"One of our laptops is missing". These are words no IT manager ever wants to hear. Beyond the embarrassment, there is the danger of seriously bad publicity, damage to brand equity and legal liability. It is possible that losing even a single mobile computer loaded with sensitive information can kill an otherwise thriving business.
The good news is that current technologies and best practices can lower the risk dramatically when mobile computers are lost or stolen.
The first step is to recognise that a lost or stolen mobile device is a data management problem, not a physical-asset inventory problem. A laptop or any other computer is just a container. It's the information on the machine that can hurt you if it falls into the wrong hands. Mitigating the risks involves proactively managing and protecting sensitive information from unauthorised access or disclosure before that asset goes missing.
IT managers traditionally have faced three hurdles in protecting sensitive information on fixed and mobile devices.
- Lack of real-time visibility into the configurations and kinds of information on individual assets. The majority of organisations don't have the foggiest idea about what information is on these devices, much less how well it is protected. This means that anytime a mobile device disappears, IT managers have to assume the worst and warn stakeholders of the maximum potential harm.
- Inability to set and enforce information management policies for individual assets. There are a number of actions managers should take to protect information on mobile assets. These include encrypting data; building in strong user-access controls; blocking data transfer from secure to non-secure devices (such as USB drives); and keeping antivirus, anti-spyware and anti-intrusion software up to date.
- Inability to manage information on assets intermittently connected to enterprise networks, that is, laptops and other mobile computers. Too many management tools have a blind spot when it comes to mobile systems. Either they ignore such systems entirely or access them only when hard-connected to enterprise networks. Needless to say, there is ample opportunity for roaming mobile systems to drift out of policy compliance.
Overcoming these hurdles at first sounds like a tall order, but technologies exist that enable effective, proactive protection of sensitive information on mobile devices. In particular, technologies combining agent-based client management, real-time reporting of client configuration and state, and ability to manage devices anytime they can "phone home" to the enterprise, offer the preconditions for building a proactive approach to reducing mobile-computer data-leak threats.
So, what happens when a mobile computer managed through these methods goes missing? First, managers will have a good idea of the kind of information it contained and the extent of the threat the loss represents to enterprise operations and company reputation.
Second, managers will be able to report to their bosses and the public that any sensitive information on the missing computer has been protected with state-of-the-art measures.
Finally, in the event it might log on to the Internet after it goes missing, a machine can be pre-programmed to identify itself automatically to managers and subject itself to actions that range from wiping clean all data on a disk or otherwise rendering itself inoperable. Here, however, managers should be aware that not all machines log on to the Internet and, as noted earlier, thieves can access the hard disk directly to explore it for data.
The best way to reduce business risks from wayward mobile computers is to focus on pre-empting the problem with effective management of sensitive data. While accomplishing this ideal sounds daunting, commercially available solutions can bring this vision close to reality.
Amrit Williams is CTO at security vendor BigFix.