Keep mobile data from going walkabout
Published: 13 Mar 2008 16:52 GMT
...which provides a secure "tunnel" for internet traffic. However, you should consider additional methods of authentication, such as strong passwords or keycards, if information is particularly sensitive, Howard recommended.
The third layer of mobile security is the mobile device itself. This is where the biggest security risks are, said Monica Basso, a vice president with Gartner Research. Think about what happens if an employee leaves their laptop in a cab or if a smartphone is stolen. Would the thief be able to access the information contained on the device? Are devices vulnerable to web-based attacks from malware or viruses?
"On the device side, the priority is to authenticate the user, protect locally stored data and secure the network connection," said Basso. "At the least, you should have passwords. You may also want to think about controlling features such as cameras or Bluetooth, and limiting application installation and data transfer."
"Encryption of data on mobile devices is the absolute bare minimum and I think you'd be considered negligent if you failed to use it," added Ovum's Titterington. "However, it's important to remember that encryption is only as good as the key management that goes along with it. If the key is stored on the same machine, then you really might as well not bother."
In addition to encryption, Titterington recommended setting policies to ensure that all mobile devices are password-protected and run up-to-date antivirus software. It is also important to be sure that mobile devices running software are included in your company's regular patch-management programme, so that security holes aren't left unpatched on laptops or mobile computers.
There are a range of remote "wipe" products that can also be used to wipe a mobile device's hard drive if it's lost, often within minutes. This renders the information completely inaccessible to anyone who has stolen a device.
Encryption of data on mobile devices is the absolute bare minimum and I think you'd be considered negligent if you failed to use it
Graham Titterington, Ovum
Gartner has also recommended that SMEs use full encryption of application data, file systems for internal memory and external cards, device lockdown, remote wiping and port control.
"You should also have a single manager with responsibility for device management and policies, who is responsible for things like remote software downloads, upgrades and policy enforcement," said Basso. "This means mobile devices will all be secure and compliant with security policies."
Having a single manager also makes it easier to ensure that your overall security policy provides complete coverage of the three distinct elements of mobile working: the device, the network and the transmission of data.
"That's important because the market for mobile security is very fragmented," said Basso. "There are more than 100 different products that all address different aspects of mobile security, from device encryption to mobile VPNs and user authentication."
Most companies will probably need to invest in a number of different products on either the server or client side to provide full security, Basso said.
Finally, bear in mind that technology can only get you so far when it comes to mobile security and even the best IT systems are usually no match for a determined user. "You can usually guarantee that a user will find a way to get around almost any policy you care to set," said Titterington, "particularly because you can't totally lock down any device. You're constantly looking to balance security with usability."
For this reason, it's vital for companies to invest in training and education for workers, alongside the technology used to secure mobile workers. "Telling someone they can't access online games is one thing, but explaining to someone the risks of malware from unknown websites and the responsibility they have for protecting their employer from these risks is [much] better," said Kellett.
Ultimately, however, it's a mistake to assume that mobile computing will ever be 100 percent secure, said Titterington. "I'm not sure many firms could protect mobile devices from a really determined attacker. The reality is that you're protecting yourself against the 80 percent of thefts that are opportunistic and that's about the best you can do. Things like encryption, passwords and PINs are big hurdles for those kinds of people, and definitely worth using."
Previous
- The top five internal security threats
- Keeping mobile data from going walkabout
- Lib Dems call for data guardians
- Worker suspended over loss of prisoner data
- Ministry of Justice reports nine data breaches
- Foreign Office reports five data breaches since 2007
- ICO: Gov't ignoring data-sharing hazards
- Lords presses government for data-breach law
- Video: Get the most out of your data
- Justice minister urges overhaul of gov't data handling
- MoD announces data-protection action plan
- Systemic failure blamed for HMRC data loss
Did you find this article useful?
5 out of 5 people found this useful
Digg
Slashdot
Del.ici.ous
Stumble
Reddit
