|
||||||||||
| Home | Products | Order | About Us | Contact Us | ||||||
|
Mobile security - Protecting laptops and other mobile devices that your employees take on the road every day is a major problem. By Jayne Parkhouse and Louise Murray Contrary to popular belief, we haven't got any better at looking after mobile security. Last year 600,000 laptops were stolen - according to statistics compiled by Safeware Insurance (www.safeware.com); that's a staggering 53 per cent hike on Y2K figures. So why, when we are experiencing a 'security' frenzy, are we so vulnerable on this front? Surely corporate policy should enable a security conscious approach to all information sources that will potentially leave their control? Do you know if it's missing? Is there really enough accountability for lost or stolen corporate assets? If your equipment is simply written off without an investigation, what's to stop an employee handing over your 'crown jewels' without fear of retribution, simply because he or she can report it as a 'theft' - if they report it at all. A 43-page report by the US Inspector General, Glenn Fine, revealed some staggering facts. Accountability in areas where you'd expect the highest levels of security to be in place is more than a little thin on the ground. FBI guidelines, for instance, state that employees must report assets that have been lost or stolen, but provide no information as to where the report should be filed. Worse still, reports that have been mislaid have taken up to 23 years to be filed. Given that the number of laptops within the FBI authorised to carry sensitive data classified as 'Secret' or 'Top Secret' equates to more than half of the 8,000 laptops in their use, there is a real potential for a national security breach. And, more, the average time to file a lost or stolen laptop within the Bureau has been four years. But, the FBI was not the only organisation to come out badly. The US Immigration and Naturalisation Service didn't fare any better; it couldn't provide an account of the number of laptops it owned, let alone how many may have been lost or stolen. The same appears to be true of the Drug Enforcement Agency. It could account for 6,134 laptops, but couldn't provide a figure for any that may have been lost or stolen. These figures, from agencies with very sensitive data, must be seen as totally unacceptable. With little accountability there could be a serious breach of security. However, given the facts and assuming that businesses take a different stance on 'accountability', proper asset tracking and auditing could provide the level of security that we should all be striving to attain. Not only does this make sense from a security perspective, but knowing what you have and where it is makes for good business practice. Hold on to your assets A laptop that has access control, data encryption and other relevant protection will ensure that the user has the means to protect it, while it is in their custody. Don't forget that you still need clear-cut rules on reporting losses, with unambiguous time restraints on where and how such reports must be handled. And if you have data that someone else could use to their advantage and you can't ensure its safety, you shouldn't let it leave your control. Users should only carry the minimum data needed, and remote users should not be able to download information that is overly sensitive, or copy data unencrypted on to removable media. Make your workforce accountable and provide the training they need to help them act responsibly. A little training can go a long way - if your employees know the dangers, at least they can guard against them. Of course not everyone is after your data. Hardware components could be the order of the day and these end targets, combined with a lucrative trade in stolen goods, ensure that a steady stream of thefts will continue. Given the facts, disabling booting from removable media while using a quality access control solution, will ensure that the goods are not so readily shifted. Add to this an anti-tamper device and the hardware becomes useless. Deterring potential thefts with an alarm, cable and a 'This Equipment is Protected By' sticker makes sense; these may be seen as a pain by their users, but given the facts we should all just get on with it. Accountability and responsibility go hand-in-hand here, but the first positive step must come from within the corporate culture before it can take full effect. Positive steps taken now could bolster security awareness and promote an enlightened attitude across your entire workforce, not just the guys on the road. Think of the benefits and plan your next move. There are a variety of solutions to consider working into your corporate security, which SC Magazine has reviewed, giving you a feel for their effectiveness and ease of use. If they disrupt normal practices they'll be ousted, so we look for practical, user-friendly products. After all, we don't want to alienate employees, only encourage them. Because, whether it's a genuine theft or an errant employee, we don't want anyone taking the PC - now do we? Source: November 2002 Security Computing Magazine. |
||||||||||