Mobile devices today have considerable storage capacity, are smaller and more portable, and unfortunately are very easy to lose, misplace, conceal or steal.
Recent news items about high-profile security breaches indicate both that it is easy for a security mishap to occur and that most companies haven’t done very much to address the possibility. Whether it is a misplaced laptop with confidential records, the incoming transfer of a virus from an infected USB drive, or an actual theft of data by downloading to a personal device, the potential for serious loss is evident, and the loss can ultimately be avoided.
Case in point: In mid-2009, two laptops containing personal patient information were stolen from a lab at the University of Alberta Hospital. The laptops contained names, birth dates, personal health numbers and lab reports for communicable and reportable diseases on more than 300,000 people. None of the data on the drive was encrypted, and it was therefore accessible in plain text.
The issue is really one of risk management. How much attention you devote to security depends on how sensitive your data is, how complex and onerous you care to make your security measures, and how much time and money you have to invest.
Wireless communication can also lead to loss of data. If unprotected, a device can be hacked without physical contact, or an enterprise compromised from a car parked down the street.
Users can also unintentionally save data in places that are not protected. Moving data to a home computer, or not encrypting the email on an iPhone, or even installing a “trusted” application on a company BlackBerry could transfer malicious software to internal data and systems.
SO, WHAT’S A BUSINESS LEADER TO DO?
Security of mobile devices is not a simple topic. The device itself has to be protected, as does the data stored on it, not to mention the network it will interface with.
The following list of ideas should be considered your “first plan of attack”. Any or all should be considered, depending on your appetite for risk, and the importance of the data that may be at risk.
In the office:
- Policies around who has access to certain data
- Auto-lock timed screen savers
- End-user firewalls and endpoint protection
- Network access control to restrict unauthorized machines
- Two-factor authentication
- Configure the system to require a password whenever a user logs in
- Encrypted hard drives
- Mobile technologies such as Citrix/VDI to keep data in the office
- Set an idle timeout that will automatically lock the phone when not in use
- Encrypted data stores
- Mobile VPN to detect compromised (jail-broken) phones
Portable Storage Devices:
- Configure a username/password combination to access the data/device
- Encrypted USB drives