Mobile data protection is an important issue as many enterprise CIOs continue to address regulatory requirements and consequences from lost and stolen laptops and other mobile devices. CIOs need solutions to protect their mobile devices and data from internal and external threats.
In this podcast, Karen Guglielmo, executive editor for SearchCIO.com, interviews Kevin Beaver of Principle Logic LLC about the various options for mobile data protection, including data encryption, endpoint threat detection and protection and network access control.
BIOGRAPHY: Beaver is founder and principal information security consultant of Atlanta-based Principle Logic LLC. He is an information security consultant, speaker and expert witness with more than 20 years of experience in the industry. Beaver has written seven books on information security including Securing the Mobile Enterprise for Dummies and Laptop Encryption for Dummies. He is also the creator of the Security On Wheels audio programs and blog.
Hello, my name is Karen Guglielmo, executive editor for SearchCIO.com, and I'd like to welcome you to today's expert podcast on mobile data protection options.
I'd like to first welcome today's speaker, Kevin Beaver, with Principle Logic LLC, based in Atlanta. Kevin is an information security consultant, speaker and expert witness with more than 20 years of experience in the industry. He has written seven books on information security, including Securing the Mobile Enterprise for Dummies and Laptop Encryption for Dummies. And he's also the creator of the Security on Wheels audio programs and blog. Welcome, Kevin.
Beaver: Hey Karen, thanks for having me today.
Great, and as I mentioned earlier, we're here today to talk about mobile data protection options. I'm going to spend the next eight-plus minutes asking Kevin to answer a number of questions about today's topic. So let's get started:
My first question today is, what type of internal policies, or consequences, even, are
companies setting up for employees who lose or have their laptop or other mobile devices
Beaver: Well, this whole area of mobile devices and data protection is getting real interesting. We've been talking about this very thing for years and years, and the thing is finally getting some traction. In fact, the time that I spend forming internal security assessments for clients is actually shifting from the traditional network devices, like operating systems and databases, to this big, gaping hole that every organization seems to have with their laptops and their smartphones.
When it comes to mobile policies and sanctions, I can honestly say with conviction, there's a little bit of bark and hardly any bite. By that, I mean there are a lot of gaps in policies and procedures surrounding mobile security. This is across the board, too, at Fortune 500 companies, nonprofits, government agencies, SMBs, you name it. I've seen it everywhere. Many organizations do actually have mobile device policies that cover things like who owns the device, acceptable usage and who to contact for support. But it's very rare to see policies that cover security or actual theft or loss.
In fact, this is something that actually needs to be documented in an incident response plan that outlines the actual steps and procedures to be taken when an incident occurs. I'm not just talking about the technical side of things, but also on the breach notification stuff -- that is, working with legal counsel, customer service and whoever on procedures for notifying people when their information has been compromised or is suspected to have been compromised.
There are currently 46 states that have laws in place for this very thing, yet many organizations I see aren't being proactive and putting things in place before an incident occurs. And interestingly, many businesses don't even have an incident response plan at all. As far as sanctions and consequences go, I'm certainly not seeing or hearing about any organizations that hold their employees responsible for theft or loss beyond just having to replace the device out of their own pockets. So again, a little bit of talk, but nothing of substance.
So what type of security features do enterprises use to enforce mobile data protection
policies in the enterprise?
Beaver: Let me answer this with something I came across during a security assessment not long ago that pretty much sums up my experience with mobile security:
I was reviewing internal documentation in the new employee orientation materials. There was a quiz question that said something like, "What secures your laptop when you're away from it?" And the quote-unquote "correct" answer for them to choose was, "Control-Alt-Delete and selecting 'Lock workstation.'" This is the mind-set that a lot of people, even technical people, have regarding mobile security. It's really the assumption that Control-Alt-Delete and locking your screen is going to keep your laptop protected, and it's crazy.
So I believe that the general perception of risk is still not there. I hear everything from, "We require users to log into Windows, so our laptops are protected," to things like, "Well, we don't have anything sensitive on our smartphones, so we don't have any security controls on them." And this is amazing stuff to me, Karen. I've seen some enterprises use power-on passwords for their laptops, but those are easily defeated. I've seen other organizations encrypt everyone's documents and settings folder, but that still doesn't protect all the other sensitive information, like files and passwords that are outside of that encrypted area on the drive.
One of the things that I do when I'm performing these assessments is to look at the security of a sample laptop and see what I can get into, and it usually only takes a couple minutes to get into a laptop with full administrative privileges -- and you wouldn't believe what I find. This is the same stuff that anyone that comes in contact with a laptop can access, and it doesn't take any mad hacking skills to do it.
I assume that most companies are really most concerned with the loss of data from employee
laptops. But what about some of the other mobile devices, like BlackBerrys? Are theft and data loss
from those also on the rise?
Beaver: Well, another thing that I do in these assessments is look at random smartphones and BlackBerrys and whatnot, to see what I can find and get into. As with laptops, it usually takes just a minute or two to get in and browse around -- and sometimes even be able to sync up with the device and get unprotected emails, Word documents, spreadsheets, whatever.
It's funny to me -- as much as people, especially managers have their heads in the sand about laptop security, they really have them down deep when it comes to smartphones and BlackBerrys. In fact, I was told recently by a C-level manager in a prominent organization that no controls are being placed on these devices, because users just don't like them. No power-on passwords, no encryption, no antivirus, no remote delete, nothing. And, of course, it was also because they don't have anything of value on their smartphones. This is the reality of any given organization's mobile security that I look at, and it's not very good. I'm not complaining -- this is the kind of stuff that keeps me busy and keeps me employed. But it is a pretty big problem.
I would say regarding theft and loss being on the rise, I think they are. Most likely because more and more people are just using these devices. I remember seeing a study last year showing that over 12,000 handheld devices are forgotten in the back of taxis in London and New York City every six months. The one thing to keep in mind here is that people aren't always stealing and accessing these mobile devices just to recover the sensitive data off of them. Just because a mobile device is lost or stolen or whatever, it doesn't mean that you have a breach on your hands. But in reality, you'll never know if you don't have the right controls in place.
Are options for protecting data on laptops different than those for protecting data on some
of these other mobile devices, like smartphones?
Beaver: Yes, they are. There aren't as many choices for smartphones and BlackBerrys, and whatnot. But there are some specialized vendors out there that have some pretty good, centrally managed products to help with things like encryption, remote deletion, antivirus, backup and things like that.
The downside that I've seen, which I think is contributing to the hesitation we're seeing in the deployment of these types of controls, is that it's yet another piece of software that has to be managed on its own, so there's no one piece of software that you can go and buy and deploy to manage your laptops and your smartphones and your BlackBerrys and all that stuff. It's yet another hurdle, yet another system that has to be managed on a daily basis, so it's creating some hesitation.
And finally, in your opinion, what would you say are the best options for mobile data
protection today? Data encryption, endpoint threat detection, network
access control, or anything else?
Beaver: Well, every organization has different risks and different priorities when it comes to locking down their mobile systems. That said, there are some common weaknesses that affect pretty much everyone across the board -- the biggest of which is sensitive data exposure. And that's something that well-implemented and well-managed encryption controls can solve. There are also backup solutions, which are really important, since most laptops and many smartphones that I see are not being properly backed up. There's also remote tracking, remote delete, antivirus protection and so on.
Again, it just depends on what the organization's needs are, what the budget is, what the culture is, and generally what management believes is a priority. The thing is, with most current devices out there, there are actually built-in controls that are often overlooked -- things like power-on passwords for smartphones, and built-in encryption software on Windows laptops. Those are the bare minimum controls you need, and until you have them in place on every mobile device within reason, you're exposing your business to one of the greatest risks I've ever seen. More than unsecured Web applications, more than vulnerable databases sitting out on the Internet, more than unsecured wireless, and really even more than unpatched servers.
More podcasts | Subscribe | Contact us | Follow SearchCIO.com on Twitter
This was first published in September 2010