Mobility might be transforming the working lives of office staff but it can make a mockery of security techniques, according to Anu Nayar, manager of security and privacy services at Deloitte. “We are now in a culture of convergence, it’s the anytime, anywhere, anyhow syndrome,” he says. “Mobile devices bring collaboration and efficiency but the technology is changing so rapidly it’s almost impossible to keep up.”
While devices like laptops, PDAs and cellphones “bring tremendous value” to an organisation, Nayar says there is a price to pay in terms of security.
One of the side effects of the increased use of mobile devices is that they are intrinsically hard to keep track of. Whereas a desktop PC can be difficult to move without attracting attention, a laptop can be stowed away in a carry case in a matter of seconds.
Nayar says that while a recent report by Gartner revealed 70 per cent of laptop thefts in the US are inside jobs, mobile PCs can easily go astray for other reasons. The same research showed, on average, IT departments could accurately report on only 60 per cent of their computing assets.
Peter Benson, founder and CEO of Auckland-based security consultancy Security-assessment.com, says poorly secured data stored on laptops poses a security hazard.
“Laptops tend to go missing with alarming regularity and they contain a lot of data that people are interested in.”
In the US, Benson says 58 per cent of companies have suffered laptop thefts and these computers are increasingly being stolen for their data rather than the hardware value.
In New Zealand, laptop theft has so far been much less prevalent, Benson says around seven per cent of companies have been affected.
As mobile devices are becoming increasingly sophisticated, they are creating new user-management issues. “Mobile devices are not simple anymore, these days a mobile phone can have a camera, GPS, Bluetooth and wifI,” says Nayar. “One of the key problems is that organisations haven’t figured out how much they should trust their employees or how much they should appropriately monitor them.”
Nayar says New Zealand is gaining a reputation as a “dumping ground” for mobile devices, which would be regarded as being obsolescent elsewhere.
“We are about two years behind the rest of the world and when it comes to security, a lot of these devices are not quite cutting the mustard.”
In particular, Nayar says there is no consistency in the handling of residual data — the data that remains on a device after the user has specifically deleted it. Questions like these mean that stolen mobile devices can be very useful tools for identity thieves.
“Mobile devices might be storing your calendar, tasks, shopping lists or your mobile banking details. If this information was pieced together well enough it could be used to build up a pretty good profile of someone.”
Nayar says the security problems posed by mobile devices are best addressed by employee education and policies, rather than technological countermeasures.
Organisations should regularly update their appropriate use policies, carry out regular audits, manage the use of mobile technologies to reduce the risk and educate users to alert them to the potential dangers.
“Security for mobile devices is well beyond a technical problem,” he says. “Security should start with people first and work its way down to the technology layer.”
Join the CIO New Zealand group on LinkedIn. The group is open to CIOs, IT Directors, COOs, CTOs and senior IT managers.