Thursday, March 28, 2024

Securing Mobile Workers and their Gadgets

Datamation content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More.

The CEO of a fairly large mid-West manufacturing company is waiting in an

airport for his flight to start boarding. Anxious about his company

purchasing a major competitor in two weeks, he paces back and forth,

talking to his financial team on his cell phone. The more worked up he

gets, the louder his voice gets. Several people waiting at the same gate,

are intrigued and listening intently.

And 35,000 feet in the air, the company’s head sales woman is on a flight

headed to New York where she’ll start making some key pitches. Wanting to

go over her information one more time, she fires up her laptop and brings

up her PowerPoint presentation. The people sitting across the aisle and

one row in back of her have a perfect view of everything on her computer

screen.

The executives in this scenario may have all the best security bells and whistles on

their laptops, cell phones and PDAs, but they’re not doing them much good

right now. Simple human errors are poking giant holes in the company’s

otherwise well-thought-out security system, and critical corporate

information is streaming out. Now the acquisition, which is no longer a

secret, could be in jeopardy.

And how is the chief security officer or an IT manager supposed to plug

up a security hole like that?

”Human behaviors are a huge impact on security,” says Richard LeVine,

senior manager of Accenture, a Chicago-based global management consulting

and outsourcing company. ”The people who are mobile are the people who

shouldn’t be mobile. Does anyone tell the CEO he can’t take the laptop

with him because it has the firm’s information on it? This is the person

with the critical information and he’s the one on the road.”

So what is IT to do? How does a security manager or an IT administrator

keep mobile workers, and their information, secure? How do they deal with

laptops and PDAs — full of financial, marketing or personnel information

— being left behind in taxi cabs or hotel rooms?

It’s a huge problem, says LeVine. And it’s one that’s not so easily

solved.

Consider, he says, the number of cell phones that were reported left in

London cabs back in 2004 — 63,135. There also were 5,838 PDAs left

behind, and 4,972 laptops were forgotten. And figuring in how many more

cell phones, PDAs and laptops are being carried around now than two years

ago, the number of machines being left in taxis, hotel rooms, restaurants

and conference centers must be even greater today.

And according to Gartner, Inc., a major industry analyst firm, 70 percent

of mobile workstations and devices taken outside traditional business

offices in 2006 will not be backed up sufficiently.

”People are the biggest deficiency in any security program bar none,”

says Paul Stamp, an analyst at Cambridge-based Forrester Research, an

industry analyst and research firm. ”Most people just don’t know how

sensitive the information they have really is. And if you don’t know how

sensitive it is, how do you know how to deal with it properly?

”If you talk about private things routinely. If you deal with private

data in public places routinely, sooner or later it’s going to get seen

by the wrong person,” adds Stamp. ”It can be horrendously dangerous.

The risk might seem small but the type of circles that business people

travel in means that the likelihood of the wrong person seeing that

information or hearing that information is much greater than you’d think.

Just because we’re in an airport doesn’t mean we’re shrouded in a cloak

of anonymity.”

Forget critical financial information for a second. Stamp notes that

something as innocuous as a company phone directory can be sensitive data

— and it can cause a lot of problems if it ends up in the wrong hands.

To a recruiter or to someone looking to wage a social engineering attack

on the company, a list of names, email addresses and phone numbers can be

a hot commodity. And do mobile workers think twice about protecting that

list? And how many of them carry that list around on their laptops or

PDAs?

”The list of human errors goes on and on,” says Eric Maiwald, a senior

analyst at the Burton Group, a research and advisory firm based in

Midvale, Utah. ”Sensitive information that someone has left someplace is

just as significant a problem as someone breaking into your system to get

that information.”

The Mobile Worker Evolution

LeVine says workers are changing the way they work — they’re changing

the devices they use and they’re increasingly moving out of the office

and doing their work on trains, planes and partner sites. That means it’s

going to take a new way of thinking, and some specific technology, to

keep their information secured.

”We should recognize that we’re seeing a generational evolution in work

style,” LeVine said in a one-on-one interview with Datamation.

”Instead of trying to stop it, we need to look for ways to work with

them more securely. Ultimately, IT is a service function for the staff.

They’re giving IT direction in the way they want to work. They’re

actually out there trying to do more work for the firm.”

IT shouldn’t try to fight the mobile worker or the growing shift to

mobile working. And they shouldn’t close their eyes to it, either, says

LeVine. Recognize that workers are on the road and they’re taking not

only company data, but Blackberries, smart phones and laptops with them.

Then figure out how to best deal with it.

”Mobility is something your workers do to you,” says LeVine. ”They

will be mobile whether you want them to or not… Why fight it?”

First off, someone — probably the CIO — needs to talk with the top

business executives, including the CEO. Talk to them about the security

risks involved with taking their laptop and PDAs on the road with them.

Talk about what would happen if that information is lost — if customer

lists were made public, if acquisition plans were prematurely released,

if financial information was leaked out.

Maybe the CEO could travel with a secondary laptop — one that just goes

on the road with her and doesn’t contain all the sensitive data that her

main computer holds.

Training and awareness also are key.

LeVine says that users have to be made to understand how sensitive the

data is that they’re carrying around. Tell them exactly what would happen

to the company if they had to make it public that they had sensitive

information. What would happen to the company’s stock price? Could there

be layoffs? ”Tell them that when someone leaves a PDA in a cab, the

company might go out of business,” says LeVine. ”Look, Dude, we might

go out of business because the company has to admit that it lost customer

data or corporate lists.”

Once they understand how important it is to safeguard company data, then

teach them how to do it. And don’t just give them security training when

they’re hired. Make it periodical. Make it frequent.

Use encryption on smart phones for data in transit.

Set up policies and make sure employees know them and understand them.

What usage is appropriate for all of these different devices? What

devices are employees allowed to use for business? Can workers use their

own devices or only devices supplied by the company?

And set up policies specific to mobile workers, LeVine recommends.

Talk to road warriors about keeping public cell phone conversations quiet

and private. If they’re on a plane, make it clear that they can’t call up

sensitive information on their computer screen if someone is in a

position to see it. Give them a strict — and frequent — backup policy.

LeVine also recommends that workers’ devices be registered and tracked.

”You need to manage these devices,” says LeVine. ”If you allow ad hoc

employee device usage, it will put you in legal hot water.”

Also make sure that employees are using device passwords and PIN numbers

to prevent data leakage and network access by intruders. And ensure that

there are personal firewalls on laptops and handheld devices. Use

encryption.

Another thing that LeVine recommends is making sure IT has the ability to

remotely access devices and make sure they are conforming to company

policy. If policy states that the cameras be turned off on cell phones,

make sure they are. If Bluetooth wireless access violates policy, make

sure it’s shut down.

”I know it sounds really cliche, but it’s all about awareness, awareness

awareness,” says Stamp. ”As we’ve managed to get kids to think

differently about talking to strangers, we need to get corporate

employees to think differently about who they talk to and what they talk

to them about… and who they talk in front of. Situational awareness has

to be a part of any training… IT people are starting to realize that

the biggest risk area is the people who deal with the information.”

Subscribe to Data Insider

Learn the latest news and best practices about data science, big data analytics, artificial intelligence, data security, and more.

Similar articles

Get the Free Newsletter!

Subscribe to Data Insider for top news, trends & analysis

Latest Articles