Mobile security: How to protect against employees' bad habits
By Rich Freeman
Employees routinely commit a variety of security errors when using mobile devices. Here are some simple ways to safeguard your systems and data.
In summary
| • | Deploy mobile security software or use a mobile operating system that automatically encrypts data and enforces passwords. |
| • | Use wireless intrusion-prevention systems and messaging encryption to guard against unsecured wireless networks. |
Imagine if this scenario involved your company: In 2003, an executive at a major brokerage house sold his PDA through an online auction site. When the buyer switched the device on, he found some 200 internal company e-mail messages and contact information for more than 1,000 employees. The original owner had neglected to clear the system's memory—or password-protect the device.
Such shocking security lapses are, sadly, all too common when it comes to mobile technology. Fortunately, you can significantly reduce your risk of exposure to mobile security breaches by implementing a few simple measures.
Use passwords, encryption, and wipe technology
Despite the fact that mobile devices are easily lost or stolen, only about half of U.S. device owners use passwords, says Lisa Phifer, vice president of Core Competence, a security consulting firm based in Chester Springs, Pennsylvania. Similarly, less than 20 percent of companies encrypt data on mobile devices, according to a September 2006 survey of global IT professionals by security software maker CREDANT Technologies of Addison, Texas.
Numerous third-party software vendors make mobile security suites that automatically encrypt mobile data and enforce passwords. Windows Mobile 6 provides such features and also enables you to encrypt data on removable memory cards. "You can put gigabytes and gigabytes of data on an external memory card, and [it] can easily vanish," observes Carmi Levy, a senior research analyst and security specialist at Info-Tech Research Group in Ontario, Canada (a company that advises more than 20,000 IT professionals worldwide).
For more protection, consider local wipe tools that automatically lock a mobile device if someone tries unsuccessfully to enter a password several times. Remote wipe systems enable network administrators to erase a mobile appliance's memory. Many mobile security suites offer local and remote wipe support, as does Windows Mobile 6 (and Windows Mobile 5.0 via the Messaging and Security Feature Pack).
Watch out for unsecured wireless networks
Wireless networking is so convenient that mobile workers often overlook the risks. To avoid connecting with a so-called "evil twin" hotspot—a seemingly legitimate network maintained by identity thieves—ask an employee at the hotel or coffee house where you work to advise on the best network to use. Wireless intrusion-prevention systems can also give mobile workers advance warning of potentially unsafe connections.
Even the most diligent employee will occasionally use an unsecured network by mistake, however, so be sure to encrypt the data streams flowing to and from your company's messaging servers. "The major messaging products support this [functionality] out of the box," Levy says. A one-time client configuration can enable this encryption. You should also install the latest firewall, antivirus, and anti-spyware software on all wireless-enabled notebook computers.
Of course, training employees in the practices of secure mobile computing is always an important first and last step. "If you make no technical changes at all, you will significantly improve your mobile security by ensuring that end users are up to speed on the latest best practices," Levy says.
Rich Freeman is a Seattle-based freelance writer specializing in business and technology. He has more than 14 years of strategic marketing and communications experience in the IT industry.
