The CEO of a fairly large mid-West manufacturing company is waiting in an
airport for his flight to start boarding. Anxious about his company
purchasing a major competitor in two weeks, he paces back and forth,
talking to his financial team on his cell phone. The more worked up he
gets, the louder his voice gets. Several people waiting at the same gate
are intrigued and listening intently.
And 35,000 feet in the air, the company’s head sales woman is on a flight
headed to New York where she’ll start making some key pitches. Wanting to
go over her information one more time, she fires up her laptop and brings
up her PowerPoint presentation. The people sitting across the aisle and
one row in back of her have a perfect view of everything on her computer
screen.
The executives in this scenario may have all the best security bells and whistles on
their laptops, cell phones and PDAs, but they’re not doing them much good
right now. Simple human errors are poking giant holes in the company’s
otherwise well-thought-out security system, and critical corporate
information is streaming out. Now the acquisition, which is no longer a
secret, could be in jeopardy.
And how is the chief security officer or an IT manager supposed to plug
up a security hole like that?
“Human behaviors are a huge impact on security,” says Richard LeVine,
senior manager of Accenture, a Chicago-based global management consulting
and outsourcing company. “The people who are mobile are the people who
shouldn’t be mobile. Does anyone tell the CEO he can’t take the laptop
with him because it has the firm’s information on it? This is the person
with the critical information and he’s the one on the road.”
So what is IT to do? How does a security manager or an IT administrator
keep mobile workers, and their information, secure? How do they deal with
laptops and PDAs — full of financial, marketing or personnel information
— being left behind in taxi cabs or hotel rooms?
It’s a huge problem, says LeVine. And it’s one that’s not so easily
solved.
Consider, he says, the number of cell phones that were reported left in
London cabs back in 2004 — 63,135. There also were 5,838 PDAs left
behind, and 4,972 laptops were forgotten. And figuring in how many more
cell phones, PDAs and laptops are being carried around now than two years
ago, the number of machines being left in taxis, hotel rooms, restaurants
and conference centers must be even greater today.
And according to Gartner, Inc., a major industry analyst firm, 70 percent
of mobile workstations and devices taken outside traditional business
offices in 2006 will not be backed up sufficiently.
“People are the biggest deficiency in any security program bar none,”
says Paul Stamp, an analyst at Cambridge-based Forrester Research, an
industry analyst and research firm. “Most people just don’t know how
sensitive the information they have really is. And if you don’t know how
sensitive it is, how do you know how to deal with it properly?
“If you talk about private things routinely. If you deal with private
data in public places routinely, sooner or later it’s going to get seen
by the wrong person,” adds Stamp. “It can be horrendously dangerous.
The risk might seem small but the type of circles that business people
travel in means that the likelihood of the wrong person seeing that
information or hearing that information is much greater than you’d think.
Just because we’re in an airport doesn’t mean we’re shrouded in a cloak
of anonymity.”
Forget critical financial information for a second. Stamp notes that
something as innocuous as a company phone directory can be sensitive data
— and it can cause a lot of problems if it ends up in the wrong hands.
To a recruiter or to someone looking to wage a social engineering attack
on the company, a list of names, email addresses and phone numbers can be
a hot commodity. And do mobile workers think twice about protecting that
list? And how many of them carry that list around on their laptops or
PDAs?
“The list of human errors goes on and on,” says Eric Maiwald, a senior
analyst at the Burton Group, a research and advisory firm based in
Midvale, Utah. “Sensitive information that someone has left someplace is
just as significant a problem as someone breaking into your system to get
that information.”
The Mobile Worker Evolution
LeVine says workers are changing the way they work — they’re changing
the devices they use and they’re increasingly moving out of the office
and doing their work on trains, planes and partner sites. That means it’s
going to take a new way of thinking, and some specific technology, to
keep their information secured.
“We should recognize that we’re seeing a generational evolution in work
style,” LeVine said in a one-on-one interview with Datamation.
“Instead of trying to stop it, we need to look for ways to work with
them more securely. Ultimately, IT is a service function for the staff.
They’re giving IT direction in the way they want to work. They’re
actually out there trying to do more work for the firm.”
IT shouldn’t try to fight the mobile worker or the growing shift to
mobile working. And they shouldn’t close their eyes to it, either, says
LeVine. Recognize that workers are on the road and they’re taking not
only company data, but Blackberries, smart phones and laptops with them.
Then figure out how to best deal with it.
“Mobility is something your workers do to you,” says LeVine. “They
will be mobile whether you want them to or not… Why fight it?”
First off, someone — probably the CIO — needs to talk with the top
business executives, including the CEO. Talk to them about the security
risks involved with taking their laptop and PDAs on the road with them.
Talk about what would happen if that information is lost — if customer
lists were made public, if acquisition plans were prematurely released,
if financial information was leaked out.
Maybe the CEO could travel with a secondary laptop — one that just goes
on the road with her and doesn’t contain all the sensitive data that her
main computer holds.
Training and awareness also are key.
LeVine says that users have to be made to understand how sensitive the
data is that they’re carrying around. Tell them exactly what would happen
to the company if they had to make it public that they had sensitive
information. What would happen to the company’s stock price? Could there
be layoffs? “Tell them that when someone leaves a PDA in a cab, the
company might go out of business,” says LeVine. “Look, Dude, we might
go out of business because the company has to admit that it lost customer
data or corporate lists.”
Once they understand how important it is to safeguard company data, then
teach them how to do it. And don’t just give them security training when
they’re hired. Make it periodic. Make it frequent.
Use encryption on smart phones for data in transit.
Set up policies and make sure employees know them and understand them.
What usage is appropriate for all of these different devices? What
devices are employees allowed to use for business? Can workers use their
own devices or only devices supplied by the company?
And set up policies specific to mobile workers, LeVine recommends.
Talk to road warriors about keeping public cell phone conversations quiet
and private. If they’re on a plane, make it clear that they can’t call up
sensitive information on their computer screen if someone is in a
position to see it. Give them a strict — and frequent — backup policy.
LeVine also recommends that workers’ devices be registered and tracked.
“You need to manage these devices,” says LeVine. “If you allow ad hoc
employee device usage, it will put you in legal hot water.”
Also make sure that employees are using device passwords and PINs
to prevent data leakage and network access by intruders. And ensure that
there are personal firewalls on laptops and handheld devices. Use
encryption.
Another thing that LeVine recommends is making sure IT has the ability to
remotely access devices and make sure they are conforming to company
policy. If policy states that the cameras be turned off on cell phones,
make sure they are. If Bluetooth wireless access violates policy, make
sure it’s shut down.
“I know it sounds really cliché, but it’s all about awareness, awareness,
awareness,” says Stamp. “As we’ve managed to get kids to think
differently about talking to strangers, we need to get corporate
employees to think differently about who they talk to and what they talk
to them about… and who they talk in front of. Situational awareness has
to be a part of any training… IT people are starting to realize that
the biggest risk area is the people who deal with the information.”