SECURITY ARCHITECTURE INSIDER

Mobile device security in six simple steps


Mike Chapple
01.23.2007

Two thousand six was the year of laptop theft. In February, a laptop containing tens of thousands of Social Security numbers belonging to its clients' employees was stolen from an Ernst & Young employee's car. In December, a Boeing Co. employee's laptop that contained the SSNs, dates of birth, salaries and other confidential information of more than 300,000 individuals was stolen. Those are only two of the dozens of high-profile incidents last year that compromised the personal information of millions of Americans.

Fortunately, there are a few simple measures that enterprises can take to protect data while it's "on the road," several of which are outlined below:

1. Start with policy. As with any security issue, the foundation of a good response is solid, clear policy that's effectively communicated to all stakeholders. Ensure employees understand what constitutes appropriate and inappropriate use of enterprise information assets and the consequences of failing to comply.

2. Know where the data lives. As the old saying goes, "knowing is half the battle." You can't protect assets that you aren't aware you own. If an organization has ever handled sensitive data, there's a good chance its employees have it stashed on laptops, desktops, CDs, floppy disks, USB memory devices and any other storage device imaginable. Make sure employees are aware that they're responsible not only for knowing what data they have, but also -- according to the enterprise data retention policy -- for purging data that is no longer needed.

3. Encrypt data on mobile devices. Most computers are stolen during a random theft. In the majority of these cases, the thief only sees a valuable electronic device without having any idea what data is stored on it. Using encryption technology can help ensure that the theft of a $2,000 laptop doesn't become a headline that costs your company millions. One option is to use a whole-disk encryption product to protect the contents of an entire hard drive with a boot password. Be warned, however, that this layer of control may fail if a device is stolen while suspended, rather than shut down, because the boot password was already entered and the drive is unlocked. Whether or not that limitation applies, it's always a good idea to supplement whole-disk encryption with application-layer encryption for highly sensitive documents.

4. Use standard security controls on mobile devices. It sounds simplistic, but mobile devices are often exempted from the security controls routinely applied to desktop computers for fear of interfering with the actions of traveling users. Consider that mobile devices are much more likely to be stolen or attached to a hostile wireless network than desktops that are stored securely in a corporate office behind several layers of perimeter protection. With that in mind, be sure to apply the same, if not stronger, controls to systems that go on the road. It's also wise to make sure these devices all have current software firewalls, patch management, antivirus and antispyware software.

5. Keep the administrator password out of users' hands. In most cases, there's no reason for a normal user to have an administrative account on his or her corporate computer. Providing this access is asking for problems, as it gives a traveling user the ability to circumvent your security controls, even if only accidentally.

6. Cover all mobile devices. Remember that laptops aren't the only devices that leave offices with confidential information. The BlackBerrys, Treos and other PDAs and smartphones used by executives and line employees are also juicy targets for an identity thief. Be sure to include them in the enterprise protection plan.
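
One way to carry out the inventory and purge check from step 2, added here as an example and not part of the original tip: it sweeps a directory for files holding Social Security number patterns and flags those older than the retention window. The function names, the `retention_days` parameter and the use of file modification time as the age of the data are assumptions of this example; it reads plain-text content only, and the sample file is constructed.

```python
import os
import re
import time

# SSN-shaped token (NNN-NN-NNNN) not embedded in a longer digit run.
SSN_RE = re.compile(rb"(?<!\d)(\d{3})-(\d{2})-(\d{4})(?!\d)")

def plausible_ssn(area, group, serial):
    """Drop values never assigned as SSNs: area 000/666/9xx, group 00, serial 0000."""
    if area in (b"000", b"666") or area.startswith(b"9"):
        return False
    return group != b"00" and serial != b"0000"

def count_ssns(data):
    """Count plausible SSN-shaped values in a bytes buffer."""
    return sum(1 for m in SSN_RE.finditer(data) if plausible_ssn(*m.groups()))

def scan_tree(root, retention_days, now=None):
    """Walk root and report files holding SSN-like data, past-retention files first.

    Only counts are recorded, never the matched values, so the report
    itself does not become another copy of the sensitive data.
    """
    now = time.time() if now is None else now
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                mtime = os.stat(path).st_mtime
                with open(path, "rb") as fh:
                    hits = sum(count_ssns(line) for line in fh)
            except OSError:
                continue  # unreadable file: skip it, do not abort the sweep
            if hits:
                age_days = int((now - mtime) // 86400)
                findings.append({"path": path, "hits": hits, "age_days": age_days,
                                 "past_retention": age_days > retention_days})
    return sorted(findings, key=lambda f: (not f["past_retention"], -f["hits"]))

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:  # constructed sample data
        sample = os.path.join(d, "payroll_2005.csv")
        with open(sample, "wb") as fh:
            fh.write(b"Doe,123-45-6789\nRoe,234-56-7890\n")
        os.utime(sample, (0, time.time() - 500 * 86400))  # pretend it is 500 days old
        for f in scan_tree(d, retention_days=365):
            print(f)
```

Files compressed, encrypted or stored in binary office formats will not match, so a clean result from this sweep does not prove a device holds no sensitive data.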

Although some organizations have taken draconian steps, it's usually not necessary to completely eliminate mobile computing to protect an organization. Implementing these controls will help build a solid foundation for secure enterprise mobile computing.

About the Author:
Mike Chapple, CISA, CISSP is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

All Rights Reserved, Copyright 2008, TechTarget