Two thousand six was the year of laptop theft. In February, a laptop containing tens of thousands of Social Security numbers belonging to employees of the firm's clients was stolen from an Ernst & Young employee's car. In December, a Boeing Co. employee's laptop containing the SSNs, dates of birth, salaries and other confidential information of more than 300,000 individuals was stolen. Those are only two of the dozens of high-profile incidents last year that compromised the personal information of millions of Americans.

Fortunately, there are a few simple measures that enterprises can take to protect data while it's "on the road," several of which are outlined below:

1. Start with policy. As with any security issue, the foundation of a good response is solid, clear policy that's effectively communicated to all stakeholders. Ensure employees understand what constitutes appropriate and inappropriate use of enterprise information assets and the consequences of failing to comply.

2. Know where the data lives. As the old saying goes, "knowing is half the battle." You can't protect assets that you aren't aware you own. If an organization has ever handled sensitive data, there's a good chance its employees have it stashed on laptops, desktops, CDs, floppy disks, USB memory devices and any other storage device imaginable. Make sure employees are aware that they're responsible not only for knowing what data they have, but also for purging data that is no longer needed, in accordance with the enterprise data retention policy.

3. Encrypt data on mobile devices. Most computers are stolen during a random theft. In the majority of these cases, the thief sees only a valuable electronic device and has no idea what data is stored on it. Using encryption technology can help ensure that the theft of a $2,000 laptop doesn't become a headline that costs your company millions. One option is to use a whole-disk encryption product to protect the contents of an entire hard drive with a boot password. Be warned, however, that this layer of control may fail if a device is stolen while suspended, rather than shut down. Because of this limitation, it's always a good idea to supplement whole-disk encryption with application-layer encryption for highly sensitive documents.

4. Use standard security controls on mobile devices. It sounds simplistic, but mobile devices are often exempted from the security controls routinely applied to desktop computers for fear of interfering with the actions of traveling users. Consider that mobile devices are much more likely to be stolen or attached to a hostile wireless network than desktops that are stored securely in a corporate office behind several layers of perimeter protection. With that in mind, be sure to apply the same, if not stronger, controls to systems that go on the road. It's also wise to make sure these devices all have current software firewalls, patch management, antivirus and antispyware software.

5. Keep the administrator password out of users' hands. In most cases, there's no reason for a normal user to have an administrative account on his or her corporate computer. Providing this access invites problems, as it lets a traveling user circumvent your security controls, even if only accidentally.

6. Cover all mobile devices. Remember that laptops aren't the only devices that leave offices with confidential information. The BlackBerrys, Treos and other PDAs and smartphones used by executives and line employees are also juicy targets for an identity thief. Be sure to include them in the enterprise protection plan.
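Measures 3 through 6 can be checked mechanically against a device inventory. The following is an added example, not part of the original article: the field names, sample records and age thresholds are assumptions, and any control the inventory does not report is treated as failing.

```python
from datetime import date

# Assumed thresholds (not from the article): tune to your own policy.
MAX_PATCH_AGE_DAYS = 30
MAX_AV_SIGNATURE_AGE_DAYS = 7

def audit_device(dev, today):
    """Return findings for one inventory record; an empty list means compliant.
    Missing fields count as failures, so an unreported control is never assumed present."""
    findings = []
    if dev.get("disk_encrypted") is not True:
        findings.append("no whole-disk encryption")              # measure 3
    elif dev.get("lid_close_action") not in ("hibernate", "shutdown"):
        # Measure 3 caveat: whole-disk encryption may fail if the device
        # is stolen while suspended rather than shut down.
        findings.append("encrypted but suspends instead of powering off")
    if dev.get("firewall_on") is not True:
        findings.append("software firewall off or unknown")      # measure 4
    for field, limit, label in (
        ("last_patch", MAX_PATCH_AGE_DAYS, "patches"),
        ("av_signatures", MAX_AV_SIGNATURE_AGE_DAYS, "antivirus signatures"),
    ):
        stamp = dev.get(field)
        if stamp is None or (today - stamp).days > limit:
            findings.append(f"{label} stale or unknown")          # measure 4
    if dev.get("user_is_admin") is not False:
        findings.append("user has or may have administrator rights")  # measure 5
    return findings

def audit_fleet(inventory, today):
    """Audit every device type, not only laptops (measure 6)."""
    results = ((d["name"], audit_device(d, today)) for d in inventory)
    return {name: found for name, found in results if found}

# Constructed sample inventory for illustration only.
TODAY = date(2008, 1, 15)
INVENTORY = [
    {"name": "lt-001", "kind": "laptop", "disk_encrypted": True, "lid_close_action": "hibernate",
     "firewall_on": True, "last_patch": date(2008, 1, 2), "av_signatures": date(2008, 1, 14),
     "user_is_admin": False},
    {"name": "lt-002", "kind": "laptop", "disk_encrypted": True, "lid_close_action": "suspend",
     "firewall_on": True, "last_patch": date(2007, 11, 1), "av_signatures": date(2008, 1, 14),
     "user_is_admin": True},
    {"name": "pda-07", "kind": "smartphone", "disk_encrypted": False},
]

if __name__ == "__main__":
    for name, found in audit_fleet(INVENTORY, TODAY).items():
        print(name, "->", "; ".join(found))
```
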

Although some organizations have taken draconian steps, it's usually not necessary to completely eliminate mobile computing to protect an organization. Implementing these controls will help build a solid foundation for secure enterprise mobile computing.

About the Author:
Mike Chapple, CISA, CISSP, is an IT Security Professional with the University of Notre Dame. He previously served as an information security researcher with the National Security Agency and the U.S. Air Force. Mike is a frequent contributor to SearchSecurity, a technical editor for Information Security magazine and the author of several information security titles, including the CISSP Prep Guide and Information Security Illuminated.

This was first published in January 2008
