About This Case

Closed

12 Sep 2008, 11:59PM PT

Bonus Detail

  • Qualifying Insights Split a $4,000 Bonus

Posted

12 Aug 2008, 4:57PM PT

Industries

  • Enterprise Software & Services
  • Hardware
  • IT / IT Security
  • Internet / Online Services / Consumer Software
  • Start-Ups / Small Businesses / Franchises
  • Telecom / Broadband / Wireless

Security Challenges When Employees Are Digital Nomads


We're looking to get insights into how individuals and the workplace are changing due to an increasingly "mobile" workforce -- thanks to things like widespread laptop and mobile device usage, as well as wireless connectivity. These days, "working" no longer means "being in the office."  People and employees have truly become "Digital Nomads." Over the next few weeks and months, we'll be hosting a series of cases exploring different aspects related to this new mobile workforce. Dell is sponsoring the conversations here, and the best results will be placed on a site sponsored by Dell: http://whitepaper.digitalnomads.com/. The content may later also be added to a whitepaper and a wiki on the subject. While Dell is sponsoring the conversation, the content is vendor neutral. Just provide your insights on the question at hand.

The fact that workers are so mobile these days increases the challenges from a security perspective.  No longer do IT folks have full control over what's being done on a computer and what network they attach to.  Suddenly there are entirely new challenges for keeping corporate information secure.  On top of that, there are additional challenges from the threat of lost or stolen computer devices and data snooping on open WiFi networks.  So how are IT professionals taking on this challenge?  What tricks have you learned to keep a diverse workforce secure?  And from an individual standpoint, how much do you rely on your IT staff or how much responsibility do you take in keeping yourself secure?

In general, as a guideline, answers should be around 500 words. That's not a definitive guideline, but that's about what we're expecting. You don't have to answer all of the questions here, but can pick just the one or two you feel you have the most insight on. Or, if you feel you can answer multiple ones in detail, feel free to write up separate insights.

Entries chosen to go on the site will get a share of the pot.  The pot will be split depending on how many insights are chosen.

11 Insights

As much as information security can be enhanced by procedures, hardware, and software, the final safeguard of security is the employees of a company. Each individual is responsible for taking a moment before doing something, or to analyze a situation, and asking themselves a few questions:

1. Is this action going to cause a security risk? (If the answer is NO, carefully reconsider. Every action has some kind of security risk. If management is saying that something has no security risks, then you are personally responsible for communicating what the real risks are.)

2. Since the answer is Yes, what are the security risks that this action might cause?

3. What is the severity of the risk compared with the ease of preventing or mitigating the risk?

Perhaps a given action (i.e. "an intern takes home the backup tapes") only has one risk ("the tapes get stolen") but the ease of mitigation is near zero (how do you un-steal the tapes?). This would be considered a risk too great to the security of an operation. If a given action has a variety of risks, i.e. web browsing, where the risks can be mitigated by whitelisting or blacklisting websites, etc., then this would be considered a risk worth taking in most cases. Regular virus and malware scanning plus a firewall are required software security tools these days. Beyond these, all workers must take responsibility for the actions they have the authority to execute. Companies should go out of their way to expose people to the types of security risks they face most often. Companies must make sure their workers know how to respond, and that their workers understand the severity of a breach.

For the mobile workforce there are three pillars of security:

· Physical security

· Browsing behavior

· Data security

Physical security

From the way the worker carries the laptop through to where and how they leave it, there are considerations to be made. Laptop bags are frequently targeted at airports and hotel lobbies. Don’t make yourself a target; use a less conspicuous bag. Get in the habit of locking your laptop to something solid. Even in the office, laptops are frequently lifted, so if possible lock it down with your docking station. On the road I always use a Kensington lock. Make security habitual, not just when you plan to be away from your machine. If you are on a park bench, lock your laptop to it!

Access to the machine itself: Many laptops are now fitted with biometric security devices, typically fingerprint readers. I’m not convinced of the accuracy, having used a fingerprint reader for office door access and become frustrated with making sure your finger is in the same spot every time. If you want people to use it, the solution must be easy.

By far the simplest layer is a BIOS password. At this level the solution is to delay and try to prevent opportunistic theft.

Also consider where you are using your laptop. How many times have you been working in an airport lounge or a hotel when you become aware of an interesting conversation by one of your competitors? How many times do you think that person has passed by your machine while you’ve been working? Privacy screens are a simple but effective way of limiting the view of the walk-by browser.

Browsing behavior

Once on the road WiFi defaults as the normal mode of access. Workers must be aware of the threats imposed by public WiFi. As a minimum the mobile workforce should be armed with VPN solutions. This could be a hard token or a software token and they should be educated on when to use it. This is not so straightforward when working in the client site as frequently the ports used by VPN tunnels are blocked.

The VPN solutions do tend to slow down traffic due to the encryption and tunneling bottlenecks. Using some form of protected browsing is a good substitute. Products like IronKey form part of that solution.

Workers should be selective about which WiFi nodes they connect to. At all times avoid ad-hoc networks, turn off Bluetooth, infrared and WiFi when not using them to prevent exposure. In general assume that anything transmitted on public WiFi is in the public domain.

This is where IT policy becomes useful in giving guidance on when to use VPN versus less secure access. The Australian Defence Force studied the typical traffic sent over email. Around 80% of it was “noise” where workers were using email as a form of informal communication to arrange meetings, coffee drinking and networking. They decided that a public solution would suffice as opposed to encrypting it all. In the end they opted for Google Enterprise solutions.

The message is clear: if it’s sensitive, or contains IP or financial information, use a VPN to secure it; other than that, use your brain.

Data security

The files on the machine form the real identity of the laptop, user and company. This is where the security effort needs to be. Most MS Office files can be password protected to stop casual browsing, not impossible to crack but a simple prevention measure.

Encrypted file systems are the next logical layer of security. However, you need to consider what happens if the key is separated from the files: how do you get the data back?

Physical separation of file from operating system by placing them on an external drive works as long as the worker carries the laptop and the drive in separate bags.

Virtual machine options like LogMeIn are one option that allows the worker to access files remotely over a secured connection. They might not be suitable for all users in all environments but can be used quite effectively.

The CIA Model for Digital Nomads

IT security experts apply a three-phase approach to security, considering confidentiality, integrity, and availability of systems. This so-called CIA model is equally applicable to digital nomads, and helps define the various areas they need to protect.

Confidentiality

It is critically important for most businesses to keep their data from prying eyes, both for internal business and competitive reasons and to avoid legal or regulatory trouble. This is doubly true for digital nomads, since they tend to take sensitive data with them and transmit it through a variety of means.

Laptop users should use encryption to protect the confidentiality of their data, since laptop theft is common. There are many options for encryption of data on disk, but most fall into two categories: File-level or full-disk.

Most operating systems, including most recent versions of Windows, include options for file-level encryption, and these have proven fairly solid over the years. Once they are set up, these are extremely easy to use: A user simply right-clicks on a file and selects "encrypt". There are a number of third-party encryption options as well, and these vary widely in both ease of use and security. Note that these do not necessarily hide the existence of data, however, so a lost laptop would still reveal the name and type of files contained on it.

Full-disk encryption is not as widely deployed, but can be far more effective. Rather than requiring the user to select which files to encrypt, products like PGP Desktop and Windows Vista's built-in BitLocker software lock an entire drive or partition, requiring a password on bootup. Note that BitLocker requires special hardware to work effectively, making it unsuitable for some laptops. Some disk drives also feature built-in encryption hardware, but these are much more rare.

Regardless of the encryption method used, however, key management is critical. No one wants to be locked out of their own data if they forget a password or experience a software or hardware failure, so make sure some alternative mechanism is in place to recover the data. And if a thief were to guess the user's password or gain access to a running system, the data could still be compromised.

Remember the data on removable drives as well, since these can be even easier to steal or misplace. Portable hard drives used for backup or USB flash drives used to transport data must also be encrypted to avoid data loss.

Finally, road warriors must be careful about which networks they use to transmit data. Open Wi-Fi access points might seem to be a handy bargain, but they have also been used to gain access to sensitive data. Hotel and corporate guest networks can also be used in this manner. It is better to rely on 3G modems which are harder to snoop. One should also always use VPN software or secure web sites when dealing with sensitive data.

Integrity

Keeping people out is sometimes less important than ensuring that one is working with valid data to begin with. Most people are aware of so-called phishing attacks, where an email entices a user to hand over their credentials, but there are many other potential attacks on the integrity of data. The same vectors used to give unauthorized access can be used to substitute untrustworthy data, and this can be just as damaging.

Many of the same technologies that protect confidential data can help with integrity. Encryption systems will ensure that data read from disk matches what was written, something that most filesystems surprisingly do not do. But no amount of encryption can protect from a user's inadvertent writing of untrusted data.

The first line of defense, especially for mobile workers, is training. Once again, open Wi-Fi hotspots and other untrustworthy networks should be avoided, and virus scanning and firewall software is a must. The Firefox web browser recently introduced a friendly mechanism to verify many popular web sites, but this is not widely deployed for corporate systems. Mobile users should also avoid relying too much on emailed content, since it can be compromised in transit, and should instead use more secure repositories and applications.

Availability

The final element in the CIA model, availability, is often overlooked. Constant travel can cause one to adapt to losses of connectivity by carrying more and more data along, but this opens the door to breaches of confidentiality and integrity of data. Conversely, an extremely secure system could be entirely inaccessible to a traveler, especially for those who spend a great deal of time in the air.

Road warriors need to strike a balance, carrying enough data to get their work done but protecting the interests of the company (and themselves) by protecting it. Remote network-based backup can be a useful way of protecting laptop data, but these services can demand greater network resources than are available on the road, and restoring a great deal of data can be prohibitively time consuming. Road warriors will augment these with mobile backups (to encrypted disk) in case a laptop is lost or damaged, since these allow for much quicker recovery.

The availability of 3G data is a tremendous help to the road warrior as well, since they can be confident that their data will be accessible from wherever they are (on the ground). And nothing can substitute for a solid smartphone, giving quick access to critical email, calendar appointments, contacts, and light web browsing.

By paying attention to all three axes of the CIA model, road warriors can enhance their ability to get the job done.

Stephen Foskett is a professional information technology consultant, providing vendor-independent strategic advice to assist Fortune 500 companies in aligning their storage and computing infrastructures with their business objectives. He has been recognized as a thought leader in the industry, authoring numerous articles for industry publications, and is a popular presenter at seminars and events. In 2008, he was awarded Microsoft's Most Valuable Professional (MVP) status in the area of File System Storage. He holds a bachelor of science in Society/Technology Studies, from Worcester Polytechnic Institute.

Stephen Foskett
Wed Aug 27 6:05am
Reading this now, I really don't like the term, "road warrior", and prefer "digital nomad". If this gets posted, can you please change this terminology?

Physical Security for the Road Warrior

In this digital age, it is easy to overlook the critical element of physical security. Put simply, it is often far more efficient to steal or gain access to a physical object like a laptop or flash drive than to break into a computer system. And despite the sanitary and controlled environments many mobile employees often travel in, risks to personal safety are real. Therefore, it is sensible to consider the physical security needs of the road warrior.

Protecting Your Data

Road warriors love gadgets, but so do thieves. According to a 2008 Ponemon Institute study for Dell, over 12,000 laptop computers are lost in US airports each week, and 70% of these are never reclaimed. Other studies have shown similar losses at public places like restaurants, hotels, and parking lots. Thumb drives, portable hard drives, and smart phones share the top of the most-stolen list with laptop computers.

Because these are often crimes of opportunity, the simplest protective measure is to keep these devices under one's personal control at all times. Never ask a stranger to watch your bag, and do not leave computers or peripherals unattended in conference rooms or hotels. Special care is needed when passing through airport security: Never put your laptop or other valuable items through the scanner first, since you may be delayed while passing through the metal detector. Instead, place them in the middle or rear of your items so they will remain inside the x-ray machine longer.

Most hotel rooms have safes available, and these should be used whenever you must leave your laptop or other valuables behind. Although they are not foolproof, they are much more secure than car trunks, cable locks, or bell desks. If a safe is not available or is too small, use a Kensington lock to secure your laptop computer to a bulky and sturdy object like a desk. These will not stop a determined thief, but should be enough to discourage a snatcher.

Protecting Yourself

Many of us wrongly assume we are safe in the familiar surroundings of offices, hotels, airports, and restaurants. The rolling suitcase, airline ticket, and laptop bag mark us as targets even in these environments, and serve as enticing evidence of loot to be had.

One of the best ways of protecting one's safety when traveling is always to be aware and prepared. Get directions ahead of time instead of asking or driving around. Consider whether your surroundings put you at risk: Select hotels in safer neighborhoods or where access is more controlled. Avoid public transportation when toting cumbersome bags, even if you would happily take it alone. Spending a bit more money is preferable to losing your valuables or coming to harm.

When you are away from the office or hotel, dress like a local and watch out for too-friendly strangers. Most people are helpful to others, but avoid those who ask prying questions or offer extravagant services. Con-men often prey on travelers, waiting near hotels, airports, and offices. For example, never take an unlicensed limousine or taxi since these nearly always end up being more costly or risky than desired.

Business travel can be enjoyable, but one must always be careful to avoid becoming a victim!


Stephen Foskett
Wed Aug 27 6:05am
Same deal here - please substitute "digital nomad" for "road warrior".

In the U.S. market, many traditional company CIOs and IT managers still apply a draconian approach to managing the perceived threat of mobile data solutions -- they outlaw any and all wireless enabled mobility applications for employees.

However, there's one low-threat application that even the most conservative company can apply today, but unfortunately it's somewhat of a mystery to many people.

Put simply, most mainstream U.S. subscribers (consumer and business) are still uninformed about the value in learning to fully use the basic features on their existing mobile phones and associated wireless services. Yes, they need help.

But don’t assume that what’s good for a consumer’s needs is good enough for business user’s needs. Let me clarify this point. We know from empirical research that mobile-originated SMS message composition may be tolerable to teenage girls, but it’s not viable to most mainstream business subscribers (because they resist composing messages on their phone’s tiny keypad).

In contrast, mobile-terminated SMS messages that are composed and sent by a PC user, or automatically generated by a software application, are more likely to be embraced. Therefore, wireless network operators need to acknowledge the differences in user value orientations, and thereby market and promote SMS usage accordingly. Particularly, to potential business users who are uninformed.

Here’s a case in point: We still find most people don't know that every U.S. wireless subscriber has a unique e-mail address that corresponds to their mobile phone number. Therefore, they're unaware of basic SMS business applications such as the potential for creating individual short e-mail notes sent to employees', customers' and business partners' mobile phones (directly from MS Outlook, as an example).

As a result, most businesses aren’t thinking about the incremental potential to utilize a productivity tool already at their disposal -- wireless e-mail distribution lists.

What’s inhibiting simple one-to-many SMS distribution list applications? Wireless network operators don’t provide any information on the e-mail addressing format of their competitors’ SMS gateways (and because there’s no standard, they’re all different). In fact, it’s odd that even the CTIA doesn’t provide this pivotal information.

Therefore, the burden is currently on the wireless subscriber to know his or her addressing format, or the sender must quiz the message recipient about their mobile service provider and then make a determination of the appropriate addressing format (again, assuming that they know that particular carrier’s format).

Why all the fuss about basic text messaging? Just as the desktop personal computer and an e-mail account are ubiquitous tools in every office environment today, mobile phones enabled with SMS are the de facto common denominator for mobile text communications.

Why is this profound? After approximately two decades of commercial applications development on the Internet, e-mail is still by far one of the most valued applications. Moreover, SMS-enabled mobile phones have already reached saturation in the U.S. market, whereas most other technologies are still in the early-adopter (wireless gadget geeks, etc.) stage of market development.

So, armed with this information, what are some compelling business applications for SMS? Well, consider these three simple SMS scenarios for time-sensitive information alerts. You’ll see, with a little imagination, you too can create your own benefit-oriented commercial text messaging applications:

Executive Office Administrator sends a broadcast message to 10 traveling board members: “Today’s 10:00am board meeting has moved to 12:00 noon due to an unanticipated event.”

Medical Facility Management sends a broadcast message to eight remote surgery team members: “Due to a schedule conflict, Mr. Jones' surgery has moved from OR#2 to OR#4. Reply to confirm message receipt.”

International Airline Customer Service sends a broadcast message to 15 stranded Business Class passengers: “Flight #227 to Toronto has been delayed; please accept a complimentary admission to the Exec Club in Term #3 (your access code=3127).”

I am a digital nomad. I've telecommuted from home and worked from various coffee shops between appointments for about 4 years. I'm a sales executive, not an IT person or a developer. Those folks should know how to maintain a secure computer. Corporate IT simply cannot control all those laptops being used by remote employees. They have no control over how they are used, where they are used, or what software gets installed. If you are a digital nomad it is (or should be) incumbent on you to take control of your machine and learn enough to not be a menace to the corporate IT support staff. If I were in corporate IT I might consider making it a quasi requirement that remote users get educated enough to be at least partly self-sufficient. If you need to call the help desk for help rebooting your wireless router you are not going to be a productive remote employee.

Corporate can support that by providing training that enables remote users to make smart decisions, and by making smart decisions themselves about what goes on the remote laptops. However, that probably doesn't happen often. That said, safe computing is not rocket science. As a digital nomad I've found that just a few simple things can dramatically improve the security and stability of a remote corporate laptop, making life easier for both end users and IT support staff.

  1. Use up-to-date anti-virus software. You would think this would be obvious, but I've seen a frightening number of corporate owned laptops with expired AV applications. Operating a company owned computer running a MS operating system without antivirus should be a punishable offense. Laptop security is just as important as company car security, and leaving the keys in the car while you run into the donut shop is a definite no-no.

  2. Use Firefox as the primary browser. It's free, and it can auto update just like IE. However, it is inherently more secure because it is not tightly tied into the MS application stack. The improved standards compliance from Firefox may also lead to fewer support calls complaining that some web site doesn't work for the user.

  3. Use anything other than Outlook for email. I don't allow Outlook on the computers I own, and I don't use Outlook on my work laptop. I use Outlook Web Access when I need to do something with my Outlook calendar. I use Thunderbird for email. You can either connect to the Exchange server via IMAP or POP, or you can go even further. I use Gmail to pull all my corporate email into a dedicated work Gmail account, then use IMAP from Thunderbird with the Gmail account. This gives me far better virus and spam filtering than the rest of the company gets from the Exchange tools. It also gives me access to all my mail from any Internet connected computer. Of course, this all depends on corporate IT allowing POP or IMAP access to the server.

  4. Don't open any attachment you are not sure about. Again, that should be common sense by now, but it's not.

That's it. Follow those 4 steps with your corporate laptop and you'll be more secure than many of the office dwellers in your company.

Stephen Foskett
Fri Sep 12 8:20am
Regarding point 3 - this sounds like bad advice from a security perspective, and a nightmare for the company you work for. I work in litigation readiness, and I routinely advise my clients to disallow, both by policy and technology, employees sending corporate assets to off-site and non-controlled systems like gmail. You're opening yourself to a world of potential security hacks, eavesdropping attacks, and client bugs by moving your mail outside the corporation. OWA isn't the best thing ever, and Outlook has always been pretty clunky, but both are functional and much more secure than using an outside provider. If your company allows IMAP or POP, you can use Thunderbird or whatever as your client without having to send mail to gmail!

Chris ODonnell
Sat Sep 13 7:27am
If somebody wanted to go after my company's email assets, are they going to target Gmail or the company Exchange server? Given what I've seen in a bunch of companies over the years, my email is probably more secure than most corporate email accounts. My Gmail account is just one email account out of tens of millions. Would it be easier for a hacker to gain access to one corporate email server, or 25 individual Gmail accounts?

I have no doubt that you are correct from a legal / litigation defense standpoint, and at a lot of larger companies I'm sure what I do would be forbidden. Luckily, I don't work for one of those companies. However, I'd be real interested in seeing data that compared locked down companies to more open companies. I suspect that if there is any correlation at all, it would be that the more locked down companies have more security incidents.

Organizing a mobile workforce requires a certain amount of trust and faith that those workers will do the right thing. Security is a particularly tricky issue in this space because it can hamper productivity and frustrate employees. At the same time, some level of protection is prudent and should scale depending on how exclusive the work is. In other words, if a worker is focused on producing the latest tweak on an instructional brochure, biometric scanners with dynamically generated passwords broadcast to a mobile receiver are generally overkill. That is, unless those instructions are describing how to assemble bleeding edge explosives or specific mechanics behind a unique business model.

Before looking at any technology a frank business discussion is necessary to determine which mobile workers, if any, will engage with a part of the business that is mission critical and must be protected. This includes decisions on whether or not the business will pay for tools like laptops, mobile phones, software and vehicles.

On one end of the spectrum, the employee receives an agreed upon wage and provides all of their own equipment. This is usually a compatible model because it communicates to the employee that they are responsible completely for all of their own decisions. That means handling security threats like viruses and phishing attacks, as well as protecting higher cost items like laptops from theft.

Mobile employees who are closer to the business though may require some additional security. Once again, the key is to make security as smooth as possible so that it protects assets while at the same time feeling transparent to the employee.

I've worked in both environments, one where the employer insisted that Novell Netware be installed on my laptop with various security restrictions on what I could install, how long I could use the same password to log in and which types of applications I could install. They also paid for my laptop, software and mobile phone but I found that the restrictions on what software I could install were constantly hampering my ability to perform. There are so many open source applications available that this sort of barrier felt like a handicap. Additionally, support for the equipment was minimal. Calling support on occasion for assistance with updating an existing software package or for assistance to change a setting blocked by Novell Netware always resulted in long hold times and disgruntled helpdesk staff. Everyone seemed aggravated by the underlying business decisions.

But, some businesses take a more laissez faire approach. For example I've worked for a company that tasked me with accomplishing a certain number of articles per month and however I accomplished that goal was up to me, my pay stayed the same. This enabled me to use whatever applications and resources that I wanted to online and encouraged a sense of independence and trust. You can guess which employer I worked for longer.

Mobile workers are typically accustomed to, and often insist on, accomplishing goals on their own terms. Companies that seek to overburden them with security restrictions will see short-term and long-term consequences for getting in the way. It's also difficult to protect against every type of threat; just look at Windows XP and Vista for an example of how a heavy investment in security still results in regular breaches.

The business first has to decide which employees are working with mission critical material, then implement appropriate security that's effective but seamless as possible.

As wireless connectivity becomes an essential standard for the mobile workforce many experts believe that significant security problems are in store for many businesses.   As smartphones become the most used standard device for virtually every digital nomad working remotely (and often also used working from home and offices), the smartphone has become a potential point of vulnerability in terms company and individual security.

The huge increase in use is combining with open software platforms to create something of a "perfect storm" for smartphone security challenges.    Apple has opened their iPhone platform to developers while Symbian, a key operating system for many phones such as the Treo, has announced they are moving towards open source as well.   Perhaps most significantly Google's Android smartphone operating system is open source and appears destined to become a huge player in this market - in fact my prediction is that Android will be the most used phone operating system within two years.

Although open source solutions do not necessarily bring more trouble, they do mean devices no longer enjoy the protection of proprietary code. Some would argue this effectively "lowers the bar" for what it takes to become a smartphone hacker, since many details of the OS are both available and under continuous online discussion.

CTIA-The Wireless Association, a nonprofit based in Washington D.C., is the key international group representing all sectors of wireless communications from smartphones to mobile radio. This week at CTIA's "I.T. and Entertainment" conference a panel of experts discussed how to secure mobile data.

Mark Kominsky of Bluefire Security noted that bandwidth improvements, easy developer access to the OS, and the ability to actually load programs to the device are the factors that led to an explosion of viruses in the PC environment.

Khoi Nguyen of Symantec noted that Symbian is already struggling with viruses designed to exploit vulnerabilities in Symbian OS versions 7 and 8, which is why Symbian 9 is less open than earlier versions.

Panelists discussed problems with malicious programs that can activate phone cameras or audio and then collect sensitive data or create charges for the user they don't want, but the panel appeared to agree that data theft and data loss are the key threats to an enterprise that depends on workers with mobile phones.

Although one should note that these speakers are in the business of providing security and therefore have a vested interest in people following this advice, the solutions recommended by the panel included the following:

* Protect employee mobile phones with the same security policies and procedures applied to other devices and data.

* Use security software on the phones.

* Update the mobile security applications regularly. 

* Inventory mobile devices.

* Disable non-business features on the devices.

* Use password protection on data.

* Encrypt your data.

* Have a remote data wipe capability for devices.

At the same conference, Sybase 365's Bill Dudley noted in an interview that mobile widgets may present new security challenges for the smartphone. Since the use of widgets, Google gadgets, etc. is exploding online and on mobile devices, the fact that these may contain malicious code presents a new set of problems. Dudley suggested that one aspect of the solution can be for companies to run some of the applications through content aggregators, who in turn can make sure the applications are clean and the environments are secure.

The "Securing Wireless Data" video interview with Bill Dudley is available here:
http://daily.ctia.org/wirelessit08/

PC World reports on the CTIA Security Panel

Unseen Attackers

Reason for concern

There are many security concerns for the mobile professional. Every mobile worker should be briefed on the basics of security. These concerns should be akin to keeping a wallet or purse secure; it becomes second nature for most people. Would anyone take their private files out of their file cabinets and post them on a billboard or hand them out to others? Probably not, but many of us are doing that every day with our electronic files. The issue of mobile security can be broken down into three categories: physical security, data encryption, and wireless security.

Physical security

One of the most obvious aspects of protecting electronic data and devices while traveling is their physical security. The best way is also the most simple: keep an eye on those electronic devices at all times. Some suggestions that may not be as obvious include bringing a locking cable while traveling. The laptop should be locked down while at remote locations or anywhere it may be left out of sight. The cables are not theft-proof, but are usually effective deterrents.

Encryption

Another important security measure that mobile workers should take is to encrypt their portable electronic devices. Laptop hard drives should be encrypted with either Vista BitLocker or a third-party program such as Pointsec. Users must know that encryption is easily defeated if the machine is logged in or left in a "sleep mode". Encryption is only truly effective when the laptop is shut down and turned off. Also, it's nearly useless if there is no password at boot-up.

Wireless security

Though the only sure way for a laptop to be secure is when it is off, there are several tips for the mobile worker to stay safe when networking. In addition to using anti-virus software and firewall software, it is really not a good idea to connect to any wireless network or hotspot. If it is absolutely necessary to connect to a WiFi network that is not yours, at least do not connect to any ad hoc network. This could easily be a stranger's computer, and usually is. The best way to be safe is to use a more private connection, the type you would get when using a wireless broadband card.

There are many aspects to staying secure, but these basics will set the framework and provide a good starting place.
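The encryption section above states three conditions for laptop encryption to actually hold up: the disk is encrypted, a password is required at boot, and the machine is shut down rather than asleep. The following PowerShell audit, added here as an example and not part of the original post, checks a Windows laptop against those three conditions; it assumes Windows 8 or later with the BitLocker module (Get-BitLockerVolume) and powercfg, run from an elevated prompt.

```powershell
# Added example (not from the original post). Audits the OS volume against the
# post's three encryption conditions and returns the list of findings (empty = pass).
# Assumes the BitLocker PowerShell module and powercfg.exe are available.
function Test-LaptopEncryptionPosture {
    [CmdletBinding()]
    param([string]$Drive = $env:SystemDrive)

    $findings = @()
    $vol = Get-BitLockerVolume -MountPoint $Drive -ErrorAction Stop

    # Condition 1: the disk is actually encrypted and protection is switched on.
    if ($vol.VolumeStatus -ne 'FullyEncrypted' -or $vol.ProtectionStatus -ne 'On') {
        $findings += "BitLocker on $Drive is $($vol.VolumeStatus), protection $($vol.ProtectionStatus)."
    }

    # Condition 2: "nearly useless if there is no password at boot-up". A TPM-only
    # protector unlocks the volume silently, so require a PIN- or password-based one.
    $preBootTypes = @('TpmPin', 'TpmPinStartupKey', 'Password')
    $types = @($vol.KeyProtector | ForEach-Object { $_.KeyProtectorType.ToString() })
    $hasPreBoot = $types | Where-Object { $preBootTypes -contains $_ }
    if (-not $hasPreBoot) {
        $findings += "No pre-boot PIN/password protector on $Drive (protectors: $($types -join ', '))."
    }

    # Condition 3: "only truly effective when the laptop is shut down". While asleep
    # the volume key stays in RAM, so flag a machine that can still enter standby.
    # powercfg /a lists the available sleep states before the "not available" section.
    $report = (powercfg /a | Out-String)
    $available = ($report -split 'not available')[0]
    if ($available -match 'Standby \(S') {
        $findings += 'Standby (sleep) is available; prefer hibernate or full shutdown when the laptop leaves your sight.'
    }

    return $findings
}

# Usage: print findings, or confirm the laptop meets all three conditions.
$result = Test-LaptopEncryptionPosture
if ($result.Count -eq 0) { 'Encryption posture OK.' } else { $result }
```

Run it as part of a laptop build checklist; a non-empty result means one of the post's conditions is not met and the disk encryption would not protect the data in the scenario the post describes.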

Joseph Hunkins
Fri Sep 12 11:22pm
encryption is easily defeated if the machine is logged in or left in a "sleep mode"

Yes, especially if, say, the laptop is then stolen. I wonder to what extent the total number of problems boils down to this type of challenge rather than technical issues...
Stephen Foskett
Sun Sep 14 8:49pm
Note that encryption like RSA and BitLocker absolutely does apply to hibernated Windows sessions, including those that have been put to sleep long enough for Windows to hibernate on its own. So although they wouldn't protect a machine just recently put to sleep, they would protect many machines that have been sleeping for a day or so...

Digital Nomads Gone Bad: Good security technology does not necessarily mean good security.

Security discussions usually focus primarily on how to make sure devices are secured with software and how data or access is encrypted (e.g. wireless network security like WEP, WPA, LEAP, etc.). Yet despite these legitimate technology considerations, in many cases the security problems come from behavioral issues with employees.

These behavioral security challenges can take the form of simple accidents like lost laptops and phones, but can also come from employees failing to follow company protocols, either out of ignorance or indifference. Simply sending an email or text message with sensitive data, or accidentally forwarding it to the wrong person, can have significant security implications, yet these behavioral challenges cannot be prevented with any software. More ominously, an unhappy or malicious employee may choose to intentionally work to distribute confidential information or steal valuable data.

Palisade Systems conducted a study of security suggesting that:

... employers are realizing that the biggest security threat they face to the sensitive data they are storing and/or sending is now coming from employees who can't get caught by the millions of dollars of security technology designed to prevent the bad guys from getting in.

Similarly a very recent study released July 31 by ID Analytics suggested that internal security measures are critical:

"In today's data rich environment, organizations continue to struggle with the human element at the heart of data security," "Companies should be on the alert for what may be the biggest security threat to their customers - employees with access to sensitive customer data. Given the balance between the need to grant employees access to information to complete their job functions and the need to protect sensitive customer data, we encourage companies to implement strategies that increase visibility and reduce the risk of data loss."

In cases where you are protecting your data from rogue employees, both software and physical security procedures may be needed, such as keeping extremely sensitive data on devices where access is restricted, making sure access to any sensitive data is tracked carefully and parties with access are held accountable for breaches or access violations, and more. Mobile environments can reduce that accountability if good access procedures are not in place for those entering the company environment from public or home wireless hotspots or other insecure access points.

A recent study by Ponemon for Dell reported a staggering loss of laptops at airport security checkpoints, and suggested many were likely company units where the owner simply didn't want to, or could not, take the time to recover the unit. The report noted this amazing statistic:

Only 33% of laptops within the Lost and Found departments in airports are reclaimed. The other 67% of subsequently found laptops that arrive in Lost and Found departments remain in the airport until they are disposed of. As a result, there are potentially millions of files containing sensitive or confidential data that may be accessible to a large number of airport employees and contractors.

Although it is possible that the airport would wipe these machines at some point before reselling them, this is another example of security challenges that are more a product of behavior than technological problems. Theft of smartphones and laptops is very likely to increase as the number of these mobile devices increases (and the size of laptops decreases, making them a very easy theft target). For this reason, remote wiping software may be advisable for any employees with access to sensitive data.

Unfortunately, bad behavior is harder to change than bad computer applications or security software. Thus IT managers, especially those working on large enterprise applications with sensitive data, need to address behavior issues as regularly as they address technological ones. Most importantly, IT needs to always be asking itself how employees may be failing to follow the security protocols, and work on systems that reward, encourage, and create employee compliance rather than simply demand it.

More Info:

Reuters on Employee Fraud Study

Consumer Affairs on Palisade Systems Employee Error Study | Palisade Study

Lost Laptop Study

The increasing number of laptops and mobile devices on the market has created a situation where IT folks are facing increasing difficulties to ensure that corporate information is kept secure. If anything, the increasing number of high profile cases involving data loss should serve as a warning that the situation is untenable and is reaching critical mass.

While technological solutions abound, the very diversity of laptops and mobile devices actively works against any single solution. For example, the release of Apple's iPhone last year suddenly had IT departments scrambling to deal with yet another platform that employees are bringing into the office. In many cases, managers and staff might be demanding that they be allowed to access their corporate emails from these gadgets.

In this regard, we must recognize that the key challenge that we face has more to do with the issue of control rather than technology. Increasingly technology-savvy employees see no reason why they cannot be allowed to access corporate data from their personal laptops or Smartphones. To address this issue, I would like to suggest that we approach this from a different paradigm.

Companies need to wake up to the fact that the trend of staff bringing in external laptops and Smartphones will not only continue, but will in fact accelerate. But it would be difficult and unpopular for companies to demand that staff comply with certain security measures on their personal devices. However, the matter is different if these devices are actually owned by the company. This might involve loaning out company-acquired laptops, or paying an allowance for use of a personal laptop belonging to a staff member. The allowance pays for depreciation of the equipment, as well as any associated inconvenience that comes with implementing various security measures. In the latter case, employees are free to bring the laptop with them upon leaving the organization – once confidential data has been confirmed as removed.

Once clear ownership of the laptops or mobile devices has been established, it becomes easier when it comes to dealing with security in the form of theft or accidental loss.

There are many options when it comes to ensuring personal security or privacy. Where a laptop is concerned, the obvious solution would be to leverage full disk encryption that is tied to a Trusted Platform Module (TPM). Depending on various factors, however, this might be impractical to implement overnight, due to the fact that a complete overhaul of existing hardware and an expensive software commitment might be necessary. In addition, it must be noted that full disk encryption does nothing to mitigate the ability of service personnel granted temporary access to peer into data that they have no business in. This is probably best exemplified by the case of Hong Kong-based actor Edison Chen, who had service personnel pinch various scandalous photos of himself being intimate with various actresses from his personal laptop when it was sent in for servicing. The resultant uproar cut short his career and had him leaving the country in disgrace.

A more moderate and less invasive approach here would be to issue personal flash drives with on-board authentication and encryption. What it means is that all data on these flash drives is encrypted on the fly the moment it is copied in. It will only be accessible upon furnishing the correct password. The IronKey might be a consideration, though similar devices are now widely available on the market.

Obviously, user training will be required, especially since the drive capacities for such specialized flash drives are still relatively low, at between 4GB and 8GB. However, I believe it will be relatively easy to train even novice users that only data on the encrypted flash drive should be considered secure. Another added advantage would be that users will become more conscious of following backup procedures as well. As such, it represents the best compromise between.