Managing the Risk of Lost Mobile Devices
By Mary Shacklett
Mobile technology offers enormous benefits to corporate productivity and flexibility. It enables real-time communications and problem solving from virtually anywhere around the globe, and is a real asset when it comes to mobilizing businesses to create opportunities and resolve the daily issues that invariably arise with work. Unsurprisingly, Gartner in a 2005 survey reported that 64 percent of North American and European networking and technology businesses said they planned to increase wireless local-area network (WLAN) deployment. The chief driver was corporate productivity gains from wireless communications.
Unfortunately, deploying all this mobile technology in the form of notebooks, Blackberries, personal digital assistants (PDAs), cell phones and other devices also has its risk and loss management side. It was again Gartner that recently projected that companies with more than 5,000 employees could save between $300,000 and $500,000 annually by tracking and tagging PDAs and mobile phones. Gartner also estimated that the cost of an unrecovered PDA or mobile phone is at least $2,500 per unit because of the expense of compromised proprietary data. Over 250,000 mobile phones and handheld devices will be left behind at U.S. airports alone annually this year, with a 25-30 percent recovery rate, according to recent information from the Wisconsin Technology Network.
Clearly, losing mobile devices is serious business. Yet, 40 percent of enterprises still do not have mobile device security policies, as revealed by a survey conducted by the Business Performance Management Forum. Sixty-five percent of those businesses say that it's because senior management is focused on other areas of compliance--ironic, given that mobile devices should be a key component of any security and compliance initiative.
Risky Business
When mobile devices are lost or stolen and information is compromised, there are immediate sensitive information risks to organizations—and also risks that come in the form of lost “good will”. Many states now have statutes that require companies to tell the public when information has been compromised--a publicity “black eye” for enterprises and a career risk for those charged with being corporate stewards of such information. Appropriately, risk management should be part of any organization’s mobile device data policies.
Mobile applications today encompass email, instant messaging, database and corporate application access, sales force and customer service software, and customer relationship management (CRM) and enterprise resource planning (ERP) applications. Since most mobile devices have multiple wireless interfaces for access, they are increasingly vulnerable to attackers who know how to exploit the weaknesses in these interfaces to crack corporate information repositories. Unencrypted and unsecured mobile devices that are lost also become prey to unauthorized access and exploitation.
Device Loss Prevention and Mitigation
The compactness of mobile devices makes them easy candidates to slip out of pockets or to be left behind in restaurants, airports and other public areas. Each month, Los Angeles International Airport reports that 400 mobile phones are lost in its facility. PointSec, a data encryption developer, reported that London’s Heathrow airport auctions off 730 unclaimed laptops and 1,460 unclaimed mobile phones annually. On top of this, there are companies that are lax in their “checkout” procedures for departing employees. Many employees fail to return company equipment when they leave--and sensitive information walks out the door with the equipment.
Even people who don’t lose their portable devices often have careless device use habits that expose sensitive information to compromise. Users continue to share userids and passwords. Understanding these risks, solution providers are delivering security solutions for mobile devices that can assist with mitigating the risk of critical information loss.
Microsoft via its Microsoft Exchange Server presents tools for data security policy enforcement that can be provisioned to mobile devices. The software allows sites to remotely track mobile devices, as well as to configure these devices for corporate-grade security. Other security solutions providers offer data encryption, “three strikes and you’re out” userid/password sign-in routines that allow three login attempts before locking out a device, device alarms that sound when a device is removed from its cradle without appropriate password entry within a certain period of time, and even the ability to “lock down” data on lost mobile devices from a centralized administrative site so that data on these devices cannot be accessed by unauthorized persons—or to remotely wipe out the data altogether.
Security: The Heart of the Matter
Businesses can cope with lost mobile devices if they have the peace of mind that information carried on these devices cannot be accessed. Recognizing this, many companies are now taking steps to protect these devices as much as they safeguard their mission-critical data repositories.
One IT security strategy is working together with corporate HR to train new employees and refresher-train existing employees on corporate information security policies and on the usage practices for mobile devices. User ids and passwords, for example, should never be shared.
User sign-ins can be done through two-factor authentication, using information only the user would know. This makes it harder for others to break into the device. If the device is still broken into, the encryption of all mission-critical data will make it very difficult for a hacker to gain much. This is especially important for users who utilize flash drive plug-ins and other minute devices for data storage that can easily be lost.
Commercially available data encryption solutions for mobile devices include:
IT should also implement backup and restore methods, secure communications software, mobile firewalls and antivirus software.
Best Practices for Mobile Devices
Mobile device security protection and data encryption were discussed earlier, but there are also several other strategies that IT can implement for mobile device “best practices.”
1. These best practices for mobile devices start with clear policies that employees throughout the organization can understand and apply. The policies are carried out through directives in IT and throughout the organization, and should be agreed upon between IT and end users before they are implemented. The corporate mobile device use policies that result should ideally be coordinated by IT with Human Resources, which trains new employees and ensures that existing employees stay up to speed with current regulations. IT should also adopt centralized monitoring and enforcement software that can administer mobile devices—and it should label and inventory mobile devices.
2. Once policies are in place, organizations should bear in mind that the most critical area of enforcement is with employees themselves. Especially if they are not in IT or other security-cognizant areas, employees may not understand the risks of sharing passwords or of leaving devices unattended. They might also assume that mobile technology is as safe as internal desktop technology, which it is not.
3. On the technical side, it is important to keep patches up to date. This includes software patches that prevent intrusions and exploitations. Computer logins should lock out users without the correct passwords, and it should be required that these passwords are changed regularly (preferably, every 30 days). Locking cables can also be purchased and used with portable computers.
4. If you are using wireless connectivity features (e.g., 802.11, 802.16, Bluetooth), make sure that mobile device security settings are set as strong as possible. Devices commonly ship with factory defaults set to maximum openness.
5. Disable any options and applications that the user will not use. This further reduces security risk.
6. Regularly backup data, and be sure to have a backup copy of any necessary data in case your mobile device is lost or damaged.
7. Train users to immediately report lost or stolen devices. Software is available that can remotely disable or lock down these lost devices.
8. Use safe mobile device disposal practices. This is done by requiring end users to turn in mobile devices to IT, leaving proper disposal (such as removing sensitive data) to IT.
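The sign-in rules described above (the "three strikes and you're out" lockout, the 30-day password age, and the remote lock and wipe actions an administrative console can apply to a lost device) can be expressed as one small policy engine. The following Python is an added illustration written for this article; it is not code from the author or from any vendor product mentioned here. The device identifier, the password, the dates and the in-memory DeviceRecord store are all constructed for the example; a real deployment would keep this state in the management server, not on the handset.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List

# Policy constants taken from the article: three login attempts, 30-day password age.
MAX_FAILED_ATTEMPTS = 3
PASSWORD_MAX_AGE = timedelta(days=30)
PBKDF2_ITERATIONS = 200_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; only the hash and salt are stored, never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class DeviceRecord:
    """Per-device state a (hypothetical) central administration console would keep."""
    device_id: str
    salt: bytes
    password_hash: bytes
    password_set_at: datetime
    failed_attempts: int = 0
    locked: bool = False
    wiped: bool = False


def new_device(device_id: str, password: str, set_at: datetime) -> DeviceRecord:
    """Enroll a device with a freshly salted password hash."""
    salt = os.urandom(16)
    return DeviceRecord(device_id, salt, hash_password(password, salt), set_at)


class LockoutPolicy:
    """Enforces the sign-in rules and the remote lock/wipe actions described in the text."""

    def attempt_login(self, dev: DeviceRecord, password: str, now: datetime) -> str:
        if dev.wiped:
            return "wiped"          # data is gone; there is nothing to unlock
        if dev.locked:
            return "locked"         # a correct password alone does not clear a lockout
        candidate = hash_password(password, dev.salt)
        if not hmac.compare_digest(candidate, dev.password_hash):
            dev.failed_attempts += 1
            if dev.failed_attempts >= MAX_FAILED_ATTEMPTS:
                dev.locked = True   # third strike: device locks itself
                return "locked"
            return "denied"
        dev.failed_attempts = 0     # a successful sign-in resets the strike counter
        if now - dev.password_set_at > PASSWORD_MAX_AGE:
            return "password_expired"   # user must rotate before getting full access
        return "ok"

    def admin_unlock(self, dev: DeviceRecord) -> None:
        """Only the administrative site clears a lockout (after verifying the user)."""
        dev.locked = False
        dev.failed_attempts = 0

    def remote_lock(self, dev: DeviceRecord) -> None:
        dev.locked = True

    def remote_wipe(self, dev: DeviceRecord) -> None:
        """Lost-device response: wipe is irreversible and implies lock."""
        dev.wiped = True
        dev.locked = True


def demo() -> List[str]:
    """Walk one constructed device through the policy and return the outcomes in order."""
    policy = LockoutPolicy()
    now = datetime(2005, 11, 1, 9, 0)                       # constructed timestamp
    dev = new_device("pda-0017", "correct horse", now - timedelta(days=10))
    results = []
    results.append(policy.attempt_login(dev, "wrong-1", now))        # denied
    results.append(policy.attempt_login(dev, "wrong-2", now))        # denied
    results.append(policy.attempt_login(dev, "wrong-3", now))        # locked (third strike)
    results.append(policy.attempt_login(dev, "correct horse", now))  # still locked
    policy.admin_unlock(dev)
    results.append(policy.attempt_login(dev, "correct horse", now))  # ok
    results.append(policy.attempt_login(dev, "correct horse", now + timedelta(days=31)))  # password_expired
    policy.remote_wipe(dev)                                          # device reported lost
    results.append(policy.attempt_login(dev, "correct horse", now))  # wiped
    return results


if __name__ == "__main__":
    print(demo())
```

Two design points matter for the lockout to be meaningful: the lock is not cleared by a later correct password (otherwise an attacker can keep guessing after each lockout expires), and the wipe is modelled as irreversible so that a device recovered after a wipe never silently returns to service with its old credentials.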
Conclusion
A 2005 Nokia study revealed that 21% of US employees carried PDAs and that another 63% used cell phones for business. These figures have continued to build year by year, to where the mobile device value proposition is firmly entrenched in enterprises.
This makes risk management and the danger of lost devices and data a greater concern than ever for IT. Technologies like bio-recognition, mobile encryptors and GPS tracking are all on the horizon and in some cases, in early trials. However, these technologies also have their drawbacks and are not yet perfected.
The best policy for mobile device and data loss prevention is to acknowledge that it will happen—and to have security policies and procedures in place to prevent and mitigate those losses. Much can be done on the IT and technical sides of the issue, but a major impact area is enacting strong employee policies and training for stakeholders throughout the company.
NaSPA member Mary E. Shacklett is President of Transworld Data. She is listed in Who’s Who Worldwide and in Who’s Who in the Computer Industry.