However, theft of mobile devices is a problem for many reasons, not least because access permissions are often stored on the mobile device itself and there is no local security to stop a thief from simply booting the computer. For this reason, even allowing remote access can open a back door into company systems.
The biggest hack to date is the well-publicised attack on retailer TJ Maxx, in which an estimated 45 million customer records were stolen. The attack started by compromising a wireless LAN that used only Wired Equivalent Privacy (WEP) encryption, which can be cracked within 10 minutes by an experienced hacker.
The compromised network allowed entry to other systems and the breach has, according to the company, cost an estimated $12m (£6m), but analysts believe the figure may rise further once the full cost of the remedial work and the harm to the brand are taken into account.
Ensuring compliance through best practice
Bob Tarzey, service director at analyst firm Quocirca, offers the following advice on compliance where mobile data is concerned: “Ensuring you comply is a problem because the laws are changing at all levels via legislation and legal precedent. The application of best practice is needed, and these should be rigorous and reviewed continuously to withstand legislative requirements.
“Should the need arise, these precautionary measures will have to convince a judge or jury that all reasonable steps had been taken to ensure security.”
- Either making sure that sensitive data cannot be copied to mobile devices or, where copying is necessary, ensuring the data is encrypted on the device.
- Blocking sensitive data is a tagging issue and requires content filtering at the host to control what can and cannot be copied.
- Making sure employees use security access keys and ensuring these are not left attached to devices.
- Providing locked-down devices for users who only need limited capabilities so they can only access the functions they need and have no ability to copy data.
- Disabling Bluetooth.
- Using phones without built-in cameras, or disabling the camera function, as malicious employees can use the camera for data theft.
- Making sure lost devices can be disabled remotely or, preferably, erased if they are authorised to store sensitive data.
- Providing education around adhering to best practice that is related to the job.
However, before the issue of mobility can be addressed, it is necessary to understand the extent of the problem by carrying out an audit of all the mobile devices used within a company. Capricode has developed SyncShield, one of a growing number of mobile device management products that help to manage smaller mobile devices such as smartphones and PDAs. “The first step is to get information on the types of phone you have and the software used into one database. And while you can do it with Excel or with asset management products, it entails extensive manual work,” says Erkko Vainio, business development director at Capricode.
“A mobile device management product which is really designed for business use can allow you to collect the information over the air after you’ve installed a client on the phones,” explains Vainio.
According to Vainio, such an audit can also reveal the true extent of the problem, as it tends to produce some unpleasant surprises. “You may find that some people, even though most will have business phones, will be using their own private phones. This means that even though a company may have issued, for example, Nokia phones, the actual mix could include iPhones and BlackBerries.”
Vainio recommends limiting the number of operating systems and phone models to make the system more manageable. “When you commission a new laptop, it will have been standardised so you have a limited number of configurations. You can decide what kind of software you want to have on it and what the settings should be, whether it’s done by the reseller or using your own image. This is what IT managers know how to do, and this is what to aim for with the smartphones as well,” he comments.
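As an added illustration of both the best-practice checklist above (encryption on the device, Bluetooth and camera disabled, remote wipe for devices holding sensitive data) and the audit-then-standardise steps Vainio describes, the following Python script runs a simple compliance audit over a device inventory. This is example code written for this page, not part of SyncShield or any Capricode product; the inventory records, their field names and the approved-model list are constructed assumptions standing in for whatever an MDM client would actually report over the air.

```python
from collections import Counter

# Constructed sample records in the shape an MDM client might report.
# Field names and values are assumptions for this example, not from any product.
INVENTORY = [
    {"device_id": "d1", "owner": "alice", "model": "Nokia E71", "os": "Symbian",
     "managed": True, "encrypted": True, "bluetooth": False, "camera": False,
     "remote_wipe": True, "stores_sensitive": True},
    {"device_id": "d2", "owner": "bob", "model": "iPhone", "os": "iPhone OS",
     "managed": False, "encrypted": False, "bluetooth": True, "camera": True,
     "remote_wipe": False, "stores_sensitive": True},
    {"device_id": "d3", "owner": "carol", "model": "BlackBerry Curve", "os": "BlackBerry OS",
     "managed": True, "encrypted": True, "bluetooth": True, "camera": True,
     "remote_wipe": True, "stores_sensitive": False},
    {"device_id": "d4", "owner": "dave", "model": "Nokia E71", "os": "Symbian",
     "managed": True, "encrypted": False, "bluetooth": False, "camera": False,
     "remote_wipe": False, "stores_sensitive": True},
]

# The standardised build list: an assumed set of approved handset models.
APPROVED_MODELS = {"Nokia E71"}


def platform_mix(inventory):
    """Count devices per operating system: the first view of how many
    platforms are really in use, before deciding which ones to keep."""
    return Counter(d["os"] for d in inventory)


def audit_device(device, approved_models):
    """Return the list of policy findings for one device (empty == compliant)."""
    findings = []
    if not device["managed"]:
        findings.append("no management client installed")
    if device["model"] not in approved_models:
        findings.append(f"non-standard model: {device['model']}")
    if device["stores_sensitive"]:
        # Devices authorised to hold sensitive data must be encrypted and wipeable.
        if not device["encrypted"]:
            findings.append("sensitive data stored without encryption")
        if not device["remote_wipe"]:
            findings.append("sensitive data but no remote wipe")
    if device["bluetooth"]:
        findings.append("Bluetooth enabled")
    if device["camera"]:
        findings.append("camera enabled")
    return findings


def audit_inventory(inventory, approved_models=APPROVED_MODELS):
    """Map device_id -> findings for every non-compliant device."""
    report = {}
    for device in inventory:
        findings = audit_device(device, approved_models)
        if findings:
            report[device["device_id"]] = findings
    return report


if __name__ == "__main__":
    print("Platform mix:", dict(platform_mix(INVENTORY)))
    for dev_id, findings in audit_inventory(INVENTORY).items():
        print(dev_id, "->", "; ".join(findings))
```

Run as written, the script first reports the platform mix (three operating systems across four handsets, the kind of surprise Vainio mentions) and then lists each non-compliant device with its findings; the privately owned iPhone with no management client fails on every check, while an approved Nokia that merely lacks encryption and remote wipe produces two findings. Extending the approved-model set or the per-device checks is the natural way to encode a company's own standard build.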
Phil Huggins, chief technical officer at Information Risk Management, agrees with Vainio. “The big problem – and mobile is a really obvious indicator – is that people aren’t clear what their data is, or where it is,” he says. “As enterprises expand, more work is being done by people over remote browsers on BlackBerries and other mobile devices rather than at desktops. The big challenge is to understand how much risk you have already placed outside your traditional boundaries.”
Huggins adds that there are several issues that need to be considered around mobile device use. “Mobile devices are very easy to lose. As a valuable item to sell, these devices are quite highly targeted. I don’t think people are necessarily stealing these devices to get hold of data, but this could change. People are using their phones to store data and they’re also using USB drives. Companies are deploying applications specifically developed for mobile devices that allow employees to access dashboard applications, financial spreadsheets and such. The key problem is that people aren’t aware of the risks they are taking in the first place.”