"There is growing fear among companies that they are losing control of their information," said Peter Firstbrook, an analyst with Stamford, Conn.-based Gartner Inc. "So while wireless devices help with productivity -- people aren't wasting time getting rid of spyware, adware or viruses -- there is concern those devices could be used nefariously to gain access to the organization's networks."
Those worries will only deepen in coming years. More than 25% of the global workforce will be comprised of mobile workers by 2009, or roughly 850 millions users, up from 650 million presently, according to IDC of Framingham, Mass.
Gartner, meanwhile, reports in a recent survey that U.S. companies plan to increase IT spending by 5.5% in 2006 and "mobile devices will become a major purchasing priority" for many of them.
According to experts, the challenge for companies is to develop security controls and policies that take into account not only architectural issues, but also the information stored on devices and how employees use them.
Locking up laptops
Firstbrook said securing laptops is relatively straightforward: You use the same security software and operational discipline that you apply to larger desktop computers. Security problems can
"Users aren't always online, so you have to have some way of dealing with them asynchronously. That's what network access controls are all about: to maintain the integrity of the laptop when users try to reconnect, whether through a virtual private network or by plugging into a wall outlet inside the organization," Firstbrook said.
Brown Smith Wallace, a professional services firm in St. Louis, Mo., equips about 90 mobile employees with laptops furnished with cellular modems and 802.11 wireless cards. Perpetually on the road, these employees -- including risk auditors, CPAs and financial services professionals -- need access to company databases, applications and customer information.
"Wireless access points are a big issue for us. We try to make our mobile users aware that hackers will put up rogue access points and use them to intercept and copy communications. Our message to them is simple: 'Don't connect unless you know for certain it's secure,'" said Joshua Knapp, the firm's security manager.
Many people operate under a "huge misconception" that laptops are inherently secure, said Matt Malone, vice president of security services for Veridyn Inc., a security consulting firm in Austin, Texas. Since most laptops run on the Microsoft Windows operating system -- designed to enable users to easily access most applications -- they also can be inherently vulnerable, he said.
"Most organizations will put up their firewall and then have what's called a protected network, which includes all trusted users [who] can do more services than people outside the network. When you connect to a wireless access point, you're saying, 'I trust these people.' And that's a bad idea," Malone said.
On top of security basics like installing locally based firewalls, encrypting VPNs and other security tools, Malone suggests restrictive access policies for users. Coupling this with intensive and ongoing user education helps reinforce to employees that information security is a business driver.
"Wireless technologies are great, but they're also like a loaded gun. Most users don't understand the technology," Malone said.
A survey of 166 companies by Sage Research points up interesting findings about the use of Wi-Fi hot spots for mobile devices. About 54% of companies said they are using either IPSec or SSL encryption for VPNs, while 9% rely on smart client software. Yet 20% of companies take no security precautions regarding use of Wi-Fi hot spots by employees, and only 6% have company policies forbidding their use.
Dumbing down smart devices
Personal digital assistants, or PDAs, and Bluetooth-enabled cell phones present different challenges. For one thing, there are design differences between leading PDA vendors. Many companies use Microsoft's Pocket PC because it offers a solid computing platform, can be customized and features numerous services. Those attributes also present hackers with "a much broader attack surface," Firstbrook said.
On the other hand, BlackBerry devices by Research in Motion Ltd. "favor security over functionality" by offering fewer features.
"How to secure these devices can be difficult to answer," Firstbrook said. "Organizations should do some information classification and start making decisions based on the type of information that users have."
Users tolerate logging onto laptops as a necessity, but they aren't willing to go through the same hoops for PDAs and smartphones, said Michael Disabato, an analyst with Midvale, Utah-based Burton Group.
"The smaller these devices are, and the more intimately bound they are to people's lives, the less likely you are to get them to accept security precautions in the first place," Disabato said.
He said smartphones that hold attachments and store e-mail raise concerns, too. If lost or stolen, it's possible for someone to put the phone in "flight mode," turn off its radio and offload data from the phone's small memory card onto a backup program, and then erase the contents from the phone's memory altogether. Erasure codes can prevent this from happening, but are useful only if the phone is powered up when they are sent.
"Encryption is the only way to protect this data, but it again raises the question of how to authenticate users" without being overly burdensome, said Disabato, adding that companies at least should encrypt attachments and e-mail.
CIOs and security administrators also need to brace for potential hacks of wireless phones equipped with Bluetooth capability. Bluetooth is a powerful technology that lets users transfer files from their cell phones to computers. Yet that same ability means other technological devices can connect to users' phones wirelessly, and without their knowledge -- a technique known as "Bluesnarfing." Malone said hackers exploit Bluesnarfing to wirelessly sniff out data packets in search of contact lists, e-mail address books and other useful data.
"It goes farther than that. They could even listen in to phone conversations," said Malone, who recommends IT departments instruct their users on how to disable Bluetooth when they aren't using it.
Garry Kranz is a freelance business and technology writer in Richmond, Va. He can be reached at firstname.lastname@example.org.
This was first published in October 2005