The Association of British Insurers estimates that computer theft costs UK firms something in the region of GB pound 1 billion per annum. It’s little short of a plague that continues to hamper a great many businesses, but how many of those firms truly appreciate the nasty repercussions from such thefts? First, there will be the obvious repairs to property and the necessary replacement of expensive laptops, but that’s just the tip of the iceberg. Not only will all the work done on each laptop be lost, more importantly confidential data stored on file can then be accessed by the thieves.
The ensuing disruption to the smooth running of a business by way of sabotage, exploitation or damage to professional integrity is difficult to quantify or insure against. Inevitably, it’s almost always more expensive than anticipated, as several high profile incidents have shown.
Clearly, blue chip companies can no longer afford to ignore the problem, especially in light of the fact that the use of handheld computers will grow by more than 50% in the next two to three years. Indeed, by 2003 the Gartner Group forecasts that more than one billion handheld computers and mobile telephones with wireless network connectivity will be in use.
If they want to be efficient in the modern age, a great many firms cannot avoid using laptops, notebook computers, handhelds or WAP ‘phones, but passing confidential client information or carrying out transactions of any kind over the Internet has considerable security implications and legal ramifications.
This factor must be considered by security and IT managers if their parent operations are to survive in what is now an IT-rich, highly competitive world.
Palm pilots currently have a memory capacity of 8 Mb (a figure that should grow to 128 Mb in the not-too-distant future) – sufficient to store 10,000 personal or company addresses, 400 e-mail messages and 3,000 documents with attachments. A handheld computer with this sort of power containing so much information is easy to use away from the office, and just as easy to lose or steal.
If they do become as popular as mobile ‘phones – and they surely will – then thefts could reach astronomical proportions.
Securing the mobile workforce
Companies spend billions of pounds every year on IT security systems for desktop computers, but very little is invested in securing the mobile workforce. Of course, most companies should have this area covered within their overall security policy, but in reality very few have the necessary solutions in place to ensure full protection against theft and subsequent security breaches.
Figures published only recently by the Department of Trade and Industry suggest that 60% of organisations in the UK have suffered an IT security breach in the last two years, while only one in seven organisations actually have a formal policy in place to combat the threat.
Sadly, even when laptops and the like do have a security device automatically installed, users will often try to circumvent this due to the time and ‘hassle’ factor associated with actually using them. Once turned off, these devices then immediately become easy pickings for anyone who wishes to access confidential information or penetrate the corporate firewall.
An eight-point plan for security
In light of all this, what steps can be taken to secure the mobile workforce? We’ve devised a simple, eight-point plan for security managers that should be implemented as soon as possible. Here’s what you should do:
- A workable security policy needs to be put into place, the most important factor of which centres on communicating that policy to all members of staff;
- An audit needs to be carried out to find out exactly who in the company is using a mobile device, and whether those devices are owned by the company or a given individual;
- Under no circumstances should staff be allowed to use their own mobile devices to store customer and company information, unless they have been installed with the company-wide security system;
- Fast and easy-to-use access control systems and encryption devices should be put in place on all mobile devices – systems and devices that cannot be circumvented by the end user;
- Use dynamic passwords or certificates for secure, remote access;
- Employ a security product that is compatible with all mobile devices and software, and which can be managed centrally by the IT/security teams;
- Avoid using any products that leave it up to the end user to make any security-related decisions – users will ignore them, or try and find a way around the system;
- Make sure that, if handhelds are used, they are protected by the most up-to-date software which is readily able to defend against known security loopholes.
Figures published by the IDC predict that the global handheld market will explode in the next three years – from 12.9 million units in 2000 to over 63 million by 2004. It follows that, as sales of handhelds increase, so do the number of connections to corporate networks posing a potential breach of security.
Security managers will ignore such trends at their peril.