Worker mobility impacts SMB data protection

To maintain security, small and midsize firms must adopt a strategy that combines people, processes and technology focused on preventing data leakage.

Advances in technology have increased the mobility of workers and this has impacted how small and midsize businesses (SMBs) protect confidential and proprietary information.

Current trends in technology are forcing SMBs to shift their security approach from putting up walls around their infrastructure to finding ways to control the access and use of data while still making it available.

Today's workforce is increasingly mobile and more workers are using a wide range of mobile devices to access business data over insecure public and home networks--all potential sources of data leaks.

SMBs are facing the challenge of keeping their information widely available, while at the same time managing control over how it is being used and who has access to it.

A 2007 Gartner report identified the arrival of consumer-based technology into the workplace as the biggest threat to a company's security. According to the report, the four technologies that present the most risk are:

  • USB devices: The practice of downloading sensitive business data on devices such as portable memory sticks and MP3 players poses a substantial security risk. Most SMBs find it increasingly difficult or impractical to ban the use of such devices. In the absence of an outright ban, SMBs should take precautions to limit the risks of these devices.
  • Social networks: An increasing number of employees now post blogs and participate in social networks and other Web 2.0 applications, both inside and outside of the workplace. To protect intellectual property and other important data, SMBs need to adopt clear policies on how sensitive information should be handled on blogs and social networking sites.
  • Mobile devices: Today's smart phones can be used like a computer and have increasingly become the target of malicious attacks. Without stringent compliance with security policies, the use of mobile devices can place a business's confidential data at risk.
  • Remote connectivity: Allowing employees to connect to business resources from remote locations increases productivity and saves costs for many SMBs, but it also means that workers are accessing corporate data over insecure public and home networks.

A carefully thought-out and comprehensive approach to data protection starts with SMBs having a clear understanding of what data loss prevention (DLP) really is.

The data leakage checklist
DLP is the combination of people, processes and technology focused on preventing confidential information or other sensitive data from leaving an organization. Some of the questions that SMBs should ask themselves before embarking on their DLP journey include:

  • Where is their business data stored?
  • How do their employees, partners and customers use it?
  • Is information being downloaded on USB drives and other portable devices?
  • Is proprietary or confidential information being sent via e-mail?
  • Is there a clear company policy regarding how sensitive information should be handled, and if so how is it enforced?

An e-mail health check that Symantec ran on 560 companies in the Asia-Pacific region from November 2007 to February 2008 found that while 47 percent of APAC businesses use mobile devices like laptops, PDAs and mobile phones to access their e-mail, the majority fail to deploy proper security solutions:

  • 69 percent of these mobile warriors do not have mobile security policies
  • 73 percent do not have antivirus software
  • 75 percent do not have firewall software

This is worrying because mobile devices, while providing a means to increased productivity and flexibility, can be easily lost or stolen, and the data on them accessed by an unauthorized third party if there is no security software in place.

Endpoint encryption is extremely important, yet it is often overlooked by many SMBs, despite the fact that many mobile devices contain sensitive information such as business data, financial records, or confidential customer information. Endpoint encryption should be applied as part of a larger information protection strategy to help protect sensitive information and interactions.

With encryption in place, mobile devices are protected from unauthorized access, and sensitive data will not be exposed should these devices be lost or stolen.

Organizations everywhere now rely on high-speed networks and mobile computing to more easily share and access information. The growing popularity of consumer technologies in the workplace is a constant challenge to the traditional security models of SMBs. Such businesses will continue to face unrelenting pressure to protect their confidential and proprietary information, and must leverage technology to meet their current and future security needs.

Eric Hoh is Asia South vice president and head of global account, Asia-Pacific and Japan geography, Symantec.