An IT Manager’s Insight into Mobile Security

Mobile security is a hot issue, but who is listening? Who really cares? The mere word "security" sends most people running. Investing in preventative IT security has never been a very popular topic. Most board directors clam up and switch off at the words "Your company could be at risk if you don't invest in XYZ technology". It's a hard sell for IT managers, and it often takes a competitor, or the company itself, becoming a victim of crime before they sit up and listen. Users too are very lazy and complacent when it comes to IT security: they don't value the information they carry around with them, and most are just too busy to worry about anything that would further complicate their lives. This was made very clear in the Mobile Usage Survey conducted by Infosecurity and Pointsec, which found that a third of users don't bother protecting their mobile device with a password even though they store highly confidential company and personal information on it, including all their other passwords, PIN numbers and bank details.

Surprised by these figures? I doubt it! If you're an IT manager you'll have been there. In fact, your users have probably lost more laptops than you can remember. Surveys show that a large organisation loses between 3% and 5% of its laptops every year. Relaying laptop theft stories in the local pub is almost as commonplace as people boasting about how much their houses have shot up in price over the last two years. However, with an increasingly mobile workforce, often using privately bought mobile devices, the board and IT departments have to take greater notice of who is carrying what around with them, and take stock of the damage that could be caused if this information was lost and broadcast to the outside world. It is usually fine when company information just resides on PCs and servers in an office, as the IT department has far greater control over the information and what is being sent out. Now that the same information is being carried out of the office, left in bars or restaurants, in the back of taxis or trains, and most commonly forgotten in airports, the IT manager has a nightmare job on his or her hands.

Insuring against hardware theft is rapidly becoming pointless and expensive, and few companies bother to take out policies because the premiums are now so high. Plus, companies are now realising that the true cost of a stolen item of hardware is not the device itself, but the information it contains. No company is without laptops, PDAs or smartphones these days, so if you want to make sure your company does not become another statistic or victim of data theft, here are a few golden rules you may want to follow.

Golden Rule Number One:
You must have a mobile use policy, or ensure that your corporate IT security policy has specific provision for mobile devices, and you must update it whenever you adopt new hardware categories such as combined PDA/phones. The information that needs to be protected is the same; it is just stored in different ways.

Golden Rule Number Two:
Take the responsibility for IT security away from the end user and centrally manage and deploy it. Work on the premise that no one can be trusted to safeguard their device. Wake up to the fact that they are just not interested in security.

Golden Rule Number Three:
Invest in a solution which is usable and flexible. Easy access and transparent encryption that does not slow down a user's device is now available on the market. If security gets in their way, users will go to any lengths to disable it, or will buy their own device.

Golden Rule Number Four:
Have a blanket approach to security by owning every mobile device that leaves your office, and make access control and encryption mandatory. DO NOT allow users to use their own mobile device to store company information. Don't be fooled into believing that they are already protecting their devices with the "factory" password settings or encryption. Nine times out of ten they won't be. Record the serial numbers of all PDAs and similar devices, including memory cards.

Golden Rule Number Five:
Be realistic with passwords. Users hate them! An enforced long and difficult password will result in them writing it down or forgetting it. If they can choose themselves, they will pick the easiest passwords they can, such as their pet's or child's name, anniversaries or birthdays. You can bet that after a long Christmas holiday or annual leave they'll call the helpdesk to ask for a reset. One way around this is to dispense with the idea of passwords altogether. Pointsec, for example, has presented a new idea with its PicturePIN access control, which consists of a series of pictures chosen by the user from a randomly displayed larger gallery. Instead of having to remember a password in order to access his encrypted information, the user simply points out the pictures corresponding to "his" story. Not only is this system just as secure as traditional passwords, but there are other advantages too. It's novel, so there's more chance that people will want to use it. Plus, visual images are much harder to forget than faces. Organisations can even add their own pictures. And just in case the user is tempted to write down his "password", he'll find it very difficult to do so.

So the thief who steals a machine and expects to find the password for the encrypted drive written on the base of the device is going to be sadly disappointed.
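The picture-sequence scheme described above, as an added illustration (not Pointsec's code, and nothing here is taken from the PicturePIN product): it estimates how large the guessing space of an ordered picture "story" is compared with a numeric PIN or a short password, and shows how a device could store only a salted, slow hash of the chosen sequence rather than the sequence itself. The gallery, the 36-picture size and the four-picture story are constructed assumptions.

```python
import hashlib
import hmac
import math
import os
import secrets

# Constructed gallery: in a real product these would be image identifiers.
GALLERY = [f"img{i:02d}" for i in range(1, 37)]  # assumed 36-picture gallery


def guess_space_bits(gallery_size: int, sequence_length: int, ordered: bool = True) -> float:
    """Bits of entropy for a story of `sequence_length` distinct pictures.

    An ordered story (the sequence matters) has n!/(n-k)! possibilities;
    an unordered one only C(n, k), so order is what buys most of the strength.
    """
    space = math.perm(gallery_size, sequence_length) if ordered else math.comb(gallery_size, sequence_length)
    return math.log2(space)


def password_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a uniformly random password over a given alphabet."""
    return length * math.log2(alphabet_size)


def display_gallery() -> list[str]:
    """Random display order each time, so shoulder-surfed screen positions do not repeat."""
    return secrets.SystemRandom().sample(GALLERY, len(GALLERY))


def enroll(story: list[str], iterations: int = 100_000) -> tuple[bytes, bytes]:
    """Store only a salt and a PBKDF2 hash of the story; the pictures themselves are never kept."""
    if len(set(story)) != len(story) or any(p not in GALLERY for p in story):
        raise ValueError("story must be distinct pictures from the gallery")
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", "|".join(story).encode(), salt, iterations)
    return salt, digest


def verify(story: list[str], salt: bytes, digest: bytes, iterations: int = 100_000) -> bool:
    """Recompute the hash for the offered story and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", "|".join(story).encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    print(f"4 ordered pictures of 36: {guess_space_bits(36, 4):.1f} bits")
    print(f"4-digit numeric PIN:      {password_bits(10, 4):.1f} bits")
    print(f"8-char lowercase word:    {password_bits(26, 8):.1f} bits")
    salt, digest = enroll(["img03", "img17", "img22", "img08"])
    print("correct story accepted:", verify(["img03", "img17", "img22", "img08"], salt, digest))
    print("same pictures, wrong order:", verify(["img17", "img03", "img22", "img08"], salt, digest))
```

The numbers show the caveat behind "just as secure as traditional passwords": a four-picture story from a 36-picture gallery beats a four-digit PIN comfortably, but not an eight-character password, so gallery size and story length are the parameters to set in policy.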

Golden Rule Number Six:
Become a realist, but still endeavour to educate your users! Accept the fact that users won't take a blind bit of notice of security; however, don't give up. Send them a mobile security use policy, and make them sign and return it by getting HR to work this policy into their appraisals. Try to make them streetwise, but accept that they will still leave their mobile devices in the car or in airports, and have them pick-pocketed in crowded places.

Nothing can be guaranteed, but by following these rules you can show that you have taken adequate steps to protect your organisation's information, and hopefully rest at night safe in the knowledge that when thousands of mobile devices get lost or stolen this year, yours won't be the one hitting the papers with embarrassing and expensive consequences.