Keep mobile data from going walkabout

Mobile email is no longer the preserve of upper management but providing access to company information on the go has its risks
Written by Sally Whittle, Contributor

Scottish Law firm MacRoberts recently joined the ranks of companies who have decided to give employees access to email on the move. The firm recently issued BlackBerry devices and 3G data cards to staff to help them stay in contact with colleagues and clients.

"Mobile working definitely makes people more productive, and I think potentially [it] has helped us to retain clients by offering better service," said David Murphy, the firm's IT director. "It is increasingly something that people expect us to have."

Mobile working is coming to be seen as a standard service within the professional-services sector, Murphy added. The next step for the firm will be extending access to practice-management and document-management applications to mobile workers.

Research by RIM, the company behind the successful BlackBerry, suggests that using a mobile device to access information on the move can save workers as much as 90 minutes per day.

However, there is no question that mobile data can also present a security risk. Nine out of 10 companies say they aren't completely sure which mobile devices are used by employees or what information they contain, while 60 percent of data breaches reported to authorities involve lost or stolen mobile devices.

MacRoberts makes security a high priority for mobile workers, who may be accessing highly confidential client files, said Murphy. The company has a comprehensive security policy that users are expected to follow when using mobile technology.

A good mobile-security policy begins with a careful assessment of exactly what mobile working looks like inside your company, advised Adrian Tatum, mobile-solutions director with services company Computacenter. For example, are workers using laptops or a range of devices to connect to the network? Are they checking email or using applications and, therefore, writing data to the network? Are mobile workers free to download information to USB sticks or CD-ROMs if they are working from home?

"The biggest mistake is thinking that mobile working is just about a few BlackBerrys with email," said Tatum. "Many small firms think it's just about devices and they're coming at it from completely the wrong angle."

Once you have an idea of which workers are using devices and what information is being accessed, map this information carefully and consider whether it is appropriate. "Every time you have a new device connecting to information, or a new application being accessible to mobile workers, you're creating new copies of information and every new copy is a new risk," explained Graham Titterington, a principal analyst with Ovum. "Your job is to balance that risk against the benefits that mobile working will bring."

This assessment should give an idea of how much access different users need, and to which applications. "Often, you find people are walking around with access to the entire customer database, when they could really manage with a link into their calendar, which pulls relevant customer details needed on a particular day," said Titterington.

There are technologies available that will allow you to create web-based front-end applications for mobile workers who need access to a limited part of bigger enterprise applications, added Andrew Kellett, a senior research analyst with Butler Group. "It may be that it's more effective to have a small, web-based application written that sits on the device and allows people to record information on the move, which is then sent over a secure connection back to the main IT infrastructure."

It's also possible to configure many enterprise applications to provide differing levels of access for different employees. "Once you know what people need, you can set pretty much any sort of policy," said Kellett. So, for example, you could provide different levels of mobile access to financial records depending on an employee's security clearance, giving a director full access but sales staff more limited information. You could also impose rules about what sorts of devices can download information, so that certain data can only be viewed on laptops running antivirus software, for instance.

Once you have secured your corporate network, consider how to secure the connection between the network and mobile workers. "You need to look at how you ensure that, when workers connect to your corporate network, they are who they claim to be, and the connection isn't going to be intercepted and provide someone with a route into your systems," said Alec Howard, head of laptop connectivity with Vodafone UK.

The simplest and most inexpensive way for small firms to secure network connectivity is with an SSL VPN, or virtual private network...

...which provides a secure "tunnel" for internet traffic. However, you should consider additional methods of authentication, such as strong passwords or keycards, if information is particularly sensitive, Howard recommended.

The third layer of mobile security is the mobile device itself. This is where the biggest security risks are, said Monica Basso, a vice president with Gartner Research. Think about what happens if an employee leaves their laptop in a cab or if a smartphone is stolen. Would the thief be able to access the information contained on the device? Are devices vulnerable to web-based attacks from malware or viruses?

"On the device side, the priority is to authenticate the user, protect locally stored data and secure the network connection," said Basso. "At the least, you should have passwords. You may also want to think about controlling features such as cameras or Bluetooth, and limiting application installation and data transfer."

"Encryption of data on mobile devices is the absolute bare minimum and I think you'd be considered negligent if you failed to use it," added Ovum's Titterington. "However, it's important to remember that encryption is only as good as the key management that goes along with it. If the key is stored on the same machine, then you really might as well not bother."

In addition to encryption, Titterington recommended setting policies to ensure that all mobile devices are password-protected and run up-to-date antivirus software. It is also important to be sure that mobile devices running software are included in your company's regular patch-management programme, so that security holes aren't left unpatched on laptops or mobile computers.

There are a range of remote "wipe" products that can also be used to wipe a mobile device's hard drive if it's lost, often within minutes. This renders the information completely inaccessible to anyone who has stolen a device.

Gartner has also recommended that SMEs use full encryption of application data, file systems for internal memory and external cards, device lockdown, remote wiping and port control.

"You should also have a single manager with responsibility for device management and policies, who is responsible for things like remote software downloads, upgrades and policy enforcement," said Basso. "This means mobile devices will all be secure and compliant with security policies."

Having a single manager also makes it easier to ensure that your overall security policy provides complete coverage of the three distinct elements of mobile working: the device, the network and the transmission of data.

"That's important because the market for mobile security is very fragmented," said Basso. "There are more than 100 different products that all address different aspects of mobile security, from device encryption to mobile VPNs and user authentication."

Most companies will probably need to invest in a number of different products on either the server or client side to provide full security, Basso said.

Finally, bear in mind that technology can only get you so far when it comes to mobile security and even the best IT systems are usually no match for a determined user. "You can usually guarantee that a user will find a way to get around almost any policy you care to set," said Titterington, "particularly because you can't totally lock down any device. You're constantly looking to balance security with usability."

For this reason, it's vital for companies to invest in training and education for workers, alongside the technology used to secure mobile workers. "Telling someone they can't access online games is one thing, but explaining to someone the risks of malware from unknown websites and the responsibility they have for protecting their employer from these risks is [much] better," said Kellett.

Ultimately, however, it's a mistake to assume that mobile computing will ever be 100 percent secure, said Titterington. "I'm not sure many firms could protect mobile devices from a really determined attacker. The reality is that you're protecting yourself against the 80 percent of thefts that are opportunistic and that's about the best you can do. Things like encryption, passwords and PINs are big hurdles for those kinds of people, and definitely worth using."

Editorial standards