http://www.itbusiness.ca/index.asp?theaction=61&lid=1&sid=57610

By Lynn Greiner
12/8/2004

The most secure company probably has a gaping hole in its corporate pocket, which allows crucial data to slip out.

Yes, the network is protected by a firewall, intrusion detection system and virus scanner. The PCs on that network are locked down. The wireless network is encrypted and secured. Data is properly backed up. All is mellow.

Then the senior vice-president tucks his personal digital assistant (PDA) into his jacket pocket and heads out to the fitness club, where that jacket will be left unattended while he works out. Or the marketing manager grabs his cell phone and runs to a meeting, where he will leave the phone on the conference room table while he visits the washroom.

What's protecting the data in those devices?

In a study conducted earlier this year by the Graziadio School of Business and Management at Pepperdine University in Los Angeles, 81 per cent of respondents said they carry "somewhat valuable" or "extremely valuable" information on their PDAs. Sixty per cent of executive-level respondents said their business would be "somewhat" or "extremely" affected if the data on company-issued PDAs were lost. And 24 per cent have experienced loss or theft of at least one PDA.

Devices become life repositories

Despite this, half of the respondents did not have any security on their PDAs, beyond (perhaps) a power-on password.

That blood-curdling scream you just heard is your security officer, who until now thought he had a handle on vulnerabilities.

With any personal device, be it company-issued or employee owned, management is a major headache. It's as much a social problem as a technological one. Users treat their PDAs and cell phones as life repositories, storing business and non-business data cheek by jowl, and consider attempts to manage the devices as affronts to their privacy.

Yet as long as there's a scrap of business data on the device - a phone number, a password, even a meeting reminder - the "private" device is very much the company's concern. Managing it, however, is easier said than done.

It's easy to back up data on a PDA if it synchs to a company computer - just back up the files on the computer. The trick is in protecting it while it's out and about in the handheld. That mainly entails preventing the user from turning off any security on the unit.

That's not all there is to management of mobile devices, however. There's asset management: controlling who has which device, operating system and so forth. There's configuration management: making sure that all applications are installed that should be, in their correct versions. There's encryption. If the machine has communications capabilities (802.11b, for example, or if it's a smart phone), there's network and virtual private network (VPN) configuration and security to worry about.

Fortunately, there are both standalone products and modules for enterprise management suites that can handle the job. They can even program the handheld to erase all of its data after a predefined number of bad login attempts; a thief may get a free PDA, but company information will be protected.

Unfortunately, these products can cost several hundred dollars per protected unit (for small license counts). Despite this heavy hit on the corporate wallet, IDC says that the market for mobile management products is expected to achieve a compound annual growth rate of 44.9 per cent through 2008, when it will be a whopping $US911.4 million.

Tell the boss what's at risk

Before you manage mobile devices, though, you have to find them. And if users have local administrator privileges on their PCs (generally a bad thing, by the way), it may be easier said than done.

In that case, when users acquire their new mobile toys, they can just quietly install the synchronization software and merrily start pulling corporate financial spreadsheets onto their devices without anyone's knowledge. The first IT will hear about it is when the handheld hiccups and its owner comes for help, or a PC acts up and the responding tech notices the new software.

Then, of course, the user will howl when told that he or she shouldn't be loading company information onto a personal device. It, after all, increases their productivity. And they're probably right, but convincing them that it also increases risk to the company is usually a losing battle.

You might have better luck persuading them to enable power-on passwords, insisting they use encryption software for business information (for which the company will pay), and insisting that the device be locked when idle.

You also need to make sure that the edict comes from the top. Chances are, the boss is one of the culprits. Convince him or her of the ri$k to the company, and guilt will do the rest.