Bring your mobile security up to scratch
It's an expensive business having your laptop stolen, as the Nationwide Building Society found out last month — and Worcestershire County Council may soon discover.
But the biggest cost doesn't necessarily come from having to replace the lost system. Rather, in Nationwide's case, the main outlay ended up being the £980,000 fine imposed by the Financial Services Authority, for what the regulator deemed were serious information-security lapses. Much time and money were also spent in informing customers of the potential risks they could be exposed to because of the theft, which took place at an employee's home in August 2006.
As a result, although Philip Williamson, Nationwide's chief executive, said "there has been no loss of money from our customers' accounts as a result of this incident", and that if there were they would be reimbursed anyway, the situation has nonetheless led the company to commission "a comprehensive review of information security procedures and controls".
Worcestershire County Council, meanwhile, was informed by its IT supplier Serco that an employee had a laptop stolen from them in a street robbery over the weekend. The laptop contained the personal details, including bank and national insurance information, of 16,239 staff and former personnel, laying them open to possible identity theft.
The council has alerted affected staff of the incident by letter and opened a hotline for them to call in order to obtain more information on how they can protect themselves from possible fraud.
But these two organisations are not the only one to have laptops disappear on them. According to a Freedom of Information enquiry undertaken by our sister publication silicon.com in August 2006, a swathe of government departments have suffered losses of their own.
The Ministry of Defence, the worst affected, reported 21 laptops stolen between July 2005 and July 2006. The Home Office saw 19 filched, the Department of Health, 18, the Department of Trade and Industry, 16, HM Prison Service, eight and the Identity and Passport Service, four.
But theft is not the only means by which laptops go walk-about. A 2005 survey of London taxi drivers undertaken by Taxi, the magazine for the Licensed Taxi Drivers Association, and sponsored by mobile security supplier Pointsec, found that over a six-month period passengers left an astonishing 4,973 laptops behind — although 96 percent were returned to their owners after the drivers went to the effort of tracking them down.
A further 5,838 PDAs were also abandoned in this way along with an astounding 63,135 mobile phones — an average of three per cab — although in the latter instance, drivers managed to return about 80 percent.
This would all seem to indicate that, in spite of offering convenience and flexibility to an increasingly dispersed workforce, mobile devices are nonetheless generating their own set of information-security risks.
One of the key concerns here relates to data leakage and the fact that unauthorised people could potentially get their hands on sensitive corporate information if laptops are lost or stolen.
Despite this, according to the Department of Trade and Industry's Information Security Breaches Survey 2006, undertaken every two years by PricewaterhouseCoopers, four-fifths of UK companies still rely on nothing more than passwords to protect their systems.
The problem with this, points out David Perry, a principal analyst at research company Freeform Dynamics, is that passwords are notoriously insecure. "People often use an unoriginal password or have it socially engineered out of them during a quick phone call. Quite a few are also in the habit of writing them down, but thieves always know where to look. For example, if they nicked the laptop bag too, it may well be in there," he says.
The situation is compounded, however, by the growing presence of wireless networks, used by staff when they are out and about and, to an increasing extent, when working from home.
Where the difficulty comes in here is that it is currently more or less impossible for users to know whether they are hooking up to a legitimate network or to a rogue hotspot — an issue that is particularly acute for users of Intel Centrino-based laptops, which look for a signal as soon as they are fired up.
This troublesome state of affairs is not helped by the fact that wireless security technology is still in its infancy, although products such as AirTight Networks intrusion prevention software are starting to emerge to tackle the issue.
Another potentially dangerous situation, says Ian Kilpatrick, managing director at distributor Wick Hill, is that of someone creating a so-called man-in-the-middle scenario.
"The user may believe that they've successfully connected to the wireless network, but someone else may have already got onto it and they could be connecting through them," he explains. "This means that person could log in using the employee's details and see any data that's flying back and forth, although the biggest single issue is that once they've got an identity, they've got it for ever."
As a result, Kilpatrick recommends that organisations ensure staff use SSL or IPsec virtual private networks when connecting to the internet from their machines, and also that laptops come with two-factor authentication products such as tokens or digital certificates to ensure that users are who they say they are when they try to log onto the corporate network.
Another vital tool is encryption software to protect any sensitive data that is held locally on the laptop. This, Kilpatrick says, can cost as little as £70 per machine these days if purchased in volume, "which compared to potential fines and reputational damage is trivial money".
A further worry, meanwhile, is the extent to which laptops can leave the corporate network open to infection by malware. According to a study by Symantec's Enterprise Security Group in 2005, the most common source of automated worm attacks was employee laptops, with 43 percent of organisations saying that incidents had been generated in this way. A further 34 percent indicated that infections were caused by the laptops of non-staff members.
Unfortunately, however, says Phil Huggins, chief technology officer at security consultancy Information Risk Management, the use of programs other than antivirus and anti-spam to protect client devices is erratic at best.
"The concept of endpoint security tends to be a very basic thing. It's pretty accepted now that you'll put antivirus software and maybe some anti-spam on all laptops, but deploying things like intrusion prevention, personal firewalls or encryption software, all of these are patchy," he says.
To make matters worse, while organisations may be vigilant in ensuring that their internal systems are patched and security software is kept up-to-date, all too often they are haphazard in lavishing the same care and attention on their laptop estate.
This is where remote management software can prove useful. Such systems can...
... be configured to ensure that applications are kept current, that security updates are applied automatically and that the correct connectivity settings are in place. They can also be used to remotely disable and wipe data from stolen or lost laptops when the next attempt is made to connect to the network.
Another useful tool is network access control (NAC) software, sold by vendors such as Cisco and Juniper Networks. This denies laptops access to the corporate network if they do not comply with internally set security policies, and quarantines them until they can be either cleaned up or their software updated.
As Kilpatrick points out, simply deploying clever technology is not enough, however. "Technology is what you deploy at the back end when you've determined what the problem is and what level of risk the business can take," he says.
This means that to make information security as effective as possible in this area, it is crucial for organisations to formally assess how and why they want to exploit mobile technology and to undertake a risk assessment on that basis. The risk assessment and any subsequent gap analysis should then form the basis of a mobile security policy and a statement for staff relating to acceptable usage.
Perry explains: "You have to understand where you are vulnerable and the risk you can tolerate. Everything else flows from that — the user training, the policies you introduce and the technology you deploy should all be driven by this top-down view. It's the anchor point for everything."
In terms of user training, which Perry sees as crucial, it can be useful to conduct a walkthrough of potential risk scenarios and how to deal with them in order to raise awareness. It may also be worth encouraging staff to work on the assumption that "stuff is always going to get lost" and to remind them that their laptop is the property of the company, not their own.
The aim of this is to help them appreciate the need for security mechanisms in the first place, which may otherwise be disabled or bypassed if they are felt to be too inconvenient.
And this is an important point. If mobile devices are locked down too tightly, the very ease-of-use and convenience that have made them so widespread may be compromised. So it is crucial to get the balance right.
Another thing to bear in mind, says Kilpatrick, is that it is always cheaper and more effective to embed security into organisational behaviour from the outset rather than try to retrofit it later.
"If security isn't dealt with as part of a business case, it tends to be viewed as an expensive add-on and a bit of a pain in the backside. But if the business acknowledges from the start that security is necessary, even though it will add maybe £250 to the price of any new machine, it will be prepared to factor that in," he says.
This means that it is crucial for the business to understand the security risks they face and to be prepared to take responsibility for them. As Kilpatrick points out, if the last employee to go home for the day left all of the doors and windows of the office open and told the security guard to go home, they would be held accountable for any incidents and would probably be sacked for misconduct.
"But it's considered acceptable to let staff wander round airports with no security on their laptops, potentially broadcasting their log-in details all over the place, and then to have that individual feel no responsibility. What it's about is having the board understand the risks and understand that it has responsibility for them, not the IT department," he concludes.