Protecting the Mobile Workforce

Where did I leave my #&%! Palm Pilot?

A salesperson for an international conglomerate with more than 50,000 employees probably uttered a similar phrase while rifling through pockets and suitcases looking for his PDA while traveling on business.

After a lengthy search, he believed the mobile device was simply lost. But later he would learn that it was actually stolen. The salesperson had been targeted by a competitor. The thief wanted access to his contact list of fellow sales reps at the company. Weeks later, 80 percent of the sales force also disappeared, lured away by more lucrative pay packages.

True story. Think it can’t happen to you?

Today’s highly mobile workforce, coupled with an explosion of new mobile gadgets that give users access to the Internet from anywhere, has created nightmares for security managers, who are losing control of what devices employees use at work.

As mobile devices are becoming physically smaller and logically larger, employees can easily take large amounts of valuable corporate information with them anywhere. Today’s multiuse cell phones, for instance, can hold up to 2GB of data on a removable miniSD (secure digital) card. BlackBerrys, iPhones and laptops are equally mobile, loaded with company data and susceptible to loss or theft.

“The edge of the corporate network is that [mobile] device, and the security controls in the device are a disaster,” says Matthew E. Luallen, president of Sph3r3, a security consulting firm in Chicago. “Security, by far, is not keeping up.”

Among the culprits: Default settings on mobile devices are too easy to use and infiltrate; most mobile file systems aren’t siloed, so when one area is affected, the whole device goes down. Patches are hard to administer and enforce on myriad devices.

There are two types of mobile threats that security professionals must considerprotecting data that’s on the device and preventing malicious Web access to corporate networks through the mobile device.

With smaller devices, “you don’t necessarily even have the processing power or the resources available to protect the data,” Luallen adds. Cell phones, for instance, lack the processing power to accommodate fast, effective encryption tools. Some cell phone encryption software can take up to 10 minutes to decrypt data. “That typically conflicts with what we’re trying to provide for a mobile workforce,” which is ease of use and performance, he says.

What’s more, wireless capabilities are being integrated into every piece of technology. The new SD card from Eye-Fi, for starters, embeds wireless capabilities in the memory card. It promises to effortlessly upload pictures from digital cameras to a PC.

Employees might think that the chances are slim that a lost laptop, cell phone or PDA will actually fall into enemy hands. But the doom factor increases exponentially if it happens at a business conference or trade show. “If you lose your hard drive or flash drive there, the chances of someone picking it up and knowing what to do with it are pretty good!” says Jack Gold, president and principal analyst at J. Gold Associates.

“Know that you are going to lose assets,” Luallen cautions. “So protect it so that somebody else can’t read it. Then make sure it’s backed up somewhere.” Security analysts offer their advice for protecting employees’ mobile devices from thieves, hackers and just plain stupidity.

1. IT should control the outbound

“You need to start treating these [mobile] devices just as you would your PCs,” says Stacy Sudan, research analyst for mobile enterprise software at IDC (a sister company to CSO’s publisher). “They are minicomputers, and you need to treat them that way. Security is clearly a part of that.” That means centralizing a mobile security strategy and tying it to the broader corporate security strategy.

Identify what information is being accessed, tag it as sensitive or unclassified and then control its dissemination.

At health benefits firm Cigna, in Philadelphia, several hundred systems contain sensitive health and financial data protected under HIPAA and other regulatory guidelines. CISO Craig Shumard uses role-based access software from Aveksa to determine which of the 27,000 employees are granted access to these systems.

“We really restrict access to our resources to Cigna machines,” including 9,000 laptops, Shumard says. “We don’t allow folks to attach using their home computers. We only allow BlackBerrys as the approved device for remote e-mail and phone. We don’t allow people to have their own phones and e-mail connections.” In B2B cases, the company requires VPNs or other types of security mechanisms, he adds.

2. Add another layer of security

Most companies should look for three capabilities in their mobile security software: authentication, wipe-and-lock features that can remotely render the device useless and encryption, Sudan says.

“If you have some kind of power-on password, the thief can’t even get into the thingthat’s a good first step,” says Sudan.

She also recommends adding the ability to swipe or lock the devices remotely, but Luallen cautions that unless the feature is activated quickly, a would-be intruder could simply pop out the battery and deny any access to the device.

Until cell phone and PDA encryption processing speeds improve, “you may not want to encrypt the full disk right now,” Sudan says. “But at least have the ability to encrypt files and folders—or at least your e-mail,” Sudan says.

At Cigna, all laptops have full-disk encryption and some have a second layer of encryption on specific files. “It protects the data from somebody who has to log on to fix the machine. But since they’re not logging on with the user’s credentials, they still don’t have access to the data,” Shumard says. Users haven’t complained about slow processing times so far.

Cigna also deploys technology that prevents users from downloading data to a travel drive and copying information to CDs. These and other security features are available today in most mobile device management products and mobile security products offered by a range of vendors.

Large systems management vendors include CA, IBM and Hewlett-Packard. Mobility vendors, such as BlackBerry, Motorola and Nokia offer both categories of products, as well as pure-play security management system vendors. Most products support the two most common mobile operating systems in the U.S.—Windows Mobile and BlackBerry.

There are differences between mobile security products and mobile device management software. MDM includes software distribution, asset management, remote control and some baseline security features”what you would find in a PC device management product,” Sudan says.

Mobile security products are specifically focused on security—with mobile VPNs, mobile antivirus, mobile firewall, as well as the device swipe-and-lock and encryption features also found in MDM software.

3. Prevent Web-based mobile attacks

In 2006, IDC saw an increase in the volume and sophistication of mobile malware, which has prompted analysts to recommend that companies begin evaluating MDM and mobile security products. According to an IDC report, “Several viruses have been specifically developed to exploit vulnerabilities in mobile phones and handheld devices.” The majority of these have been low-level threats, but they have laid the “proof of concept” groundwork for others to follow.

Some MDM solutions offer feature-block capabilities, which disable Bluetooth, SMS or multimedia messaging service (MMS) messaging, so viruses can’t get into the phone. It also allows administrators to disable USB connectivity, turn off cameras and disable ActiveSyncor any other ports that can sneak viruses inside.

4. Understand the default settings on mobile devices

Default settings on mobile devices may make them easy to set up, but they also create big security holes. For instance, cities like Chicago require motorists to use hands-free devices when driving while using a cell phone, so a growing number of drivers are buying Bluetooth headsets. To get up and running quickly, users often choose the manufacturer’s discovery mode by default and easy security PIN codes. The problem is that now there are attack tools that can take advantage of those default features. Hackers can potentially eavesdrop on phone conversations, Luallen says.

5. Educate employees and “put money where your mobile is”

Have a written policynot a 30-page document, but something more like a seven-point plan, Gold says. Employees should learn to treat all data as a corporate asset.At some companies, talk was indeed cheap, so they’ve added a monetary punch to their written mobile policy. Some large companies have included provisions within their employee agreement that tie a percentage of an employee’s bonus or raise to any security incidents that may have involved them, such as the loss of a laptop, PDA, cell phone or flash drive. “Slowly, people are realizing that this is the only way they’re going to be successful. “If there is no ‘me factor,’ then nobody’s going to do it,” Luallen says.IT and security managers may also want to define a policy for using an employee’s own mobile device at work. “Some companies have policies where you’re only going to be able to use the device that they provide” so they can control access and security features, Sudan says. Other companies let employees use their own mobile devices, “but you have to bring it in, let them know that you’re using it and certify it” with the security features including antivirus, firewalls, authentication and encryption.

6. Don’t forget mobile device etiquette

About 72 percent of Americans say that the worst cell phone habit is having loud conversations in public, according to a national poll by market research group Synovate in Chicago. Not only is it annoying, it’s potentially dangerous if the subject is business. You never know where the competition lurks—on a commuter train, on an airplane, at the next table at a restaurant, in the next bathroom stall. Likewise, employees need an occasional reminder that anyone sitting nearby in a coffee shop or on an airplane may have a view of sensitive data, trade secrets or other intellectual property on an injudiciously placed laptop screen.

7. Find a product that balances security with usability

Choose processes in which security is going on in the background and users don’t have to worry about it.

“If your employees have to enter a password every time they have to make a phone call, or if their device has to be unlocked after every 30 seconds, that’s going to drive them to not want to use the mobile device,” Sudan says. “You want your employees to get the productivity gains that you’ve invested in.”

Industry watchers say that a proactive stance will help companies rebound quickly when mobile devices are inevitably infected, breached, lost or stolen.”

Most companies are just beginning to realize that they need some kind of baseline mobile security,” Sudan says. “There’s no dominant model in place quite yet, but they are figuring out that they need to do something about it.” ##