The obvious solution to this is to devise policy documents and train staff to be aware of security issues. Staff members are rarely savvy about security and a lack of understanding can lead to errors. They are often working to meet deadlines and such pressure can lead to shortcuts. It is not unusual for pressurised staff to take copies of documents relating to their work so that it can be finished at home.
The best practice is to disable any port that can be used for copying. USB ports are obvious candidates, but there are also issues with Bluetooth, Wi-Fi and CD/DVD drives that must be addressed.
Huggins says: “Questions that must be asked are, do you have Bluetooth open to the world? Are you connecting to the internet constantly? It’s more to do with the configurations of the devices rather than the software security that is deployed on them. One interesting thing I have seen deployed on BlackBerry Enterprise Servers and also on other mobile manufacturers’ offerings is a ‘remote-kill’ feature. When you have a standard platform, you’re able to put in a server that can send remote-kill commands. If a device is endangered, you press the button and it eradicates its memory and kills itself. This is incredibly valuable, especially when combined with local device encryption.”
Various companies, including mobile device suppliers and network operators, aside from BlackBerry manufacturer Research In Motion, are starting to offer remote-kill facilities. There is also a burgeoning market for remote-kill services for laptops. In these cases, it is wise to ask what kind of service is being provided. Does the erasure process only delete files, or does it overwrite the data on the disk? If it merely deletes data, then an undelete application, freely available for download on the web, can retrieve the files.
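The difference between deleting and overwriting can be seen in a toy model. This is an added example, not part of the original article; the `ToyDisk` class, the file name and the sample content are constructed for illustration and stand in for a real file system.

```python
BLOCK = 16  # bytes per block in the toy model


class ToyDisk:
    """Constructed model: raw blocks plus a directory that points at them."""

    def __init__(self, blocks=8):
        self.data = bytearray(BLOCK * blocks)  # raw storage, as a recovery tool sees it
        self.directory = {}                    # file name -> list of block numbers
        self.free = list(range(blocks))        # unallocated block numbers

    def write(self, name, content):
        used = []
        for i in range(0, len(content), BLOCK):
            n = self.free.pop(0)
            chunk = content[i:i + BLOCK].ljust(BLOCK, b"\x00")
            self.data[n * BLOCK:(n + 1) * BLOCK] = chunk
            used.append(n)
        self.directory[name] = used

    def delete(self, name):
        """File-level delete: drop the directory entry, leave the blocks untouched."""
        self.free.extend(self.directory.pop(name))

    def wipe(self, name):
        """Overwriting erase: zero every block the file used, then drop the entry."""
        for n in self.directory[name]:
            self.data[n * BLOCK:(n + 1) * BLOCK] = bytes(BLOCK)
        self.delete(name)

    def residue(self, marker):
        """Audit check: does the marker still appear anywhere in raw storage?"""
        return marker in self.data


def erase_leaves_residue(method):
    """Erase a sample file with 'delete' or 'wipe' and audit the raw blocks."""
    disk = ToyDisk()
    disk.write("bid.txt", b"Q3 bid price: 4.2m")  # constructed sample content
    getattr(disk, method)("bid.txt")
    assert "bid.txt" not in disk.directory        # the file is gone from the listing either way
    return disk.residue(b"bid price")


if __name__ == "__main__":
    for method in ("delete", "wipe"):
        print(method, "leaves residue:", erase_leaves_residue(method))
```

On a real device the equivalent audit is to read the raw storage after the erase; flash wear-levelling can keep copies that an overwrite never reaches, which is one reason to pair remote-kill with device encryption.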
There is no substitute for encrypting information to protect mobile data. It is common practice to encrypt transmitted data, but not many people encrypt hard drives, optical discs, backups and USB drives. Huggins believes that this is essential. “If we’re talking about laptops, I advise full disk encryption,” he says.
“Some people seem happy to go with encrypted areas of the disk, where people are supposed to put secure files. Good security in business is about people making the best decisions based on training awareness and policy, but technology should also support them because they may not necessarily make the best decisions. Full disk encryption means people don’t have to be relied on to make the right decision – it’s just done.”
The idea is to reduce the value of any stolen device to the hardware costs. The harder it is to get at the data, the less valuable the device becomes to professional thieves seeking industrial espionage potential. Eszter Morvay, senior research analyst for European personal computing at analyst firm IDC, feels that even more protection is required.