The staff, the thief, the device and its data

The staff, the thief, the device and its data

Data being leeched from company databases by less secure mobile devices is a common occurrence, making data leakage the big technology issue of 2008. With the increasing use of mobile phones, PDAs and laptops as work tools, important company data is removed from the office every day.

This increase in data sharing promotes an environment suitable for data leakage and is aggravated by the associated use of hot-desking, home working and wireless hotspots. It is further complicated by the shuttling of data back and forth between staff on USB sticks, CDs, DVDs, backup tapes and even iPods. As a consequence, security breaches are on the increase.

Whether it is HM Revenue & Customs losing 25 million records on CDs, the Ministry of Defence losing details of 600,000 servicemen and women in a laptop theft, or the recovery (from beside a bicycle shed) of a USB drive containing the personal details of Perth & Kinross Council workers, cases of data loss appear with uncomfortable regularity.

The Payment Card Industry Data Security Standard (PCI DSS) that is currently being implemented, as well as the forth-coming governance regulations in the Companies Act, will force UK businesses to focus on the problem of data leakage.

Public knowledge

Unlike many other parts of the world, in the UK there is no requirement to disclose data breaches. The Identity Theft Resource Center (ITRC) reports that data breaches doubled to 167 in the US during the first quarter of this year, compared with the equivalent a year ago.

That figure is probably similar in the UK, even without the ITRC figures accounting for the encrypted files that may have been compromised. However, there remains no real breakdown of the number of breaches that are directly related to mobile data.

In all fairness, and in terms of numbers, the incidence of data breaches as a result of mobile device theft is perhaps not as high as scaremongers would have us believe, simply because it is not as anonymous as covert internet hacking. If someone wants to steal data, doing so by taking a laptop means they run the risk of discovery, perhaps being seen by someone, or monitored on a security camera. But it does happen, and the theft of one laptop can do more to expose a company's data than any concerted hacking or social engineering exploit.

However, theft of mobile devices is a problem for many reasons, not least of which is because access permission is often set on the mobile device and there is no local security to prevent a thief from booting up the computer. For this reason, even allowing remote access can open a back door to systems.

Maxx hack

The biggest hack to date is the well-publicized attack on retailer TJ Maxx, where an estimated 45 million customer records were stolen. The attack started by compromising a wireless LAN that only used Wired Equivalent Privacy (WEP) encryption that can be cracked within 10 minutes by an experienced hacker.

The compromised network allowed entry to other systems and the breach has, according to the company, cost an estimated $12m (£6m), but analysts believe this may actually stretch into more when the full cost of the remedial work and harm to the brand is taken into account.

However, before the issue of mobility can be addressed, it is necessary to understand the extent of the problem by taking an audit of all the mobile devices used within a company. Capricode has developed SyncShield, one of a growing number of mobile device management products that help to manage smaller mobile devices such as smartphones and PDAs. "The first step is to get information on the types of phone you have and the software used into one database. And while you can do it with Excel or with asset management products, it entails extensive manual work," says Erkko Vainio, business development director at Capricode.

"A mobile device management product which is really designed for business use can allow you to collect the information over the air after you've installed a client on the phones," explains Vainio.

According to Vainio, this could extend the problem as it introduces some unpleasant surprises. "You may find that some people, even though most will have business phones, will be using their own private phones. This means that even though a company may have issued, for example, Nokia phones, the actual mix could include iPhones and BlackBerries."

Vainio recommends limiting the number of operating systems and phone models to make the system more manageable. "When you commission a new laptop, it will have been standardized so you have a limited number of configurations. You can decide what kind of software you want to have on it and what the settings should be, whether it's done by the reseller or using your own image. This is what IT managers know how to do, and this is what to aim for with the smartphones as well," he comments.

Remote risk

Phil Huggins, chief technical officer at Information Risk Management, agrees with Vainio. "The big problem -- and mobile is a really obvious indicator -- is that people aren't clear what their data is, or where it is," he says. "As enterprises expand, more work is being done by people over remote browsers on BlackBerries and other mobile devices rather than at desktops. The big challenge is to understand how much risk you have already placed outside your traditional boundaries."

Huggins adds that there are several issues that need to be considered around mobile device use. "Mobile devices are very easy to lose. As a valuable item to sell, these devices are quite highly targeted. I don't think people are necessarily stealing these devices to get hold of data, but this could change. People are using their phones to store data and they're also using USB drives. Companies are deploying applications specifically developed for mobile devices that allow employees to access dashboard applications, financial spreadsheets and such. The key problem is that people aren't aware of the risks they are taking in the first place."


The obvious solution to this is to devise policy documents and train staff to be aware of security issues. Staff members are rarely savvy about security and a lack of understanding can lead to errors. They are often working to meet deadlines and such pressure can lead to shortcuts. It is not unusual for pressurized staff to take copies of documents relating to their work so that it can be finished at home.

The best practice is to disable any port that can be used for copying. USB ports are obvious candidates, but there are also issues with Bluetooth, Wi-Fi and CD/DVD drives that must be addressed.

Huggins says: "Questions that must be asked are, do you have Bluetooth open to the world? Are you connecting to the internet constantly? It's more to do with the configurations of the devices rather than the software security that is deployed on them. One interesting thing I have seen deployed on BlackBerry Enterprise Servers and also on other mobile manufacturers' offerings is a 'remote-kill' feature. When you have a standard platform, you're able to put in a server that can send remote-kill commands. If a device is endangered, you press the button and it eradicates its memory and kills itself. This is incredibly valuable, especially when combined with local device encryption."

Various companies, including mobile device suppliers and network operators, aside from BlackBerry manufacturer Research In Motion, are starting to offer remote-kill facilities. There is also a burgeoning market for remote-kill services for laptops. In these cases, it is wise to ask what kind of service is being provided. Does the erasure process only delete files, or does it overwrite the data on the disk? If it merely deletes data, then an undelete application, freely available for download on the web, can retrieve the files.

Encryption protection

There is no substitute for encrypting information to protect mobile data. It is common practice to encrypt transmitted data, but not many people encrypt hard drives, optical discs, backups and USB drives. Huggins believes that this is essential. "If we're talking about laptops, I advise full disk encryption,' he says.

"Some people seem happy to go with encrypted areas of the disk, where people are supposed to put secure files. Good security in business is about people making the best decisions based on training awareness and policy, but technology should also support them because they may not necessarily make the best decisions. Full disk encryption means people don't have to be relied on to make the right decision -- it's just done."

The idea is to reduce the value of any stolen device to the hardware costs. The harder it is to get at the data, the less valuable the device becomes to professional thieves seeking industrial espionage potential. Eszter Morvay, senior research analyst for European personal computing at analyst firm IDC, feels that even more protection is required.

"In terms of security, there are three things to consider," she says. "Nowadays, it is good practice to ensure that any business notebook comes with a biometric fingerprint reader on board, as well as disk encryption. The second element is being provided from an original equipment manufacturer perspective. When Intel or AMD design a new processing platform, security is one of the key features they focus on. Basically, you get additional pieces of software that work together with the processing platform to enable higher data security and higher data integrity, though how much this can achieve is debatable.

"The third element is putting really secure software, such as McAfee, Symantec and Check Point ZoneAlarm, on top of the operating system to offer all-around protection," explains Morvay.

"The principal shaper of future security policies will be governance regulations," she adds. The onus is on companies to prove they are taking all possible measures to protect sensitive information -- and that requires a massive amount of work to increase the awareness of employees to best practices. The size of this task may change the face of future infrastructures, especially on the client side.

Morvay explains: "There are several client solutions emerging at the moment that have no hard drives or USB ports. These thin clients are basically access devices. When you type in your username and password, the remote server allocates processing power and the applications you are going to be using."

Thin is in

Morvay points out that the availability of mobile thin clients, which look like conventional laptops and cost between £300-£400, makes the proposition even more attractive. In vertical markets such as financial services, retail and healthcare, where data security is crucial, the lack of data storage on the device greatly simplifies the security structure.

A mobile thin client without server access is a fairly useless device, which is both a blessing and a curse. The good point is that security training is simplified to protecting the login process and not leaving the equipment turned on and unattended. The downside is that some form of network has to be available in order for the device to be useful.

The mobile thin client may not be to everybody's taste, but a thin-client phone or PDA may be the way ahead to ensure that data is not stored locally and, therefore, cannot easily be compromised.

Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Show Comments