Paranoia in Enterprise applications
July 3, 2006
Having a laptop or handheld wireless device stolen along with a large amount of sensitive corporate data can be a very serious security breach for any company or organization. For example, an employee at Hummingbird Ltd. recently lost a piece of computer equipment containing names and social security numbers belonging to an estimated 1.3 million customers of a student loan company.
Governments and businesses can put a number of important safeguards in place to greatly reduce the risks associated with the loss of customer information and other sensitive corporate data.
The first step is to get a better grip on the enterprise network, says Steve Rampado, senior manager of enterprise risk services for Deloitte and Touche LLP.
Once a business knows what specific devices are tapping into its own data, appropriate policies can and should be implemented and adhered to, followed by effective security measures like passwords and data encryption.
Steve Rampado says most organizations need to begin with a careful assessment of the risk, because they don’t even have a handle on what devices are connecting to their networks.
“Quite often an employee will buy a PDA or mobile phone they want and they’ll be connecting to the corporate network.”
Handheld mobiles are becoming more like laptops and the network perimeter keeps expanding outward, says Rampado, with increasing numbers and varieties of wireless devices. Smart phones and PDAs, with storage of up to 20GB, are becoming full-fledged operating systems capable of supporting applications that run on a desktop.
“If you’re going to allow these devices to connect, you’ve got to have the appropriate infrastructure in place so they’re going through the right authentication mechanisms to gain access to the corporate network,” he says.
Part of assessing the risk is understanding what data is accessible, and how. Rampado says a lot of companies have no idea what other devices their employees are synchronizing to their handhelds. An individual may be synching their handheld device to their laptop, which may contain confidential information.
“The corporation has no control over what is being synchronized and how that information is being synchronized.”
Integral to developing a strategy is defining policies and standards for employees that dictate what’s acceptable, adds Rampado. Setting a proper governance structure helps to ensure the information doesn’t get into the wrong hands, at least internally.
Companies might allow network access only to certain devices; employees may be allowed only to synchronize their contacts; only people at a certain level may synchronize their e-mail; and perhaps no one may be allowed to copy any sensitive files to these remote devices.
Another important and often overlooked strategy would be to train employees to become more conscious about security and raise their awareness of any corporate policies in effect. Rampado notes this is one of the biggest gaps within many organizations.
Much of security awareness comes down to common sense, like locking the laptop in the trunk of a car instead of leaving it on the passenger seat. Rampado says he also never goes through the airport scanner until his bag has gone through before him.
When it comes to putting controls in place to implement effective security, companies need to enforce password protection and limit network access to devices that have good security. “This should be enforced at the corporate level,” says Rampado.
Passwords can be enforced by the device’s server on the network, so that after five minutes of inactivity, for example, the device locks and the user is prompted to enter a password for continued network access.
Another example is the BlackBerry’s self-destruct mechanism. Users are allowed 10 attempts to enter the correct password before the server wipes the device of all data and renders it useless.
Individuals can certainly step up to assume greater personal responsibility simply by using the power-on password authentication. In most cases, a strong password will provide adequate protection even at a corporate level, says Jordan Silverberg, director of enterprise sales for Palm Canada Inc.
“If the password authentication is being used, there really is no way to get into the device,” says Silverberg. The problem is, he adds, most users don’t bother using it because it’s an irritating extra step.
Rampado says mobile employee access should be restricted to only certain data on the network, by enforcing synchronization policies and preventing devices from connecting to certain components of the network.
“Passwords are relatively well adopted, but we are starting to see network connectivity software that allows organizations to more centrally control the remote devices and create policies that they can enforce from the network level,” he says.
An example of this is the remote kill feature. If a device is lost or stolen, an employee can immediately report the incident and, when the device next attempts to connect, a signal is sent that will remotely destroy all the data on the device.
The IT administrator can send out a kill packet which will wipe the user information, including e-mail, contacts and any application data, says David Heit, a senior product manager for BlackBerry maker Research In Motion Ltd. (RIM).
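The server-side controls described above (a lock after a period of inactivity, a wipe after too many wrong passwords, and a kill command that is delivered when the device next connects) can be modelled as a small state machine. The following Python is an added illustration written for this page; it is not RIM's, Palm's or any vendor's code. The class names, the check-in protocol and the sample device data are assumptions of the toy; the five-minute idle timeout and the ten-attempt limit are the figures quoted in the text.

```python
"""Toy model of server-enforced handheld policy: idle lock, wipe on repeated
bad passwords, and a queued remote kill that fires on the next check-in.
Added example for illustration; not vendor code."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field


@dataclass
class DevicePolicy:
    idle_lock_seconds: int = 300      # five minutes of inactivity locks the device
    max_unlock_attempts: int = 10     # ten wrong passwords in a row wipe the device


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 so the toy never keeps the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


@dataclass
class Device:
    device_id: str
    policy: DevicePolicy
    salt: bytes
    password_hash: bytes
    data: dict = field(default_factory=dict)   # e-mail, contacts, application data
    last_activity: float = 0.0
    locked: bool = True
    failed_attempts: int = 0
    wiped: bool = False

    @classmethod
    def enroll(cls, device_id: str, password: str, policy: DevicePolicy, data: dict):
        salt = os.urandom(16)
        return cls(device_id, policy, salt, hash_password(password, salt), dict(data))

    def check_idle(self, now: float) -> bool:
        """Lock if the idle timeout has elapsed; returns the lock state."""
        if not self.wiped and now - self.last_activity >= self.policy.idle_lock_seconds:
            self.locked = True
        return self.locked

    def unlock(self, password: str, now: float) -> bool:
        """Power-on password check; the attempt counter resets only on success."""
        if self.wiped:
            return False
        if hmac.compare_digest(hash_password(password, self.salt), self.password_hash):
            self.locked = False
            self.failed_attempts = 0
            self.last_activity = now
            return True
        self.failed_attempts += 1
        if self.failed_attempts >= self.policy.max_unlock_attempts:
            self.wipe()                  # the "self-destruct" path
        return False

    def wipe(self) -> None:
        """Remove all user data and leave the device locked and unusable."""
        self.data.clear()
        self.wiped = True
        self.locked = True


class DeviceServer:
    """Network side: holds kill requests until the device shows up."""

    def __init__(self) -> None:
        self.pending_kill: set[str] = set()

    def report_lost(self, device_id: str) -> None:
        self.pending_kill.add(device_id)

    def on_connect(self, device: Device, now: float) -> str:
        """Runs each time a device checks in; returns what the server did."""
        if device.device_id in self.pending_kill:
            device.wipe()                # the kill packet is delivered
            self.pending_kill.discard(device.device_id)
            return "wiped"
        if device.check_idle(now):
            return "locked"
        return "ok"


if __name__ == "__main__":
    policy = DevicePolicy()
    server = DeviceServer()
    # constructed sample device and data
    dev = Device.enroll("handheld-0001", "correct horse", policy,
                        {"email": ["q3 forecast"], "contacts": ["a. smith"]})
    print(dev.unlock("correct horse", now=0))         # True
    print(server.on_connect(dev, now=60))             # ok
    print(server.on_connect(dev, now=400))            # locked
    server.report_lost("handheld-0001")
    print(server.on_connect(dev, now=500), dev.data)  # wiped {}
```

Note what the model makes explicit: the kill command only takes effect at the next check-in, so a device that is kept offline never receives it, which is why the article pairs remote wipe with on-device encryption and a password that the device enforces locally.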
Silverberg cites a number of corporate security companies — Good Technology, Trust Digital and Credant — that provide remote wipe or “kill pill” functions, as well as network-based password enforcement, application control and Bluetooth synchronizing restrictions.
Rampado also highly recommends encrypting any privacy-sensitive information, in addition to password protection. RIM for example offers a content protection service that uses 256-bit AES (Advanced Encryption Standard).
Companies may also want to investigate a second or third authentication mechanism, such as a USB token or smart card.
Source: IT World Canada