year.

All this means that information is vulnerable to opportunists, hackers or competitors. A lost PDA could have huge impact on customer confidence and do untold damage to a company's reputation.

The figures become even more worrying when taken alongside the finding that 13% of respondents have lost their PDA or had it stolen.

As well as the potential damage to their company or themselves through confidential information falling into the wrong hands, there is considerable personal inconvenience: our survey found that it takes users an average of two days to recover and enter data into a new PDA if their previous device has been lost or stolen; in addition 40% would not be issued with a new company mobile device, and 18% would be reprimanded.

With an increasingly mobile workforce - often using privately bought mobile devices - executives and IT departments must take more notice of who is carrying what information around with them, and make sure the devices are under control. Here are some simple pointers.

First, take responsibility for IT security away from all mobile staff and centrally manage and deploy it. Work on the premise that no staff can be trusted to safeguard their devices. Accept that they are just not interested in security.

Ensure that there is a mobile use policy or that the corporate IT security policy has specific provision for mobile devices and that it gets updated whenever you adopt new hardware categories such as combined PDAs and phones. The information that needs to be protected is the same; new devices just offer different ways of storing it.

Have a blanket approach to security by owning every mobile device that leaves the office, and make access control and encryption mandatory. Do not allow users to use their own mobile device to store company information.

Record the serial numbers of all PDAs and similar devices, including memory cards.

Do not be fooled into believing that users are protecting their devices with the factory password settings or encryption. Nine times out of 10 they will not be doing this.

Invest in a solution that is usable and flexible. Users will disable security if it gets in their way. Easy access and transparent encryption products that do not slow down user devices are now available.

Be realistic about passwords: users hate them. An enforced, long password will either get forgotten or written down because it is hard to remember - potentially compromising security. If users can choose themselves, they will pick the easiest ones to crack, such as their child's name. One option is to dispense with passwords altogether: for example my company offers access control based on a series of pictures chosen by the user from a randomly displayed larger gallery. Images are hard to forget. And it is difficult to write down this 'password' for others to find.

Accept that users will take no notice of security, but do not give up: send them a mobile security use policy - and make them sign and return it by getting the human resources team to work the policy into their appraisals.

Educate users to make them streetwise but accept that they will still leave their devices in the car, a bar or an airport or get pickpocketed in crowded places.

Mobile security need not be complicated. It is simply a matter of having a blanket approach with central administration of all devices and centrally managed encryption and password protection that users cannot get round. This approach can give the organisation the insurance it needs - and is inexpensive to administer.

USB menace

Fast growing use of small devices with simple USB connections is increasing the amount of company information being carried around in public by staff with little regard for security, according to new UK research by encryption products specialist BeCrypt.

Nearly two-thirds of people questioned said they connected devices such as memory keys, flash drives, music players and smart mobile phones to company computers to download information - and more than a third said their devices had been received as gifts, with no clearly identifiable source.

In addition, nearly a quarter admitted to having lost portable storage devices. More than half claimed ignorance over the impact that the misuse of portable storage devices could have on overall data security.

BeCrypt's recommendations on mobile security are in line with those of Pointsec Mobile Technologies (see main article). BeCrypt recommends a clearly defined process for communicating to staff the security policies covering USB devices, and the risks; clear guidelines to staff seeking to connect USB devices, and how to get them authorised; and clear procedures for reporting the theft or loss of a portable storage device.
BeCrypt also suggests a need for flexibility that takes into account the diverse needs of different users.

'Sloppy security practices and policies are making the rise of USB devices a real menace for employers,' says BeCrypt chief executive Peter Jaco. 'USB means users are free to connect any device they wish. Security policies need to lock down USB device use, but also to regulate and permit use where devices are truly useful.'