As IT administrators and CIOs arm their mobile workers with laptops and
send them out into the concrete jungle to connect with customers,
consultants and the home base via wireless networks, very few of them are
doing it securely.
While IT shops are increasingly telling end users to take advantage of
the convenience of wireless connections, securing those connections —
and securing the mobile worker in general — is an afterthought. And this
is leaving a gaping hole in a lot of corporate networks.
”Most mobile workers are unprotected, and it’s as scary as the value of
the data on that machine,” says Ken van Wyk, principal consultant for
KRvW Associates, LLC and a columnist for eSecurityPlanet. ”You lose a
laptop and it’s worth maybe $1,500 or $2,000. So what? In the grand
scheme of things, it’s not a big deal. If you’re processing information
on your laptop that is worth a lot more than the laptop itself, then its
foolhardy to not protect that data.”
And many end users are not protecting their data, says van wyk. Most
likely following the lead of their IT administrators, they probably have
anti-virus software on their laptops, but is it updated? Are they
patched? Are they running a firewall? Encryption?
The answer is most likely not. And that’s a dangerous game to be playing,
say industry analysts.
Having an undersecured mobile workforce is especially dangerous when that
workforce is growing by leaps and bounds.
According to a survey from Senforce Technologies Inc., an endpoint
security company based in Draper, Utah, 87 percent of critical business
data is found on endpoint machines. And 56 percent say their current
wireless network security strategy is inadequate.
”The worry goes back to the phenomenon that the endpoint user is not
just working on the corporate network,” says Kip Meacham, director of
product management at Senforce. ”They’re going to be moving through a
variety of networks while they do their jobs — the corporate
infrastructure, hotels, airports, coffee shops, their homes. Looking at
the world as being either trusted or untrusted is an oversimplification
of how the world is working.”
Tim Cranny, a senior security architect at Senforce, says IT shops just
aren’t putting enough effort and muscle into securing their mobile
workers.
”Companies aren’t taking enough steps to secure them, to secure
wireless,” says Cranny, noting that the problem stems from a lack of
money, a lack of time and a lack of knowledge. ”What we’re talking about
here is a need for a cultural change to realize that the ground is
shifting beneath their feet. There are fundamental new challenges.”
The Senforce survey shows some of these shifts:
in and out of the network perimeter, and
while off the managed network.
”Well, we know that security is difficult at best in today’s complicated
world,” says Ken Dunham, a senior engineer for VeriSign iDefense
Intelligence based in Mountain View, Calif. ”It’s hard enough on a
corporate network keeping machines fully patched and updated. It’s
exacerbated when you have a mobile user. One of the weakest points of
network security today is the mobile user. When people have laptops for
use in the home office, as well as the corporate office, they tend to be
less compliant and less up-to-date as the office computer.
”What it means is this is a whole different medium to manage,” he adds.
”If you’re going to have mobile users, you have to manage them.
Companies struggle to identify what the risks are for mobile users. They
don’t have good models in place because they’re not used to dealing with
it. But today a lot of people are using laptops so we’re going to see
better security than we have in the past. It does mean there are unique
challenges to making sure laptops are secured and locked down.”
van Wyk says the first line of defense for mobile users has to be
up-to-date anti-virus software and a personal firewall on every laptop.
And he adds that users need to use the firewalls to close down all
incoming services except the ones absolutely needed. Add to that
encryption software.
”Another very real concern is physical theft of the laptop,” says van
Wyk. ”All the other software just goes to crap if the laptop gets
stolen. That’s when you need to have some sort of encryption. That way if
somebody were to steal your machine, they’d get the laptop but not your
data.”
The problem, says van Wyk, is that very few mobile workers are using
encryption, and many aren’t even using firewalls.
”From my over-the-shoulder glances on airplanes, I’d say hardly
anyone,” says van Wyk. ”I think the number is nearly inconsequential
when you’re talking about encryption. I almost never see somebody doing
that… I think companies are just handing out a laptop and maybe they
give them anti-virus. But it’s pretty darn rare for companies to hand out
more protection than that.”