Sean Glynn, Credant Technologies: Mobile Security – the time has come for action
February 2010 by Sean Glynn, VP Director of Product Marketing of Credant Technologies
The outbreak of potential data breach reports in the UK prompts obvious and inevitable questions: How can these things happen in the first place? How many more times is personal information lost without anyone’s acknowledgement and, some would argue most importantly, what can be done to secure the corporate defences?
Mobile computing allows individuals (both consumers and professionals) to stay in touch and work together effectively, but to do this, they need access to up-to-date data. No longer restricted to laptops and mobile phones, the growing trend is for employees to take advantage of the latest must have gadget, even using personal devices to supplement company owned technology, to maintain contact whilst out of the office. One such development is the growing popularity of netbooks which are small, low on power, ultra-cheap, super portable and the fastest growing segment of the computer industry. During 2009, the year with the worst recession since the Great Depression, netbook sales managed to soar over 100% compared to all of 2008. However their lack of an optical disk drive is fuelling increased usage of USB devices to transfer, and in some cases, store data. Whilst memory sticks are arguably still the weapon of choice, even those whose primary purpose isn’t data storage are being used to conceal sensitive information - from iPods to digital cameras, in fact anything with a digital memory capacity.
How big is the iceberg …
Whilst the significant economic benefits to this data migration are obvious, so are the problems it causes :
Companies are increasingly utilising and deploying laptops and smartphones to their workforce as part of their critical business processes, so the data they contain can be extremely confidential. Organisations are now using small, cheap devices such as memory sticks to store and move data – unfortunately, these devices are easy-to-lose, and just as easy-to-read. Data which is stored on these mobile devices typically is not protected (encrypted) in any way … if the device gets lost, then the data it contains gets lost too, and becomes available to anyone who finds it.
A further complication presented by a lost or stolen mobile device is, if they are not properly protected, they can provide an entry key to the soft underbelly of the corporate network for opportunists, hackers or competitors. The weakest link in any corporate security defence is typically the end user themselves who characteristically bypasses password authentication for the device. Another common situation is automatic form completion, including passwords, to access online services – for example the users hotmail account, but this often includes authentication to other systems, such as the organisations VPN, from where the corporate gems are left bare for all to see and be taken. Unbelievably, it is also common for users to keep a document, detailing log on details and passwords, in an unprotected file stored on the device.
Since 25 million child benefit records went missing in November 2007, more than 700 organisations across the public, private and third sectors have reported security breaches to the Information Commissioner’s Office (ICO), however in only 231 cases the data was specifically targeted and stolen.
It’s as if no-one cares
Organisations have always had an obligation to protect data in order to comply with regulatory requirements, however there were some who argued that the government needed to create the right legislative framework to motivate companies to adopt a ‘customer data protection’ mindset. In January this changed with the announcement that the Information Commissioner has finally been granted new powers to issue fines of up to £500K, starting in April, to anyone who knowingly or recklessly flouts any of the eight principles of the Data Protection Act. With the cost of data breaches already staggeringly high for UK businesses; last year the average breach cost £1.7 million, or £60 for each identity lost, from April this cost could exceed £2M. The ICO does not want to stop there, if he gets his way breaches of data protection law could one day be punishable with jail sentences for those involved.
Even on a personal level, it’s hardly going to help your promotion prospects, nor look good on your resume as is more likely the case, if you’re ultimately responsible for a breach - regardless of whether it’s a corporate or personal mobile device.
The time has come for action
Security is a two way process – at the end of the day employer and employee are both playing for the same team as insecure data is bad news for all, and ultimately affects everyone’s pockets. The most effective strategy is to complement sensible, workable policies, with centrally controlled security technology, combined with trust, education and understanding :
1. Educate the workforce, not just those considered as mobile, to the risks posed by their activities and the devices that they use
2. Dictate the management of all mobile devices, irrespective of ownership, in a security policy
3. Specify that all staff members sign the security policy to ensure they will not download unnecessary sensitive information, nor will they disclose this information to a third party, and make sure the appropriate software is in place to enforce the policy
4. It should never be left up to the end user to make data secure – they don’t have the time or the knowledge, and it certainly wouldn’t be considered as “reasonable and appropriate” (the underlying theme of mobile security regulation) if the device, and the data it contained, was lost or stolen.
5. Encryption software is now available which can protect data on virtually every end-point
6. The ICO will require some form of evidence of data security so the ability to prove it is paramount if a £500K penalty is to be avoided. By using a solution that includes a central management console every device, regardless of type or ownership, is protected and can be tracked.
7. Make users of iPhones and other smartphones with full mobile internet access aware of the risks of opening attachments or clicking on links to potentially malicious websites and ensure the device’s firmware (operating system) and browser are updated to the latest version and patched with any security upgrades.
Companies, now more than ever, have got to protect their intellectual property and employees must play their part by respecting the information they are working with and correctly using the devices they’re accessing it with, for everyone’s benefit.