Convenience over Security: Creating Effective Mobile Security Policies
Miniaturizing Corporate Secrets
Recent research shows that nearly half of all organizations have no security policies or solutions in place regarding the use and protection of data outside the organization. Of the hundreds of privacy breaches reported by the Privacy Rights Clearinghouse since 2005, over 60 percent were endpoint mobility losses.
Mobile devices such as laptops, personal digital assistants, smart phones, and USB flash drives are rapidly increasing in capability while also declining in price. The proliferation of small and inexpensive mass storage devices and their potential for data loss has been under the radar of most organizations until now. The prevalence of these devices in the enterprise has led to significant support issues and security risks. While the cost of replacing the devices is relatively insignificant, more and more users store sensitive information on these devices, and therein lies a serious data leakage threat. Additionally, use of mobile devices can introduce viruses or worms such as the recently discovered W32/SillyFD-AA program, or "Silly worm," which automatically spreads itself via a USB storage device connected to an infected PC, and then passes itself along to subsequent machines into which the USB drive is inserted.
Whether accidental or through malice, more than 100 million personal data records have been compromised in the past two years, at an estimated cost of $16 billion in extra paperwork, lost productivity and lost customers. The loss of sensitive data can have a devastating impact on a company's bottom line and its reputation. Additionally, because of the individual responsibility associated with protecting data, IT professionals can also preserve their own careers by implementing and enforcing sound mobile security policies.
Mobile devices provide a positive productivity enhancement, but without proper management and security controls, they can also expose organizations to security breaches and compliance issues. Research indicates that fewer than 10 percent of companies have a formal mobile security policy in place.
This article examines policies and best practices that companies are employing to protect and control access to sensitive data found on mobile devices, including:
- Tracking and controlling mobile devices, including employee-owned units
- Supporting secure remote access via mobile devices
- Providing staff education and encouraging accountability
- Encrypting confidential information on portable devices
- Implementing sound mobile data security policies
- Implementing centralized management of portable devices
Vulnerable Conveniences: Mobile Devices in the Modern Enterprise
Many organizations are realizing the need to constrain or control the use of employee-owned mobile devices for work activity. While companies can benefit from the increased productivity and employee satisfaction these devices provide, they also bring with them some loss of control over corporate data flows. How can organizations reap the business benefit of mobility without the loss of control?
Due to the nature of these mobile devices, they are more prone to loss and theft and often operate outside the network perimeter, making them highly vulnerable to attack. In the last few years USB flash drives (UFDs) have evolved from a novelty to a key component of modern workflow. With file sizes ballooning and email limiting the size of attachments, flash drives are the best way to move a lot of data quickly. Unfortunately, they are also the best way to steal or lose a lot of information quickly. In light of regulation and compliance issues, organizations must actively manage the associated information risk.
Tens of millions of these large-capacity, highly portable and highly losable drives plug into companies every year. Yet few companies are doing anything to control or track them. According to a recent Ponemon Institute survey, 52% of companies acknowledge that confidential data resides on flash drives. At the same time, 53% of these companies would have no way of knowing if they lost these drives. Laptops, on the other hand, are typically tracked and managed, so their loss is noticed immediately.
The following questions will help you evaluate the USB storage security currently in place within your company:
- Does your company encrypt files on portable media such as USB flash drives?
- Does your company's security policy cover USB flash drives?
- Do your employees store confidential information on USB flash drives?
- Does IT control the USB ports on your company's workstations?
- Does IT control drive access outside the network or on untrusted PCs?
- Does your company allow workers to use mobile devices?
- Do you have a policy for reporting lost USB drives?
Maintaining Productivity and Security
Organizations must develop security policies appropriate for the type of device and the information it contains (i.e. public, confidential, restricted, controlled), and provide a program that will foster policy compliance without needlessly constraining personal productivity. Users favor convenience over security and usually follow the path of least resistance. If policies are too restrictive, people will find ways to circumvent them. At a minimum, policy should stipulate strong passwords for mobile devices. Two-factor authentication or third-party password management tools might be necessary as well. Regular backups, synchronization and desktop anti-virus software might also mitigate risk. Encryption should be mandatory for any device that carries mission-critical data. Once a policy is established, organizations may also implement technology solutions that help enforce it and mitigate risks.
Once a matrix of controls and information types is identified, organizations must then evaluate the vulnerabilities and the native security controls of mobile devices. It is important to establish policies that are enforceable, concise and easy to understand, and that balance productivity with data protection. The policy should state why it is needed, its scope, contacts and responsibilities, and how violations will be handled.
Career Preservation, Protecting Data
Communicating the content of the information security policies, explaining what vulnerabilities are being addressed within them and what employees can do to prevent a security breach from happening is the role of security awareness. Employees want to do the right thing, but often they do not know or understand what makes up "the right thing." In many cases, they may be doing "the wrong thing" for all of the right reasons. An awareness program should begin with an effort that can be deployed in various ways and is aimed at all levels of the organization, including senior and executive managers, to help all employees realize their personal responsibility to protect systems and data.
While your organization may have security policies, are they clearly communicated? Are they posted in a public area? Does the staff know where to locate written policies? Are the policies kept current? Do employees understand what is expected of them and why?
Often, employees see security policy as a barrier to productivity, unless they fully understand the risks and the importance of reducing these risks. Security awareness campaigns are key to getting employees to understand the reason for policy and to become active partners in security. Education programs should focus on the risk the policy is designed to mitigate and how to use appropriate controls. Training programs should also be augmented with regular communication of new threats, vulnerabilities, policies and individual accountability.
In 2005 the Federal Financial Institution Examination Council (FFIEC) issued guidance stating that organizations must address education and awareness as part of the overall risk management strategy, particularly for multi-factor authentication, and should address topics such as phishing, account hijacking, safe Internet use practices and spyware. People need to understand the risks and clearly realize that as individuals they are part of the solution, not just part of the problem. Another effective way to reinforce security awareness is to notify users immediately when they violate a policy.
Many businesses do not set strict enough guidelines for their employees. This oversight, coupled with a lack of enforcement, increases the risk of conscious or inadvertent breaches. Without sufficient induction processes, many companies are leaving their employees unfairly exposed. Loss of sensitive customer or employee data can mean loss of jobs for the individuals responsible.
Weighing Risks and Benefits of Using USB Ports
Companies must control USB ports to ensure that only authorized drives are used with corporate computers. Many port blocking vendors offer software that restricts USB use to specific models and several include the ability to limit access to fleets of drives.
However, the knee-jerk reactions of the past, such as gluing USB ports shut or otherwise disabling them, can impact productivity significantly and are no longer viable, because these ports are now the only connection for key peripheral devices including keyboards, mice and printers. Employees need access to these ports and to data to do their jobs, but IT implementers and corporate executives need to weigh the productivity benefits of allowing users to take data outside the organization against the security implications of private data lost via a rogue or misplaced device.
By employing a whitelist approach, organizations can enable only authorized devices to connect to a network, laptop or PC, thereby facilitating security and systems management, while providing the necessary flexibility to the organization.
Organizations must identify their own specific needs. Once they have identified what storage media users want to plug into their machines and why, IT administrators can use emerging tools and technologies for controlling ports and managing devices. These solutions help establish and enforce specific policies for remote access and use of data. For example, IT may disallow USB access for some groups of users while permitting it for others. Or it may allow access for all groups, but limit that access to specific working hours.
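The whitelist and group/time rules described above, as an added illustration that is not part of the original article or any vendor's product: a deny-by-default evaluator an endpoint agent could run when a removable drive is attached. Device IDs, serials, group names and hours are constructed placeholders.

```python
from typing import Tuple

# Constructed whitelist of approved corporate drives: (vendor_id, product_id, serial).
# Serial-level matching means a lost drive can be revoked without blocking the whole model.
APPROVED_DEVICES = {
    ("0951", "1666", "CORP-0001"),
    ("0951", "1666", "CORP-0002"),
}

# Constructed per-group rules: whether removable storage is allowed at all, and an optional
# working-hours window on the 24h clock (start inclusive, end exclusive). None = any time.
GROUP_RULES = {
    "finance":     {"allowed": True,  "hours": (8, 18)},
    "engineering": {"allowed": True,  "hours": None},
    "contractors": {"allowed": False, "hours": None},
}


def evaluate(device: Tuple[str, str, str], group: str, hour: int) -> Tuple[str, str]:
    """Decide whether `device` may mount for a user in `group` at local `hour`.

    Returns (decision, reason). Everything not explicitly permitted is denied:
    unknown groups, groups with storage switched off, unlisted drives and
    out-of-hours use all fail closed.
    """
    rule = GROUP_RULES.get(group)
    if rule is None or not rule["allowed"]:
        return "deny", "removable storage not permitted for group '%s'" % group
    if device not in APPROVED_DEVICES:
        vid, pid, serial = device
        return "deny", "device %s:%s serial %s is not on the whitelist" % (vid, pid, serial)
    if rule["hours"] is not None:
        start, end = rule["hours"]
        if not start <= hour < end:
            return "deny", "outside permitted hours %02d:00-%02d:00 for '%s'" % (start, end, group)
    return "allow", "whitelisted device, permitted group and time"


def audit_line(device: Tuple[str, str, str], user: str, group: str, hour: int) -> str:
    """Format the decision as one audit-log line for central reporting."""
    decision, reason = evaluate(device, group, hour)
    return "user=%s group=%s device=%s:%s serial=%s hour=%02d decision=%s reason=%s" % (
        user, group, device[0], device[1], device[2], hour, decision, reason)


if __name__ == "__main__":
    # Constructed sample events: an approved drive in hours, the same drive after hours,
    # a contractor with an approved drive, and an engineer with an unknown drive.
    print(audit_line(("0951", "1666", "CORP-0001"), "alice", "finance", 10))
    print(audit_line(("0951", "1666", "CORP-0001"), "alice", "finance", 20))
    print(audit_line(("0951", "1666", "CORP-0002"), "bob", "contractors", 10))
    print(audit_line(("0951", "1666", "UNKNOWN-9"), "carol", "engineering", 3))
```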
Several of the port control and endpoint security vendors have established relationships with storage providers that embed their agents into the device drivers of the storage device itself. In this way, enterprises can mandate and enforce the use of certain portable devices that contain only specified access control or encryption capabilities.
Before implementing a security solution to manage ports and control devices, IT managers should also sketch out how encryption fits into their plans, including how encryption should be implemented, who must encrypt data, from where can users access encrypted data, how much responsibility falls on the user to encrypt data and how the solutions under consideration will help accomplish these goals.
They should also consider whether hardware encryption is required, as this type of encryption typically requires the use of specific devices enabled with this functionality, and it tends to introduce additional performance and cost impacts.
Centralized Management: A Crucial Element
According to a recent Forrester Research survey, only 9 percent of companies have deployed mobile management tools, while another 20 percent are piloting or plan to deploy mobile management tools within the next 12 months.
The majority of companies have not taken steps to control USB ports, manage and track the use of mobile devices, or protect and encrypt the data on these devices. Many organizations are not even aware of the number of devices connecting to their networks, or from where. How can companies ensure that security policies will travel with workers wherever they go? How can they enforce privacy and security even on public PCs, where hackers wait at the ready to steal data or log keystrokes to glean private information?
Centralized management of these devices further enables organizations to enforce security policies remotely, including the ability to lock a mobile device after a number of incorrect attempts to guess a password, or destroy data when a device is reported lost or stolen.
Additionally, centralized-management solutions often include reporting and audit logs that are invaluable in measuring and enforcing policy compliance, and also track the information required to prove compliance with industry regulations and governmental legislation.
Policies Need Real Enforcement
Policies are great, but they must be enforced. Ultimately, it comes down to controlling risks. Mobile managers need to tell users why a policy is being implemented, what it means and how it will be enforced. Policies should be socialized within an organization before and after the policies are implemented. After creating, revising, and reviewing the mobile security policy, it is still important to keep it fresh. Mobile security policies evolve and adapt along with the company that creates and enforces them.
Data security executives agree that paper policies without enforcement are worthless. Centralized policy management enables organizations to create security policies once and deploy them consistently across the organization. New technologies are available that provide automatic enforcement of data security policies, including the ability to block, quarantine, protect, encrypt, and notify.
About to Get More Complicated
IDC predicts that the number of mobile workers globally will reach more than 878 million by 2009. As the need for remote access to enterprise information grows, and the threats against these networks increase, organizations must implement economical solutions to enforce mobile security and improve productivity from anywhere in the world.
Mobile security programs should include defined policies for remote access, including acceptable network connection methods and authentication policies: who is allowed what type of access, and to what specific data. One way to extend secure authentication beyond passwords is to implement some form of two-factor authentication, such as the one-time passwords generated by RSA SecurID tokens.
Mobile security should fit in with the rest of the administrative and management infrastructure. Security should not create new challenges to an already over-burdened enterprise. Thus, policies should be reviewed quarterly and updated to address changing threats and risk profiles.
The proliferation of USB drives is exposing companies to significant risk of confidential data breaches, which must be addressed. Companies should base decisions about mobile security on actual risks to the enterprise, rather than perceived needs. Clear deployment and usage policies, coupled with user training on security and an annual review of the company's mobile security policies, can help companies make intelligent investment decisions and limit risks.
How Is Your Company Protecting Itself?
Careers, corporate reputation, and your bottom line are at stake.
When implementing policies for mobile data security, it is important to evaluate your specific situation, and put in place the correct balance of flexibility and firmness for ongoing enforcement.
About the Author
John Jefferies is vice president of marketing at RedCannon Security, a trusted provider of centrally-managed, secure mobile-access solutions for the enterprise.