The trouble with mobility

There are a lot of benefits from accessing information remotely. But, as mobile access to sensitive data gets more popular, security becomes a key consideration.

  • E-Mail
By  Caroline Denslow Published  October 16, 2005

|~|main_mobile_security.jpg|~|While mobility gives businesses increased operational efficiency, the same features that make mobile devices useful put companies’ valuable information at even greater risk.|~|By 2006, the number of mobile and remote users will increase from 110 million employees worldwide to 162 million, says IDC. Over the same time period, the number of Wi-Fi hotspots globally will reach 100,000, according to a report from research firm Informa Telecoms and Media. These reports, along with other studies conducted by different analysts and researchers, confirms the growing number of mobile workers today. The ability to stay connected to your office, even when you are not at your desk, has proved to be greatly appealing to companies that have longed for increased operational efficiency. Organisations that are heavily dependent on data find the benefits of mobility too good to pass up. Indeed, mobility has brought organisations a wide range of advantages. The main one is improved data collection and accuracy, as data is input directly into applications and can be validated in real time or near-real time. Being mobile improves performance, productivity and efficiency at reduced costs, as well as enhancing accountability for work processes, task assignments, resource utilisation, and the quality of services to customers. Unfortunately, the same features that make mobile handheld devices so useful to companies are also putting them at even greater risks. The devices’ portability, power, connectivity, and storage capacity add up to a ticking bomb that is silently counting down, waiting to explode and expose a hole in your corporate network. “The more mobile people get, and the more different ways they can [connect to their corporate networks], the riskier it is going to be,” says Juhani Kivelä, regional manager for regional sales at F-Secure, a security company. One of the more pressing issues concerning mobile security is the threat of viruses. While companies are hardly coping on with the attacks their networks now exposing mobile employees to sometimes unsecure public wireless access probably doubles or triples the risks they are facing today. The continuous advancement of mobile technology is contributing to the evolution of mobile viruses as well. Today, laptops are not the only devices prone to attack; an increasing number of other mobile devices, such as PDAs and smartphones, are also falling prey to such malicious attempts. “As mobile technology continues to become more mature,” Kivelä says, “it will become much easier for hackers and virus writers to launch attacks.” The proliferation of different wireless technologies and standards has increased the number of channels through which hackers can launch their attacks. Meanwhile, as handheld devices become more mature — more processing power, better memory, and larger hard disks, for instance — virus writers are given more opportunities to create more sophisticated malware. “At the moment, the maturity of smartphones makes them the riskiest devices [among handheld devices]. Right now, Symbian-based devices are the targets for more than 90% of mobile viruses we have seen so far,” Kivelä says. While Kivelä is quick to add that insecurities in handheld devices today do not pose any significant danger to corporate networks, a key concern is the fast rate at which these mobile viruses are appearing. “If that trend continues, we will soon have a real problem,” he notes. So far, with today’s mobile malware, hackers have just been testing their mettle against current mobile security, but the threat will increase as more virus authors get into the game. “If something is connected to Windows, we automatically relate to this long history in virus writing and then it becomes more and more risky,” elaborates Kivelä.||**||Physical threat|~|main_pointsec_beyer_sascha.jpg|~|“Practically everyday you find companies are leaking information, and this is not only their own information, but it’s their customers’ data,” says PointSec's Sascha Beyer.|~|There are a lot of things you can lose on the backseats of taxicabs: a harp, a baby, a dog, artificial limbs, dentures, and even laptops and handheld computing devices. In fact, a study conducted by mobile device security expert PointSec in April last year, showed that in a span of six months, 63,000 smartphones, 5838 PDAs and 4973 laptops had been left by passengers in cabs in London. Indeed, aside from viruses, mobile computing devices are also at great risk of being lost or stolen. Physical security issues, like software security, can impose incalculable losses if proper measures are not implemented. Losing the device itself is not too difficult to bear. True, it can be expensive but it is also replaceable. What is alarming, however, is if the contains confidential files that can jeopardise a company and its customers’ security. Take, for example, the case of an MI5 agent who lost a laptop notebook containing sensitive government information at Paddington train station in the UK in 2000. While it caused extreme embarrassment for the security agency and the government, it also exposed them to the danger of jeopardising national security. On the business front, corporate data is even more susceptible. A lot of companies have valuable data residing or accessible from handheld devices — devices that are vulnerable to being lost or stolen. “Practically everyday you find companies are leaking information, and this is not only their own information but it’s also their customers’ data” says Sascha Beyer, managing director, PointSec Middle East and India, who adds that it could even get worse. As the adoption of laptops grows, the chances of exposing sensitive data becomes even greater, Beyer says. “In one of our investigations, we found that more than 40% of a company’s information will be saved on mobile units. At the same time, 60% of the top managers we surveyed said that their businesses would be damaged or extremely damaged if their smartphones or PDAs were stolen.” “These days, it has become more and more expensive for companies to have a security breach because it gets public, and if it becomes public there are regulations that force them to make it public when there is an information leakage, and this becomes so expensive,” Beyer adds.||**||Mobile set-up|~|main_dohms_khoory_sina_abdu.jpg|~|“Our wireless network does not allow any external devices to connect and it has security measures to prevent people from getting unauthorised connections," says Sina AbdulAziz Khoory, IT director at DOHMS.|~|The threats in security, however, should not discourage companies from having a mobile office set-up in place. With proper security planning and deployment, businesses can enjoy the added efficiencies that mobility can deliver without having to worry about breaches in their networks. One local institution that is creating a balance between mobile efficiency and mobile security is the Dubai Department of Health and Medical Services (DOHMS). Five months ago, DOHMS introduced wireless patient bedside computing to the three hospitals it manages — Rashid, Dubai and Al Wasl hospitals. The move improved the responsiveness of medical staff, as they were no longer tied to a specific location to access patients’ information. The wireless patient bedside solution, which uses Cisco’s Medical Grade Network portfolio of technologies, connects about 14,500 in-patients at bedside through more than 160 Cisco Access Points installed throughout DOHMS’s facilities. With the wireless solution, doctors at the hospitals are able to access patients’ records using laptops while doing their rounds. But while it provides greater efficiency to the medical staff, Sina AbdulAziz Khoory, IT director at DOHMS, is painfully aware of the risks of making sensitive patient information and critical applications available in a mobile mode. To ensure that DOHMS’s IT resources are well protected, Khoory and his team decided to build a multi-layered security infrastructure designed to prevent any kinds of security threats, be it physical- or software-based. It was a daunting task, Khoory admits, especially since the three medical facilities have 5000 computer users collectively out of a total of 8000 staff, and about 2600 computers connected to the network. To minimise the risks that comes with its wireless infrastructure, DOHMS limited the number of users — mainly just the doctors and some of the more senior members of its nursing staff — and the number of devices — 120 Dell D505 laptops — that are allowed access to the wireless network. The laptops are also installed in mobile carts that are lockable to prevent them from being stolen. Security personnel are also stationed at every entrance and exit points of the facilities to monitor the people who come in and go out of the hospitals. The range of the wireless access is also limited to the in-patient wards. “Once you take the notebook outside the ward, the communication will be disconnected,” says Khoory. DOHMS has also designed a zoning scheme for the areas that have wireless connectivity. “All our mobile notebooks are defined in our wireless security profiles. We define them according to the zones or areas they are in. So, for example, if a laptop is part of Zone 1, which let’s say is located in the first floor of one of our hospitals, then a person who moves that notebook from Zone 1 to another in-patient ward, will find that the laptop will not work,” Khoory explains. “This is just to protect the assets, and for them not to be moved from one ward to the other because it will not work and it will not connect to our network if it is moved,” he adds. And to ensure that unauthorised wireless-enabled devices cannot access the network, DOHMS is implementing the open-standard WPA (Wi-Fi Protected Access) authentication with TKIP (Temporal Key Integrity Protocol) encryption, for verifying devices that attempt to log into the network. “Our wireless network does not allow any external devices to connect and it has security measures to prevent people from getting unauthorised connections. A person with a personal notebook or a handheld device cannot intrude into the network and connect themselves,” says Khoory. On top of all these is a range of multi-layer protection software that has been installed to protect DOHMS’s network from viruses and other malware. “There are multiple levels of anti-virus, firewalls and protection programs that we have in place that detects any virus, any worms and any types of attacks to our network,” notes Khoory. “So it does not matter if the device is wirelessly connected to our network or through a wired connection. Our network can already detect the viruses before they come to the PC.”||**||User policies|~|main_oomen_saji.jpg|~|“Some users may view company-issued mobile devices as personal property, putting their own data and even games on them. They may also feel a certain amount of freedom as they walk out the door with a mobile device,” says Saji Oomen of the Al Batha Group. “Our policies help keep them in line.”|~|As well as deploying applications and tools to fortify the security framework of a company’s mobile IT infrastructure, users’ security policies have to be created to maintain some sense of control over users and data once they leave the office. User policies regarding access controls and data that can be stored on a mobile device must be clearly explained and strictly enforced. After all, no matter how advanced your tools are if, at the end of the day, your mobile employees are unaware of the potential dangers that they are exposed to, then chances are, confidential data is bound to leak out one way or the other. Mobile security policies are useful guidelines that help employees understand what they can do and what they cannot do. The Al Batha Group, for example, has included in its security policies a definition of what types of data their mobile users can store in their handheld devices. This extends to the type and size of files they can send and receive via e-mail and also the types of files they can download from the internet. “Within our security policies, we have defined responsibilities for our employees in terms of internet etiquette — what sort of information they can download,” says Saji Oommen, general manager, group information technology, Al Batha Group. “Some users may view company-issued mobile devices as personal property, putting their own data and even games on them. They may also feel a certain amount of freedom as they walk out the door with a mobile device,” says Oomen. “Our policies help keep them in line.” Policies, according to Oommen, are an important element of the group’s security measures. With over 3500 employees in 60 different locations across the UAE, it is difficult for Al Batha’s IT department to support all of its staff effectively, so everyone is made aware, through the policies provided to them, of their own roles in protecting the group’s IT infrastructure. Simple rules, like not allowing employees to bring in their own notebook computers to the office, have proven to contribute significantly to the security of the company’s network. “Employees are not allowed to connect to the internet on a dial-up line; Since they are already in our company network, doing so might affect the security of the whole network,” Oomen says. Security policies are important especially for mobile workers but they will only be effective if properly enforced, as users tend to be lazy and complacent when it comes to IT security, says Ramin Attari, vice president, Nortel Networks Middle East. “They do not value the information they carry around with them, and most are too busy to worry about anything that will further complicate their lives,” adds Attari. “The best way to enforce mobile security user policies is to present it like a contract and get your employees to sign up, and by including policy compliance as part of their appraisals,” Attari suggests. There are several things to consider when defining policies, says Joseph Mehawej, marketing and technical sales manager, Nortel Networks Middle East. “Assume that your staff cannot be trusted to safeguard their devices. Accept that they are just not interested in security,” Mehawej says. Installing monitoring tools that automatically implements rules defined by the administrator can make sure that security measures are being followed. At the same time, policies should be updated regularly, especially when your company adopts new hardware. “Although you will be protecting the same kinds of information, your storage mechanism will be different,” explains Mehawej. While there are other elements to factor in when designing your mobile security plans, it need not be complicated. The most effective way of ensuring your IT assets — whether they are within or outside your office — is to have a blanket approach with central administration of all devices and centrally managed encryption and password protection that users cannot get round.||**||

Add a Comment

Your display name This field is mandatory

Your e-mail address This field is mandatory (Your e-mail address won't be published)

Security code