Mobile Workers Cut Gaping Hole in Security
As a growing army of mobile workers hit the road with their trusty laptops, few of them are properly secured. And that could mean big trouble for the corporate network... and critical corporate data.
While IT shops are increasingly telling end users to take advantage of the convenience of wireless connections, securing those connections -- and securing the mobile worker in general -- is an afterthought. And this is leaving a gaping hole in a lot of corporate networks.
''Most mobile workers are unprotected, and it's as scary as the value of the data on that machine,'' says Ken van Wyk, principal consultant for KRvW Associates, LLC and a columnist for eSecurityPlanet. ''You lose a laptop and it's worth maybe $1,500 or $2,000. So what? In the grand scheme of things, it's not a big deal. If you're processing information on your laptop that is worth a lot more than the laptop itself, then it's foolhardy to not protect that data.''
And many end users are not protecting their data, says van Wyk. Most likely following the lead of their IT administrators, they probably have anti-virus software on their laptops, but is it updated? Are they patched? Are they running a firewall? Encryption?
The answer is most likely not. And that's a dangerous game to be playing, say industry analysts.
Having an undersecured mobile workforce is especially dangerous when that workforce is growing by leaps and bounds.
According to a survey from Senforce Technologies Inc., an endpoint security company based in Draper, Utah, 87 percent of critical business data is found on endpoint machines. And 56 percent say their current wireless network security strategy is inadequate.
''The worry goes back to the phenomenon that the endpoint user is not just working on the corporate network,'' says Kip Meacham, director of product management at Senforce. ''They're going to be moving through a variety of networks while they do their jobs -- the corporate infrastructure, hotels, airports, coffee shops, their homes. Looking at the world as being either trusted or untrusted is an oversimplification of how the world is working.''
Tim Cranny, a senior security architect at Senforce, says IT shops just aren't putting enough effort and muscle into securing their mobile workers.
''Companies aren't taking enough steps to secure them, to secure wireless,'' says Cranny, noting that the problem stems from a lack of money, a lack of time and a lack of knowledge. ''What we're talking about here is a need for a cultural change to realize that the ground is shifting beneath their feet. There are fundamental new challenges.''
The Senforce survey shows some of these shifts:
''Well, we know that security is difficult at best in today's complicated world,'' says Ken Dunham, a senior engineer for VeriSign iDefense Intelligence based in Mountain View, Calif. ''It's hard enough on a corporate network keeping machines fully patched and updated. It's exacerbated when you have a mobile user. One of the weakest points of network security today is the mobile user. When people have laptops for use in the home office, as well as the corporate office, they tend to be less compliant and less up-to-date as the office computer.
''What it means is this is a whole different medium to manage,'' he adds. ''If you're going to have mobile users, you have to manage them. Companies struggle to identify what the risks are for mobile users. They don't have good models in place because they're not used to dealing with it. But today a lot of people are using laptops so we're going to see better security than we have in the past. It does mean there are unique challenges to making sure laptops are secured and locked down.''
van Wyk says the first line of defense for mobile users has to be up-to-date anti-virus software and a personal firewall on every laptop. And he adds that users need to use the firewalls to close down all incoming services except the ones absolutely needed. Add to that encryption software.
''Another very real concern is physical theft of the laptop,'' says van Wyk. ''All the other software just goes to crap if the laptop gets stolen. That's when you need to have some sort of encryption. That way if somebody were to steal your machine, they'd get the laptop but not your data.''
The problem, says van Wyk, is that very few mobile workers are using encryption, and many aren't even using firewalls.
''From my over-the-shoulder glances on airplanes, I'd say hardly anyone,'' says van Wyk. ''I think the number is nearly inconsequential when you're talking about encryption. I almost never see somebody doing that... I think companies are just handing out a laptop and maybe they give them anti-virus. But it's pretty darn rare for companies to hand out more protection than that.''