Custody of our personal, private customer information is a concern: hardly a month passes without news of yet another corporate lapse in looking after it. The proliferation of highly portable data storage devices – laptops, USB sticks, PDAs, 3G handsets – has forever changed the boundaries of where we store our data. It has effectively eliminated any notion of a 'fixed perimeter fortification' as a tool for preventing data leaking out of your organisation.
Yet many firms still take a half-hearted approach to defending information assets – with results like the recent outcry over T-Mobile’s data breach, in which the personal details of thousands of mobile phone customers were stolen and sold on, in possibly the largest data breach of its kind in this country.
Poor information security should be the most pressing issue for today's Company Board after controlling cost and meeting service delivery expectations. Yet patently it isn’t.
Meanwhile our mobile and distributed ways of working are here to stay: laptops, PDAs and smartphones give us many operating efficiencies and offer substantial opportunities to improve personal communications and business flexibility. With that boon comes a problem – removable storage media now allow enormous quantities of data to be literally carried around and used on demand in any location.
But such devices are not just great ways to store vast amounts of corporate information, they are also vulnerable to loss, theft and damage, as well as offering open doors to various forms of electronic attack.
Ten years ago, mobile phone subscribers and operators only had to worry about two security threats: eavesdropping and fraud. Those problems have largely dissipated as the industry converted to digital radio technology, as we know. The 3G technologies being deployed today make hacking mobile phones over the air difficult and expensive. However, as mobile phones have become more capable, a constellation of new security threats has emerged. This, remember, is an ongoing ‘arms race’ – you defend, but the hackers like the challenge of breaking your new defence down.
A growing percentage of mobile phones can download user applications and content over the air. That means they can also download viruses and spyware. Today's smartphones are basically PCs, with operating systems, storage, applications, and wireless access to enterprise networks. IT teams are replacing some laptops with a smartphone equipped with wireless broadband, a desktop-class browser, the ability to read and even edit Office-suite files, and lots of storage for any kind of data.
Given the complexity of modern mobile operating environments, the same criminal approaches that we've seen used for many years on PCs can now plague handsets. The focus to date has mostly been on Windows, but as mobile device platforms become more common, this threat is clearly real. Data belonging to Sidekick smartphone users has been lost following a disruption at a T-Mobile cloud-based data services provider, for instance. And every new technology (Windows 7, the latest version of the iPhone) introduces new security risks, as hackers immediately start finding ways to burrow in and exploit its vulnerabilities.
This all means that getting the security element right the first time is more important than ever in this mobile environment.
Technology has a part to play here. But culture and people can’t be ignored either. You need to make your staff your best allies in the war against data loss. If your employees are not trained on how to follow and enforce your security policies, how will you stop that enemy walking in the front door to get access to all that data you are safeguarding on behalf of your customers?
How to ensure mobile data security
There are measures businesses can and should be taking to shore up their porous perimeter and avoid data simply walking out of the door. Steps in successful and sustainable information security programmes include encrypting all personal data on laptops and on all removable and portable media. Carrier networks encrypt the airlink in every case, but the rest of the value chain between client and enterprise server remains open unless explicitly managed. Always use a VPN connection when dealing with sensitive data, and make sensitive data available only to authorised users.
Other steps: order the physical destruction of redundant computer drives, magnetic media and paper records in line with a clear data retention timetable, and so on. (And the Gold Standard here in any case is the ISO27001 framework, which sets out how to manage data systems securely while BS10012 shows how to meet the requirements of the Data Protection Act.)
You also need to be very aware that most mobile users currently take a very relaxed approach and believe that mobile phones are immune to viruses. The sensible data hygiene approach is to apply to the mobile what you already do on the PC – don't visit arbitrary websites, don't download anything that isn't authorised by IT, and use mobile device management capabilities, from your carrier or implemented within the enterprise, to verify and control the configuration of your mobile devices.
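One practical way to operationalise the "verify and control the configuration" step, together with the encryption and authorised-user requirements set out above, is a policy check run over a device inventory export. The following is an added example, not the author's or IT Governance's code and not any MDM product's API: the device records, the policy thresholds and the approved application list are constructed for illustration, standing in for whatever your MDM actually reports. The design point it shows is that a device holding sensitive data on unencrypted storage, or one the MDM cannot see at all, is blocked from sensitive data rather than merely noted, while lesser gaps are reported for follow-up.

```python
"""Toy device-configuration compliance check (added example, not real MDM code).

Runs a policy over an inventory of mobile devices and decides, per device,
whether it may keep accessing sensitive data. All thresholds and records
below are constructed assumptions for illustration.
"""

from dataclasses import dataclass

# Policy thresholds: assumed values, adjust to your own standard.
POLICY = {
    "min_os_version": (4, 2),                                   # (major, minor)
    "approved_apps": {"mail", "vpn-client", "office-viewer"},   # IT-authorised only
    "max_days_since_checkin": 7,                                # stale devices are suspect
}


@dataclass
class Device:
    """One row of an MDM inventory export (fields are assumptions)."""
    device_id: str
    owner: str
    os_version: tuple            # (major, minor), compared lexicographically
    storage_encrypted: bool      # full-device / removable storage encryption on
    passcode_set: bool
    mdm_enrolled: bool           # unenrolled devices cannot be verified at all
    installed_apps: set
    days_since_checkin: int
    holds_sensitive_data: bool   # customer or personal data present on device


def evaluate(device: Device, policy: dict = POLICY) -> list:
    """Return a list of finding strings; an empty list means compliant."""
    findings = []
    if not device.mdm_enrolled:
        findings.append("not enrolled in MDM: configuration cannot be verified")
    if device.holds_sensitive_data and not device.storage_encrypted:
        findings.append("sensitive data on unencrypted storage")
    if not device.passcode_set:
        findings.append("no device passcode")
    if device.os_version < policy["min_os_version"]:
        findings.append("OS version %d.%d below minimum %d.%d"
                        % (device.os_version + policy["min_os_version"]))
    unapproved = device.installed_apps - policy["approved_apps"]
    if unapproved:
        findings.append("unapproved apps installed: " + ", ".join(sorted(unapproved)))
    if device.days_since_checkin > policy["max_days_since_checkin"]:
        findings.append("no MDM check-in for %d days" % device.days_since_checkin)
    return findings


def access_decision(findings: list) -> str:
    """Map findings to an access decision for sensitive data.

    'block' for conditions that defeat verification or encryption outright,
    'warn' for other gaps that need follow-up, 'allow' when clean.
    """
    critical_markers = ("unencrypted", "not enrolled")
    if any(marker in f for f in findings for marker in critical_markers):
        return "block"
    return "warn" if findings else "allow"


def report(inventory: list) -> dict:
    """Decision per device_id for a whole inventory."""
    return {d.device_id: access_decision(evaluate(d)) for d in inventory}


# Constructed sample inventory (not real devices or people).
SAMPLE_INVENTORY = [
    Device("hs-001", "a.smith", (4, 3), True, True, True,
           {"mail", "vpn-client"}, 1, True),
    Device("hs-002", "b.jones", (4, 3), False, True, True,
           {"mail"}, 2, True),                       # sensitive data, no encryption
    Device("hs-003", "c.patel", (3, 9), True, True, False,
           {"mail", "game-x"}, 20, False),           # never enrolled, stale, old OS
    Device("lt-004", "d.lee", (4, 2), True, False, True,
           {"office-viewer"}, 7, True),              # only the passcode is missing
]


if __name__ == "__main__":
    for device in SAMPLE_INVENTORY:
        findings = evaluate(device)
        print(device.device_id, access_decision(findings))
        for finding in findings:
            print("   -", finding)
```

The check is deliberately simple so that the decision logic is auditable: the blocking conditions are the two that make the rest of the policy meaningless (no encryption under sensitive data, no visibility from the MDM), and everything else produces a finding that the owner and IT can act on before the next check-in.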
No one wants the headlines saying you’ve revealed thousands of client records or watched someone waltz out of your doors with the whole customer database. I strongly believe that implementing a business-driven access control policy using industry best practice combined with the best software is the best way to make sure you avoid this kind of publicity, and thus avoid becoming next month’s T-Mobile for data leakage.
Alan Calder is an information security author and chief executive of IT Governance, the one-stop shop for information security books, tools, training and consultancy. IT Governance is the publisher of ‘Mobile Security’.