Quocirca's Straight Talking: The way to mobile security

Come up with an airtight policy - then educate your users...

Come up with an airtight policy - then educate your users...

With more and more people using handhelds and mobile phones to store critical corporate data, the need to secure these devices has becoming increasingly dire. Quocirca's Clive Longbottom offers advice on how to safeguard your IT systems.

My laptop has, unsurprisingly, a 40Gb hard disk drive, on which I carry around a lot of corporate presentations, documents, contact details and the like. It also has a flash memory slot in which I can put up to an extra 8Gb of removable storage, and a few USB2 ports through which I can stream as much data as I want to external storage devices, be they thumb drives or portable hard drives.

This all adds up to a significant data security risk. Most companies accept this and enforce certain levels of security requirement on the user, such as two-factor authentication, firewalls, antivirus protection and so on.

I also have a PDA. This has 128Mb of memory (not even enough for a single PowerPoint file); a flash memory slot, which gives me the capability of an extra 8Gb of direct storage or more if I use multiple cards; and an SDIO card slot, which makes it possible for me to plug this little marvel into many other devices.

My smart phone has some storage (only 32Mb) but that can also be bolstered through the addition of MMC/SDIO memory cards.

What all of this means is that I have the capability to carry around a lot of corporate (and personal) information with me wherever I go. This undoubtedly helps me in my day-to-day business life. But what happens when I lose one of these devices? If it's my laptop, I at least have a certain level of protection via the standard Windows challenge/response password system, and it would be hoped my company has put in place certain other steps to ensure that should anyone compromise my system, they would not be able to also cause havoc across the company.

When it comes to handhelds, it's different. It's relatively difficult to leave a laptop behind anywhere - it's a 3kg block of weight that comes at a high cost and tends to be noticed. With a PDA or a phone, though, it's a couple of hundred grams of easily replaceable plastic and metal with little inherent value. After all, you'll be back up and running again in no time, yes?

Well, not necessarily. Very few people set up any level of security on these devices; most even fail to utilise the four-figure PIN on start up. And encrypting the data is almost unheard of. Antivirus software and firewalls for these devices are in their infancy - luckily, few vulnerabilities have been exploited so far. Yet as we begin to use these devices in more critical ways - to access our email and corporate applications, to store a list of contacts - it's still easy to carelessly leave them in the back of a taxi.

Companies wanting to get on top of this will obviously have to do more than rely on the best intentions of their employees

Quocirca research in this area shows the major hurdles for companies looking at putting in place a handheld usage strategy are the cost of managing the devices and the security issues around them. However, the issue of security was seen as being diminished by those who had already gone down the road of a controlled laptop implementation. Indeed, those who were the most advanced saw little difference in the real needs for security behind the use of handhelds and laptops.

For those with experience of mobile deployment, the biggest issues were data falling into the wrong hands or simply losing the data due to loss or theft of the device - which brings us back to the real problem: the user.

Mobile devices provide means of usage that are just too easy for bypassing basic security needs. You pay your money at the duty free or high street shop, and 10 minutes later you have a fully functional system that may have access back to the office (unless they've locked you out). You set up your email access, use the remote access client that's available on the device and - presto - you're thinking that there's no stopping you.

Then, you lose the thing - no problem, you can always expense another. But say someone finds it on the street. They press the 'on' button and the device automatically connects to your email inbox. Then the stranger can read, reply to and send emails in your name.

If only you'd put in that four-number PIN. It would have at least slowed them down.

Companies must have suitable policies and procedures for the security of mobile devices and users, which must reflect the internal security policies and procedures around information and data access. Users must be educated in what these policies and procedures mean to them - down to the level of acceptable devices, and the need to secure the device and encrypt the data on it.

And yes, because these carbon-based bits (i.e. the users) are the most fallible link in any security chain, you will need to have solutions ready for when someone comes up and says that their smart handheld device has been 'stolen' (aka 'I left it in Starbucks'). These solutions must be able to lock that device out of your system completely, and should be able to bomb the device itself, wiping any and all data that is held on it.

Yes, this will turn the device into a couple of hundred pounds' worth of mostly useless shiny plastic and metal - but it will also keep your systems compliant and safe.

Quocirca's report on this area, Mobile Devices and Users, is available free of charge from our website.