Article: Analyze The Threat From Mobile Devices
Protect Devices With Security Policies, Plans For Information Recovery from Processor.com featuring Philip Farina, CPP
Analyze The Threat From Mobile Devices Article, Processor
1. Tech & Trends Click To Print
General Information
September 24, 2010 • Vol.32 Issue 20
Page(s) 41 in print issue
Analyze The Threat From Mobile
Devices
Protect Devices With Security Policies, Plans For Information
Recovery
Among the greatest workplace changes taking place
Key Points within the past decade or so is the amount of enterprise
information leaving the office along with employee
• With increased use of
mobile devices comes the
laptops and smartphones. Even one decade ago,
need for a mobile device employees seldom worked from home or while on the
security policy. road, and they certainly didn’t tote small computers
everywhere, says Stephen Midgley, vice president of
• Thieves now realize the global marketing at software security maker Absolute
importance of information
stored on mobile devices
Software. With the explosive growth of enterprise-
and are specifically targeting issued mobile devices comes the threat of theft and the
them. access by outsiders to the information on them, he says.
• Software installed at the To add another wrinkle, attackers now understand the
enterprise level is capable of
tracking lost devices and of
value of the enterprise information stored on mobile
wiping them clean of devices and are specifically targeting them, be-cause
sensitive enterprise they’re so widely used, says Hugh Thompson, program
information. committee chair for the RSA Conference, an annual IT
security conference.
Because the enterprise information value can far outweigh the value of the device itself,
experts recommend IT managers have a plan for mobile device use by employees and for
information recovery in the event of theft.
“When organizations are allowing users to connect their devices to the network and
download confidential business data--whether that’s internal information or customer
data--you need a security policy that states how the devices should be encrypted,” says
Matt Bossom, the program manager for technology solutions at IT security company
”Accuvant (www.accuvant.com).
Policy In Place
2. The enterprise will need to budget for mobile device security, Midgley of Absolute
Software (www.absolute.com) says, because the IT department will need authentication
tools and likely special software to track a device and wipe its hardware in the event of
loss.
Bossom recommends IT managers take authentication steps beyond the authentication
available with the device out-of-the-box. Many mobile device platforms for use at the
enterprise level include stronger authentication than the authentication installed within the
device itself, he adds.
“The same authentication policy can be used for all different types of devices and can be
pushed out across the network,” Bossom says. “This is the same way Windows Server
pushes out updates using group policy.”
This type of authentication means employees will have to enter a password every time
they access the device. IT managers must ensure passwords aren’t easy for thieves to
guess (“no one, two, three, four” says Bossom) and that employees haven’t taped the
passwords to the device itself or placed it somewhere within their laptop bag, says Philip
Farina chief executive officer of Farina and Associates, Ltd. (www.farina-
associates.com), a security and risk consultancy for the hospitality industry.
Sure it’s a hassle for employees to enter a password each time they check their phones for
new emails, but doing so reminds them they’re using a workplace-issued device that
includes confidential information, he adds.
Of course an enterprise mobile device security policy will need to set out rules for use that
may seem almost common sense, but having them in writing helps, Farina adds. He
recommends IT managers warn employees against leaving their device in sight on a
restaurant table or bar--employees should carry it in their purse, pocket, or a carrying case
they have beside them at all times. When staying in a hotel room, lock the device in the
safe or lockbox when not in use.
To that end, ask employees to call ahead to ensure their hotel room will be equipped with
a lockbox and that they select only hotels that include the feature, he says.
They should also ask employees to keep the devices to themselves, the RSA Conference’s
Thompson adds. “You have to take into account [the] social and free nature with which
people pass these things around,” he says. “If it’s a work laptop, they might not let
someone use it for a second to look something up, but with a smartphone, they’d be more
inclined to hand it over to let someone call up a map or something.”
In Case Of Theft
An enterprise’s mobile-device security policy should also outline the steps employees
must take should their device go missing. “Usually that means contacting a response
center or the IT department or someone else in corporate so the phone can get shut down
ASAP,” Farina says.