Securing your organization's portable assets
How often have you played the 'scruples' game among your friends? How much would they rob a bank for -- £5 million, £10 million, £25 million -- and so on? Change the stakes. You've just lost your job, you've remortgaged your house and you've got two children at private school. Now how much would you rob a bank for?
It's just a game. Most of us live on the right side of the law and work hard to make an honest living.
Most, but not all. In tightening economies, crime rates go up. With Internet technology available to most office workers, white-collar crime is taking on new meaning in the 21st century.
Worldwide criminal activity on the Internet is growing in frequency and complexity. Thieves are getting smarter at targeting the ever-increasing flow of money through cyberspace, making the pickings more tempting than ever.
The price of sensitive data and intellectual property also goes up in leaner times. A great database of sales leads, new product specifications or competitors' marketing plans to trade off is a tempting target. You stand a much better chance of winning a new business contract or landing a well-paid job if you can lay your hands on it.
Companies now want tighter security on their mobile devices, as more laptops and PDAs disappear. In a survey for the UK National High Tech Crime Office, 98% of companies interviewed had experienced a computer-enabled crime in the previous 12 months. Theft of laptop computers dominated, with 77% of organizations having suffered it.
It is not so much the cost of replacing the laptop or PDA that concerns these organizations as where the information has gone:
in Toronto recently, the theft of a computer hard drive resulted in 180,000 customers of a Canadian insurance company being warned about possible identity theft;
in Kentucky, a hard drive on sale at a second-hand office supplier still had confidential files on it, containing the names of thousands of AIDS patients and people with sexually transmitted diseases;
in Arizona, the names, addresses, social security numbers and, possibly, medical records of more than 500,000 US military personnel were stolen in a break-in.
These organizations should never have put their customers or employees at risk. Nevertheless, examples of organizations' laxity over security methods are frequent. We don't get to hear about them all, because of the financial damage that disclosure could do to these careless organizations.
Last spring, for instance, hackers broke into a bank's database and gained access to the accounts of wealthy customers. Millions of dollars went overseas. The bank managed to undo most of the transfers, but total losses, including a security clean-up, were more than $1 million. Customer confidence hit rock bottom, with many leaving to find more security-conscious banks.
Often, organizations that have added many new technologies to their computer systems now find themselves lacking the resources to secure those systems against break-in. You could argue that this is unavoidable in a weak economy, with budgets and personnel stretched to the limit.
That is not a valid justification for doing nothing. In Britain, it is contrary to Principle 7 of the Data Protection Act 1998. This obliges organizations to put reasonable and satisfactory security measures in place. A similar principle applies in the rest of the EU.
The good news is that it need not cost a fortune to secure an organization from insiders or outsiders wanting to get at valuable information. The most important starting point is a sensible and easily run security policy that includes all the company's mobile devices.
Here are a few simple ways of securing your handheld devices and keeping your organization secure from breaches.
1. Put a workable security policy into place. Then, tell the workforce about it. Employees need to understand the security implications of using mobile devices, and what happens if they ignore the policy.
2. Fit all mobile devices with access control systems and encryption devices. These should be fast and easy to use and proof against users' efforts to get around them.
3. Use dynamic passwords or certificates for secure remote access.
4. Conduct an audit of who is using a mobile device and whether the organization or the employee owns it.
5. Do not allow staff to use their own mobile devices to store customer and organization information unless those devices are secure.
6. Use a security product that is compatible with all mobile devices and software versions, and that can be managed centrally.
7. Avoid using products that leave the user to make security decisions. Users will ignore or find a way around the system.
8. Protect handheld computers with up-to-date software that can defend against known security loopholes.
By following these steps, an organization can secure and protect its data while in transit as though the devices were in use in the office. Mobile computing is about being free to work outside the office.