Securing Mobile Workers and their Gadgets

When it comes to securing mobile workers, human errors may be the biggest threat to the corporate network. How do you keep lost laptops and loud cell phone conversations from putting your data at risk?
The CEO of a fairly large Midwest manufacturing company is waiting in an airport for his flight to start boarding. Anxious about his company purchasing a major competitor in two weeks, he paces back and forth, talking to his financial team on his cell phone. The more worked up he gets, the louder his voice gets. Several people waiting at the same gate are intrigued and listening intently.

And 35,000 feet in the air, the company's head saleswoman is on a flight headed to New York where she'll start making some key pitches. Wanting to go over her information one more time, she fires up her laptop and brings up her PowerPoint presentation. The people sitting across the aisle and one row behind her have a perfect view of everything on her computer screen.

The executives in this scenario may have all the best security bells and whistles on their laptops, cell phones and PDAs, but they're not doing them much good right now. Simple human errors are poking giant holes in the company's otherwise well-thought-out security system, and critical corporate information is streaming out. Now the acquisition, which is no longer a secret, could be in jeopardy.

And how is the chief security officer or an IT manager supposed to plug up a security hole like that?

''Human behaviors are a huge impact on security,'' says Richard LeVine, senior manager of Accenture, a Chicago-based global management consulting and outsourcing company. ''The people who are mobile are the people who shouldn't be mobile. Does anyone tell the CEO he can't take the laptop with him because it has the firm's information on it? This is the person with the critical information and he's the one on the road.''

So what is IT to do? How does a security manager or an IT administrator keep mobile workers, and their information, secure? How do they deal with laptops and PDAs -- full of financial, marketing or personnel information -- being left behind in taxi cabs or hotel rooms?

It's a huge problem, says LeVine. And it's one that's not so easily solved.

Consider, he says, the number of cell phones that were reported left in London cabs back in 2004 -- 63,135. There also were 5,838 PDAs left behind, and 4,972 laptops were forgotten. And figuring in how many more cell phones, PDAs and laptops are being carried around now than two years ago, the number of machines being left in taxis, hotel rooms, restaurants and conference centers must be even greater today.

And according to Gartner, Inc., a major industry analyst firm, 70 percent of mobile workstations and devices taken outside traditional business offices in 2006 will not be backed up sufficiently.

''People are the biggest deficiency in any security program bar none,'' says Paul Stamp, an analyst at Cambridge-based Forrester Research, an industry analyst and research firm. ''Most people just don't know how sensitive the information they have really is. And if you don't know how sensitive it is, how do you know how to deal with it properly?

''If you talk about private things routinely. If you deal with private data in public places routinely, sooner or later it's going to get seen by the wrong person,'' adds Stamp. ''It can be horrendously dangerous. The risk might seem small but the type of circles that business people travel in means that the likelihood of the wrong person seeing that information or hearing that information is much greater than you'd think. Just because we're in an airport doesn't mean we're shrouded in a cloak of anonymity.''

Forget critical financial information for a second. Stamp notes that something as innocuous as a company phone directory can be sensitive data -- and it can cause a lot of problems if it ends up in the wrong hands. To a recruiter or to someone looking to wage a social engineering attack on the company, a list of names, email addresses and phone numbers can be a hot commodity. And do mobile workers think twice about protecting that list? And how many of them carry that list around on their laptops or PDAs?

''The list of human errors goes on and on,'' says Eric Maiwald, a senior analyst at the Burton Group, a research and advisory firm based in Midvale, Utah. ''Sensitive information that someone has left someplace is just as significant a problem as someone breaking into your system to get that information.''

The Mobile Worker Evolution

LeVine says workers are changing the way they work -- they're changing the devices they use and they're increasingly moving out of the office and doing their work on trains, planes and partner sites. That means it's going to take a new way of thinking, and some specific technology, to keep their information secured.

''We should recognize that we're seeing a generational evolution in work style,'' LeVine said in a one-on-one interview with Datamation. ''Instead of trying to stop it, we need to look for ways to work with them more securely. Ultimately, IT is a service function for the staff. They're giving IT direction in the way they want to work. They're actually out there trying to do more work for the firm.''

IT shouldn't try to fight the mobile worker or the growing shift to mobile working. And they shouldn't close their eyes to it, either, says LeVine. Recognize that workers are on the road and they're taking not only company data, but Blackberries, smart phones and laptops with them. Then figure out how to best deal with it.

''Mobility is something your workers do to you,'' says LeVine. ''They will be mobile whether you want them to or not... Why fight it?''

First off, someone -- probably the CIO -- needs to talk with the top business executives, including the CEO. Talk to them about the security risks involved with taking their laptops and PDAs on the road with them. Talk about what would happen if that information were lost -- if customer lists were made public, if acquisition plans were prematurely released, if financial information were leaked.

Maybe the CEO could travel with a secondary laptop -- one that just goes on the road with her and doesn't contain all the sensitive data that her main computer holds.

Training and awareness also are key.

LeVine says that users have to be made to understand how sensitive the data they're carrying around is. Tell them exactly what would happen to the company if it had to make public that it had lost sensitive information. What would happen to the company's stock price? Could there be layoffs? ''Tell them that when someone leaves a PDA in a cab, the company might go out of business,'' says LeVine. ''Look, Dude, we might go out of business because the company has to admit that it lost customer data or corporate lists.''

Once they understand how important it is to safeguard company data, then teach them how to do it. And don't just give them security training when they're hired. Make it periodic. Make it frequent.

Use encryption on smart phones for data in transit.

Set up policies and make sure employees know them and understand them. What usage is appropriate for all of these different devices? What devices are employees allowed to use for business? Can workers use their own devices or only devices supplied by the company?

And set up policies specific to mobile workers, LeVine recommends.

Talk to road warriors about keeping public cell phone conversations quiet and private. If they're on a plane, make it clear that they can't call up sensitive information on their computer screen if someone is in a position to see it. Give them a strict -- and frequent -- backup policy.

LeVine also recommends that workers' devices be registered and tracked. ''You need to manage these devices,'' says LeVine. ''If you allow ad hoc employee device usage, it will put you in legal hot water.''

Also make sure that employees are using device passwords and PIN numbers to prevent data leakage and network access by intruders. And ensure that there are personal firewalls on laptops and handheld devices. Use encryption.

Another thing that LeVine recommends is making sure IT has the ability to remotely access devices and make sure they are conforming to company policy. If policy states that the cameras be turned off on cell phones, make sure they are. If Bluetooth wireless access violates policy, make sure it's shut down.

''I know it sounds really cliche, but it's all about awareness, awareness, awareness,'' says Stamp. ''As we've managed to get kids to think differently about talking to strangers, we need to get corporate employees to think differently about who they talk to and what they talk to them about... and who they talk in front of. Situational awareness has to be a part of any training... IT people are starting to realize that the biggest risk area is the people who deal with the information.''
