
Smart Devices Call for Intelligent Security

Worried about sensitive company information disappearing or being compromised, "companies are peeling back some of the convenience of mobile devices in favor of extra layers of password protection and other restrictions," according to the Washington Post.

As data proliferates and the use of mobile devices rises exponentially, security risks increase. The danger lies not just in a lost or stolen device, which is easily replaceable, but in the potential breach of corporate and personal security.

Risks include:

  • Mobile handheld devices—personal digital assistants (PDAs) and smart phones—frequently lost or stolen.
  • Corporate information downloaded to a portable storage device or transferred through file sharing.
  • Failure to adopt security appropriate to emerging needs.

These add up to major data security threats. "Companies wanting to get on top of this will have to do more than rely on their employees' best intentions," according to European IT security firm Quocirca. The reasoning—mobile devices are simply too easy to use without regard for basic security.

Easy to Use, Easy to Lose

In Chicago, 160,000 portable devices are left in taxicabs every year, according to Pointsec Mobile Technologies, a security software firm. Although 50% to 60% of those are reunited with their owners, the problem gets worse each year. "Mobile users are in an even worse position now because they're far more reliant on their mobile devices to store large amounts of sensitive information with very few concerned about backing it up or protecting it," says Peter Larsson, Pointsec CEO.

Mobile Data

Companies used to be concerned that a disgruntled employee would save company data to a floppy disk and take it to their next employer. "Today, these same users can take your entire customer database showing purchasing, prices, and history on a single USB drive," according to Computerworld. Due to large capacity, portability, and simplicity, removable media such as memory sticks have become popular. "They're quickly becoming the preferred method to store business proposals, accounts, client details, marketing plans, and other confidential company information," says the magazine.

Another security challenge, according to Computerworld, is fast Internet access in the office, which makes it easy for employees to use the company network to download files. A disloyal employee could attempt to install a peer-to-peer (P2P) network on the desktop computer, moving files between the office and other locations and exposing the company's internal structure.

Security Upgrades Needed

Employees now have the capability to carry around a lot of corporate (and personal) information, which facilitates day-to-day business. But what happens when a person loses one of these devices? If it's a laptop, at least a certain level of protection should be in place, beginning with a standard challenge/response password system. More sophisticated measures help ensure that should anyone compromise the system they would not be able to cause havoc across the company.

Handhelds, however, are different. Very few people set up any level of security on these devices; most even fail to use the four-figure PIN on start up. Encrypting data is almost unheard of. Antivirus software and firewalls for these devices are in their infancy. As these devices are used in more critical ways—to access e-mail and corporate applications, and to store a list of contacts—firms become increasingly vulnerable to breaches through loss or theft.

Policies, Procedures, Protection

Protection starts by recognizing users as the most fallible link in any security chain. Beyond that, experts blame "poorly designed software, inattention to data security, and an underappreciation of the problem by top management," according to the Washington Post.

A survey sponsored by software security firm Symantec Corporation shows 37% of smart-phone users store confidential business data on their phones. Only 40% of those surveyed worked at companies with corporate policies about wireless security.

Controls on mobile devices are an extension of the internal security policies and procedures surrounding information and data access. Begin by working with your legal, compliance and management teams to determine appropriate policies for your credit union.

Users must be educated in what policies and procedures mean to them. They need to know which are acceptable devices, and recognize the need to secure data on those devices. Presently, low levels of user support and training compound IT security problems.

Breaches such as mortgage data from General Motors Acceptance Corp. that was stored on a stolen laptop leave consumers wondering whether companies take security threats seriously. What credit union would want to become the latest public example of compromised security?

And if that thought isn't enough to propel management and IT toward higher levels of security, consider the observations of a federal prosecutor now in Internet security: Concerning security breaches, "the company has to try to protect against every kind of attack. The intruder needs to find only one."

This article was prepared by the staff at the Point for Credit Union Research and Advice and is published online at http://thepoint.cuna.org/. Reprinted with permission.

