Bring your mobile security up to scratch
Published: 02 Mar 2007 12:26 GMT
... be configured to ensure that applications are kept current, that security updates are applied automatically and that the correct connectivity settings are in place. They can also be used to remotely disable and wipe data from stolen or lost laptops when the next attempt is made to connect to the network.
Another useful tool is network access control (NAC) software, sold by vendors such as Cisco and Juniper Networks. This denies laptops access to the corporate network if they do not comply with internally set security policies, and quarantines them until they can be either cleaned up or their software updated.
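To make the NAC behaviour described above concrete, here is an added example (not code from the article, and not from any Cisco or Juniper product) of the posture decision such a system makes when a laptop tries to connect: a compliant device is admitted, a non-compliant one is quarantined with the reasons recorded, and a device reported lost or stolen is refused and flagged for the remote wipe mentioned earlier. The report fields, policy thresholds and sample devices are assumptions constructed for this example.

```python
"""
Added example (not from the article): a minimal network access control (NAC)
posture check. Each laptop reports its state when it tries to connect; the
policy decides whether to admit it, quarantine it until it is remediated, or,
for a device reported lost or stolen, refuse access and flag it for a remote
wipe. Field names and thresholds are assumptions for this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import List


@dataclass
class DeviceReport:
    device_id: str
    os_patch_level: date      # date of the last security update applied
    av_signatures: date       # date of the installed anti-virus signatures
    disk_encrypted: bool
    firewall_on: bool
    reported_lost: bool = False


@dataclass
class Policy:
    max_patch_age_days: int = 30
    max_av_age_days: int = 7
    require_encryption: bool = True
    require_firewall: bool = True


@dataclass
class Decision:
    action: str                      # "allow", "quarantine" or "deny_and_wipe"
    reasons: List[str] = field(default_factory=list)


def evaluate(report: DeviceReport, policy: Policy, today: date) -> Decision:
    # A device its owner has reported lost gets no access at all; the
    # management agent is told to wipe it on this connection attempt.
    if report.reported_lost:
        return Decision("deny_and_wipe", ["device reported lost or stolen"])

    reasons = []
    if (today - report.os_patch_level).days > policy.max_patch_age_days:
        reasons.append(f"security updates older than {policy.max_patch_age_days} days")
    if (today - report.av_signatures).days > policy.max_av_age_days:
        reasons.append(f"anti-virus signatures older than {policy.max_av_age_days} days")
    if policy.require_encryption and not report.disk_encrypted:
        reasons.append("disk encryption not enabled")
    if policy.require_firewall and not report.firewall_on:
        reasons.append("host firewall disabled")

    # Non-compliant laptops go to a remediation-only quarantine network
    # rather than being silently admitted to the corporate LAN.
    return Decision("quarantine" if reasons else "allow", reasons)


# Constructed sample reports for three laptops (not real devices).
TODAY = date(2007, 3, 2)
SAMPLE_REPORTS = [
    DeviceReport("lt-001", date(2007, 2, 20), date(2007, 3, 1), True, True),
    DeviceReport("lt-002", date(2006, 12, 1), date(2007, 2, 10), True, False),
    DeviceReport("lt-003", date(2007, 2, 25), date(2007, 3, 1), True, True,
                 reported_lost=True),
]


def evaluate_all(reports, policy=Policy(), today=TODAY):
    """Return {device_id: Decision} for every report under the policy."""
    return {r.device_id: evaluate(r, policy, today) for r in reports}


if __name__ == "__main__":
    for dev, decision in evaluate_all(SAMPLE_REPORTS).items():
        print(dev, decision.action, "; ".join(decision.reasons))
```

Recording every failed check, rather than stopping at the first, is what lets the quarantine network tell the user exactly what to fix before re-admission.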
As Kilpatrick points out, simply deploying clever technology is not enough, however. "Technology is what you deploy at the back end when you've determined what the problem is and what level of risk the business can take," he says.
This means that to make information security as effective as possible in this area, it is crucial for organisations to formally assess how and why they want to exploit mobile technology and to undertake a risk assessment on that basis. The risk assessment and any subsequent gap analysis should then form the basis of a mobile security policy and a statement for staff relating to acceptable usage.
Perry explains: "You have to understand where you are vulnerable and the risk you can tolerate. Everything else flows from that — the user training, the policies you introduce and the technology you deploy should all be driven by this top-down view. It's the anchor point for everything."
In terms of user training, which Perry sees as crucial, it can be useful to conduct a walkthrough of potential risk scenarios and how to deal with them in order to raise awareness. It may also be worth encouraging staff to work on the assumption that "stuff is always going to get lost" and to remind them that their laptop is the property of the company, not their own.
The aim of this is to help them appreciate the need for security mechanisms in the first place, which may otherwise be disabled or bypassed if they are felt to be too inconvenient.
And this is an important point. If mobile devices are locked down too tightly, the very ease-of-use and convenience that have made them so widespread may be compromised. So it is crucial to get the balance right.
Another thing to bear in mind, says Kilpatrick, is that it is always cheaper and more effective to embed security into organisational behaviour from the outset rather than try to retrofit it later.
"If security isn't dealt with as part of a business case, it tends to be viewed as an expensive add-on and a bit of a pain in the backside. But if the business acknowledges from the start that security is necessary, even though it will add maybe £250 to the price of any new machine, it will be prepared to factor that in," he says.
This means that it is crucial for the business to understand the security risks it faces and to be prepared to take responsibility for them. As Kilpatrick points out, if the last employee to go home for the day left all of the doors and windows of the office open and told the security guard to go home, they would be held accountable for any incidents and would probably be sacked for misconduct.
"But it's considered acceptable to let staff wander round airports with no security on their laptops, potentially broadcasting their log-in details all over the place, and then to have that individual feel no responsibility. What it's about is having the board understand the risks and understand that it has responsibility for them, not the IT department," he concludes.