By Chris Jenkins
MAY 08, 2007
The scenario is all too familiar. A big deal signed off, a few drinks to
celebrate. Push on for a bit, then cab it home. A good time had by all.
But, oh dear, where's the BlackBerry?
If it's not the BlackBerry, it's the laptop. Come back to the car, the
window's smashed and the computer is gone. And not only the laptop. Gone
too are the contact lists, the sales plan and the intelligence on
competitors, all worth far more than a $2000 piece of kit.
With more companies giving staff laptops or handhelds to take home,
concern over the security of these devices, and the data that resides on
them, is growing. Vodafone business product manager Mark Corless says
some laptops lack even basic password protection, an oversight brought
home very quickly when the hardware goes astray.
"That can be a stake in the heart for some customers. There's a very
quick realisation of how important that information is," he says.
Sometimes, the consequences take on national significance.
In 2003, Australian officials were left scrambling when thieves using
forged identities stole a laptop from the Department of Transport in
Canberra and servers from the Australian Customs service in Sydney.
In the US last year, the personal information of more than a million
former US servicemen and women was compromised by the theft of a laptop
used by an employee of the US Department of Veterans Affairs.
In Australia, the theft of companies' mobile computing hardware is
In last year's AusCERT Computer Crime and Security Survey, 58 per cent
of companies surveyed reported having laptops stolen, up from 53 per
cent in 2005.
Nine per cent of companies said handhelds had been stolen last year, up
from 8 per cent in 2005.
Forrester ICT consulting director Andrew Milroy says the risks are
growing in line with increased usage of mobile devices.
At the same time, hardware such as PDAs and smartphones grows ever more
capable of storing large amounts of data.
"It's difficult to put a number on, but the risk is increasing
substantially," Milroy says. "Not many people understand the risks they
are taking by putting so much mission-critical information on these
"It's a risk that people have been talking about for the past couple of
years, but it has become a lot more real lately."
After five years of being relatively flat, business interest in mobile
applications has tripled in 2007, Vodafone's Corless says.
Many industrial-strength applications such as enterprise resource
planning and customer relationship management systems from the likes of
SAP and Oracle are now commonly available in mobile form.
The risk is amplified by the fact that devices and the applications they
run are often linked to corporations by high-speed mobile data networks.
Forrester predicts overall demand for mobile data services in Australia
will grow at 18 to 20 per cent annually over the next five years.
In Australia at present, Milroy says, the theft of a laptop or handheld
is more likely to be the work of an opportunist.
Fortunately, while devices are stolen regularly, it seems there has been
little effort dedicated to exploiting the information many of them
There is also no real evidence of deliberate industrial espionage,
Milroy says. "I can't imagine that you would tell someone to follow a
guy around and nick his BlackBerry."
Such actions remain a possibility, though, and awareness of the security
required for devices used outside the office is gradually increasing,
just as awareness of identity theft has cranked up over the past couple
of years, Milroy says.
Nevertheless, there is still some way to go before organisations realise
what they are up against, he says.
"It's just going to take a few years before people start taking that
risk as seriously as they really should."
The reluctance of organisations to talk about their security
embarrassments could be masking the true extent of the problem in
Australia, IDC senior software analyst Patrik Bihammar suggests.
"One problem is that we don't have the same disclosure laws here in
Australia as the US does," he says.
In California, for example, companies are required by law to notify the
public if personal data has been compromised. As with all security
problems, awareness is a key issue in the battle to prevent laptops and
handhelds from handing over the keys to the castle.
"Although security is a big issue, I don't think it is paramount in
people's minds. They are just thinking about how they can do more and
more with these devices in different locations," Milroy says.
Dealing with the security of portable devices needs to be part of the
overall approach to IT in a company, Milroy says. "Ideally it would all
go in line with effective backup and business continuity. It's one of
these cultural things that it's going to take people a while to catch up
Many people don't follow basic backup procedures, such as saving to
network drives, on their desktop PCs, so archiving data is even less
likely to happen with mobile devices, he says.
There are also more concrete approaches. Corless says the BlackBerry is
possibly the most secure mobile device at present.
After five unsuccessful password attempts, it will automatically wipe
all data, he says.
Safeguards are built in to prevent the data being wiped accidentally.
Because BlackBerries are often used as a mobile extension of the
desktop, they tend to carry a lot of critical information.
This also means that if they are regularly synced and are later data-wiped
or lost, they can easily be restored to a new handset.
The ability to use a wireless data connection to remotely wipe the data
on a device has become a popular safeguard, with products available for
a range of device classes.
Companies need to have policies in place before things go wrong to
ensure that appropriate action can be taken, Corless says.
For example, it can be a problem for carriers when people ring up and
ask to have devices either struck from the network or wiped altogether
if the person making the request is not the owner of the device or is
not authorised to make the request.
For some users, Vodafone creates custom access point names (APNs), which
define a group that is allowed to access the network.
If a device is not in the group definition, it doesn't get access.
"Unless we have enabled you to communicate back to your corporate
office, it won't happen," Corless says.
Coca-Cola Amatil and electricity utilities are among the Vodafone
customers employing this strategy, he says.
Some organisations restrict mobile devices to being thin clients that
store no data locally.
That way, if they are stolen, all the thief gets is a basic operating
system and some hardware.
But such a strategy limits the device to online-only use, meaning that
if a network is not available, neither is the data. Using data live from
the data centre also places greater demands on network performance,
which can easily fluctuate while operating in a wireless environment.
IDC's Bihammar says data on mobile devices should be encrypted as a
matter of course.
"Laptop and device encryption and data leakage protection are not as
common as they should be," he says.
"Data or whole-disk encryption is clearly the first step to make it
difficult for criminals to access any data on the device," he says.
"Organisations need to have the right policies in place and the right
technologies to enforce the policies and lock down intellectual property
from leaking out of their organisations.
"Whether through loss of mobile devices and physical media or through
email, instant messaging and other messaging protocols."
As ever, the
organisations most at risk of having their data compromised or stolen
via portable devices are the ones that lack the resources to enforce
Small and medium businesses are considered at particular risk.
For larger companies, compliance, both with external laws and with
internal policies, is looming as a larger issue and is forcing
organisations to develop appropriate security policies, Milroy says.
"Organisations are being forced to be much more transparent. If you are
public and you are being scrutinised, you want to be seen to be
complying with certain standards, whether they're mandatory or not," he
Like the growth of internet use in organisations, the arrival of fleets
of mobile devices is a tidal change unlikely to be held back by security
For that reason, security is eventually going to have to be built into
devices, Milroy says.
"If it's not built in, you're not going to be able to sell it."