Lightweight, portable computer equipment such as laptops, mobile phones, removable storage media and PDAs has transformed working life. Employees can work from home without missing out on daily developments; information can be retrieved wherever and whenever.
But these changes have also loosened the control IT managers can maintain over the infrastructure. Each mobile device that connects to the network represents a potential point of weakness through which information can be lost, or malicious software picked up outside might be introduced to corporate systems.
Remote access to the Internet and the intranet via wireless connections has been implemented by a great deal of companies in a short space of time, "but a lot of businesses using the technology are not prioritising security, they are prioritising high speed connectivity," says Tim Pickard, marketing director at encryption and authentication vendor RSA Security.
Inherent insecurities
Part of the problem is that factory settings in WiFi-enabled laptops are usually set to make connections easily, not for security. Ensuring that employee laptops, whether owned by the business or independently, are properly configured can reduce the risk involved with mobile working. Vendors such as Check Point and iPass also sell software to manage connection policies, quarantining laptops that try to connect to company networks without the right patches and security.
Preventative measures, however, are always preferable: "A lot of risk can be reduced by telling your employees not to access the network from just any WiFi hotspot – like in your local coffee shop, for example," says Pieter Kasselman, senior research engineers at security services provider CyberTrust. Public connections, if insufficiently secured themselves, can be a source of malware and also can expose the user to falsified hotspots, known as "evil twins", established to intercept users' credit card details or other data as it passes through the airwaves onto the Internet.
Even from outside the office, virtual private networks (VPNs) let mobile workers access applications and information situated in central servers over an impenetrable dedicated connection. UK-headquartered natural gas provider BG Group, whose 2004 turnover topped £4 billion, has 12,000 users across the globe who need to have access to email and enterprise resource planning applications wherever in the world they are.
With a VPN provided by iPass, which has a network of its own wireless connectivity points, and using RSA Security digital certificates to authenticate user-devices, BG Group can trust that the connection between remote employees and the server is a secure one. "Once the authentication has been approved, the VPN essentially opens up a tunnel directly to our servers," says Nigel Fletcher, IM mobile segment manager at BG Group.
Data dispersal
Laptops' broad capabilities make them as vulnerable to security threats as PCs, but as smaller devices such as mobile phones and PDAs become more sophisticated, so too do methods of exploiting them. Viruses aimed at mobile device operating systems Symbian and Microsoft CE are not expected to be a real threat until 2007, according to research group Gartner, but other risks include the hijacking of Bluetooth, a radio technology used for short-range wireless connections, to steal information stored on phones. Experts recommend simply disabling it.
The loss or theft of the devices themselves, and insufficient memory wiping after the disposal of outdated technologies, could result in a classified information leak. "It's very easy to lose a smart phone or a PDA, or a one gig memory card the size of a cigarette lighter. Encryption at the end device removes the risk of leaking information when that happens," says Alistair Broom, head of the security unit at IT services firm Affinity.
Encrypting data stored on devices to reduce the risk of information leakage is all but a legal requirement for companies with operations in California, where legislation requires customers are informed of any unauthorised access to their personal information. But even the simple measure of using passwords on mobile devices is often overlooked as a solution to such risks.
Piecemeal measures such as these, combined with user education, can become more than the sum of their parts. "There is a whole set of things you can do to make mobile communications more secure," says CyberTrust's Kasselman. "They are all cheap, and they can quickly get you up to 80 or 90% effectiveness."