Feature
posted 5 Oct 2004 in Volume 1 Issue 4
Managing mobile risk
As more employees remotely connect to corporate information, unwanted guests are becoming more of a threat. In this second ei examination of mobile working, Conrad Simpson of information-security consultants Celare explains how to stop them.
Advances in IT and connectivity options over the past twenty years have provided organisations with the capability for business efficiency and commercial advantage through the adoption of mobile computing and home working.
Remote access provides users with connections between devices and centrally-held data over a transport medium. The device could be a workstation, a laptop, a PDA or a multifunction smart phone, which may connect via a number of transports such as public switched telephone networks, ISDN, DSL, WLAN, GPRS or the internet. The data may reside in a variety of applications and formats from e-mail to corporate databases. No matter what combination is used, it's essential the confidentiality, integrity and availability of the data is maintained.
The risks
Mobile-working practices put valuable information at increased risk and should only be deployed once the security implications have been suitably addressed. Some of the newer technologies, such as WLANs and PDAs, have been quickly adopted due to the functionality and flexibility they provide. However, this flexibility is often at the expense of security. Risks include the physical security of remote-computing devices, the introduction of viruses to the corporate network by remote users and the confidentiality of information once it leaves the traditional office environment.
Managers considering remote access must be confident that business information will remain secure outside the company's walls. They’ll need to consider how easy it is for someone to access information on a laptop if it’s lost or stolen, how to ensure antivirus updates are applied to remote devices and how data will be protected in transit between the network and the users.
Another overlooked issue is how organisations handle the use of user-owned equipment, such as a home computer remotely connecting to the corporate environment, or a PDA or smart phone synchronising with an office-based desktop. In both cases, this can lead to information leakage onto devices over which the business has no control.
Managing the risk factor
These threats don’t mean organisations should avoid embracing new working practices. Tools are available to provide robust and secure mobile computing, but organisations must carefully examine their working practices and manage the associated risks.
While there are many sophisticated security measures that can be implemented, such as wireless-intrusion-detection systems, a Celare survey conducted in Ireland and the UK in August-September 2003 shows few companies are implementing even basic measures. Yet by doing so they would ensure that some level of security is in place, which is better than none at all.
Companies must ensure security procedures are considered when planning remote-access solutions. They must understand what information is going to be exposed and then implement appropriate controls to adequately mitigate risks to this data. These controls should be a combination of policy, procedures, training and technology. The following provides a list of typical controls that might be adopted:
Non-technical
- Issue all mobile users with a policy covering their own and company-owned equipment;
- Security-awareness training around remote access should be provided;
- Security operating procedures should be produced for remote-access users;
- Mobile-computing services should be included in regular security testing;
- IT managers should log all mobile access with enough detail to identify the user, the service and the access time and duration, to assist in analysis should malicious activity be detected.
Technical
- Measures are required to prevent access to information on a lost or stolen device. Users should be identified and authenticated before they can use a mobile device to enter the corporate network;
- Protect the integrity of sensitive information by encrypting it in transit and at rest;
- Scan all information for malicious software before it’s stored on a mobile device or the corporate network;
- Configure devices to automatically update their antivirus software before connecting to the network;
- Software running on mobile computers should be centrally managed;
- Data held on mobile devices should be regularly backed up in case of equipment failure or theft;
- Stored information should be protected from unauthorised access or amendment, particularly on devices that are given access to the internet.
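As an added illustration of the logging control listed above (recording enough detail to identify the user, the service and the access time and duration), and not code from the article or from Celare, the following Python script pairs connect and disconnect events from constructed remote-access gateway log lines in an assumed format. It reports each session's duration, flags sessions that begin outside an assumed business-hours window, lists connections still open at the end of the log, and separates out lines that lack the detail an investigation would need.

```python
import re
from datetime import datetime

# Constructed sample lines in a hypothetical gateway log format (not from any
# real product): timestamp, event, then key=value fields for user, service, source.
SAMPLE_LOG = """\
2004-10-05T08:01:12 CONNECT user=asmith service=vpn src=203.0.113.10
2004-10-05T08:03:40 CONNECT user=bjones service=owa src=198.51.100.7
2004-10-05T09:15:02 DISCONNECT user=asmith service=vpn src=203.0.113.10
2004-10-05T22:47:55 CONNECT user=asmith service=vpn src=192.0.2.200
2004-10-05T23:10:09 DISCONNECT user=asmith service=vpn src=192.0.2.200
2004-10-05T23:30:00 CONNECT user=cdoe service=vpn
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<event>CONNECT|DISCONNECT)\s+(?P<fields>.*)$")


def parse_line(line):
    """Parse one log line into a record; return None if the line is not in the assumed format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split() if "=" in kv)
    return {
        "ts": datetime.fromisoformat(m.group("ts")),
        "event": m.group("event"),
        "user": fields.get("user"),
        "service": fields.get("service"),
        "src": fields.get("src"),
    }


def build_sessions(log_text, business_hours=(7, 20)):
    """Pair CONNECT/DISCONNECT events per (user, service, source) into sessions.

    business_hours is an assumed policy window (start hour inclusive, end hour
    exclusive); sessions starting outside it are flagged for review.
    """
    open_sessions = {}   # (user, service, src) -> connect time
    sessions = []        # completed sessions with duration
    incomplete = []      # lines missing user, service or source: not usable for attribution
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        if not (rec["user"] and rec["service"] and rec["src"]):
            incomplete.append(raw.strip())
            continue
        key = (rec["user"], rec["service"], rec["src"])
        if rec["event"] == "CONNECT":
            open_sessions[key] = rec["ts"]
        elif key in open_sessions:
            start = open_sessions.pop(key)
            sessions.append({
                "user": rec["user"], "service": rec["service"], "src": rec["src"],
                "start": start, "end": rec["ts"],
                "minutes": (rec["ts"] - start).total_seconds() / 60,
                "out_of_hours": not (business_hours[0] <= start.hour < business_hours[1]),
            })
    still_open = [{"user": k[0], "service": k[1], "src": k[2], "start": v}
                  for k, v in open_sessions.items()]
    return {"sessions": sessions, "open": still_open, "incomplete": incomplete}


def minutes_per_user(report):
    """Total connected minutes per user across completed sessions."""
    totals = {}
    for s in report["sessions"]:
        totals[s["user"]] = totals.get(s["user"], 0.0) + s["minutes"]
    return totals


if __name__ == "__main__":
    report = build_sessions(SAMPLE_LOG)
    for s in report["sessions"]:
        flag = " OUT-OF-HOURS" if s["out_of_hours"] else ""
        print(f'{s["user"]:8} {s["service"]:4} {s["src"]:15} {s["minutes"]:7.1f} min{flag}')
    for o in report["open"]:
        print(f'still open: {o["user"]} {o["service"]} from {o["src"]} since {o["start"]}')
    for line in report["incomplete"]:
        print(f"cannot attribute: {line}")
```

Lines that cannot be attributed to a user, service and source are reported separately rather than silently dropped, since a gap in the audit trail is itself a finding when an incident is being investigated.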
A barrier to implementing security measures is financial constraints. With corporate budgets under pressure, every expense needs to be justified. Usually the benefits only become apparent when an incident occurs.
Companies must realise that if they fail to put appropriate security measures in place they may be failing to meet their legal or regulatory obligations. Such a failure might not only lead to financial loss but could also damage the company's reputation.
Effectively managing the risks of mobile computing means understanding what information is at risk, where this information is in transit or at rest, and then ensuring that people, process and technology are all working together to protect it.