Guest Commentary

The hidden threat: Residual data security risks of PDAs and smartphones

Today's mobile workers are walking around with their company's most valuable assets -- their intellectual property -- stored in handheld devices tucked in their back pocket or purse. While corporations refresh their desktop PCs every three years on average, handhelds such as smartphones and PDAs are replaced more frequently -- and not necessarily because users want to upgrade to the latest eye-catching gadget. Recently Pointsec completed a global survey of 900 taxi drivers from nine major cities around the world, which revealed that thousands of valuable mobile phones, PDAs and laptops are forgotten in taxis every day. In Chicago, for example, 85,619 mobile phones and 21,460 PDAs were left behind in taxi cabs over a six-month period.

Without the proper security measures in place, the exposure of data on mobile devices can result in serious consequences including damage to the corporate brand, financial loss, breaches of network security, regulatory penalties and expensive litigation. While organizations are properly concerned if a unit is lost or stolen, they have failed to consider the risk of residual data when the device is retired. In this sense, a defunct PDA can be as dangerous as an open server.

Securing residual data on mobile devices

The high turnover rate of mobile devices challenges the ability of IT managers to collect and "sanitize" them. Further complicating matters, removable media (such as flash cards) are rapidly becoming standard features and must also be secured. Unfortunately, approximately 90% of mobile devices lack the protection to ward off hackers, according to Gartner Inc., a market research firm based in Stamford, Conn.

How should security-minded organizations protect themselves?

  • First, implement policies and procedures that assure the security of data stored on handheld devices, both during and after the device's useful lifespan.

  • Second, take care to either destroy the device or prepare it for safe recycling or disposal by erasing any residual data in built-in memory and on removable memory cards. Re-initializing a device to factory settings does not overwrite stored data; in fact, the limited re-write capability of removable media has compelled manufacturers to optimize software specifically to minimize re-writes. In short, removing residual data from these devices is a time-consuming, costly manual procedure.

  • Third, implement security that eliminates the need to worry about residual data. Utilize the same type of security technology that protects the data if the device is lost or stolen, such as automatic encryption. By encrypting all stored data, the protection remains effective regardless of whether a device is lost, stolen or decommissioned. Because strong user authentication is required to decrypt data stored within the device or on a removable memory card, there is no need to manually remove residual data. Other alternatives such as "Power-On" passwords or file encryption have clear weaknesses. For example, "Power-On" passwords are available for almost all devices, but frequently users turn them off or pick trivial but convenient passwords. File encryption utilities are undependable because users must store sensitive information in a specific folder or, worse, manually encrypt the file. No consistent security program can be maintained where the task is left to users to determine what is confidential and how it should be stored.
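The difference between a factory reset, an explicit overwrite and encrypted storage can be seen in a small model of a retired device. The Python below is an added illustration, not code from the author or from Pointsec; the ToyStorage class, its sample records, the key and the SHA-256 keystream (a standard-library stand-in for a real cipher such as AES) are all constructed assumptions.

```python
import hashlib
import re

BLOCK = 64  # block size of the constructed storage model

class ToyStorage:
    """Constructed model of handheld storage: raw blocks plus an index of live records."""

    def __init__(self, blocks=8, key=None):
        self.raw = bytearray(blocks * BLOCK)
        self.index = {}   # record name -> (block number, length)
        self.key = key    # None means records are stored in the clear

    def _crypt(self, block, data):
        if self.key is None:
            return data
        # SHA-256 keystream: a standard-library stand-in for a real cipher such as AES
        ks = b"".join(hashlib.sha256(self.key + bytes([block, i])).digest() for i in range(2))
        return bytes(a ^ b for a, b in zip(data, ks))

    def write(self, name, data):
        block = len(self.index)
        self.raw[block * BLOCK: block * BLOCK + len(data)] = self._crypt(block, data)
        self.index[name] = (block, len(data))

    def read(self, name):
        block, n = self.index[name]
        return self._crypt(block, bytes(self.raw[block * BLOCK: block * BLOCK + n]))

    def factory_reset(self):
        self.index.clear()  # drops the index only; the raw blocks are left as they were

    def overwrite_all(self):
        self.raw[:] = bytes(len(self.raw))  # explicit sanitization pass over every block

def residual_strings(raw, min_len=12):
    """Disposal check: printable ASCII runs still readable in a raw storage image."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode() for m in re.finditer(pattern, bytes(raw))]

RECORDS = {"contact": b"CUSTOMER: Acme Corp, acct 4417",
           "note": b"VPN password: example-only-123"}  # constructed sample data

def retire(key=None, sanitize=False):
    """Fill a device, factory-reset it, optionally overwrite it, then scan the raw image."""
    dev = ToyStorage(key=key)
    for name, data in RECORDS.items():
        dev.write(name, data)
    dev.factory_reset()
    if sanitize:
        dev.overwrite_all()
    return residual_strings(dev.raw)
```

Calling `retire()` returns both sample records intact after the reset, `retire(sanitize=True)` returns nothing, and `retire(key=b"constructed-demo-key")` returns no readable record even though no overwrite was performed.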

About the author: Thomas Blitz is the president of Pointsec Mobile Technologies, Inc., USA, the global leader and the provider of the de facto standard for enterprise security software for laptop and desktop PCs, PDAs and smartphones. Prior to joining Pointsec, Mr. Blitz, a well-respected expert on IT cost efficiencies, was co-founder and co-chairman of the Compass Group, a global management consulting firm that delivers fact-based business and IT performance improvement recommendations to large organizations. Prior to co-founding the Compass Group, Mr. Blitz was responsible for IBM's sales and marketing to the banking sector in Sweden. Today, Mr. Blitz serves on the board for two international management consulting companies as well as the Swedish American Chamber of Commerce, Washington D.C. Chapter.

About Pointsec: Pointsec is the worldwide de facto standard for mobile device security – with the most customers deployed, highest level of certification, and more complete device coverage than any other company. Pointsec delivers a trusted solution for automatic data encryption that guarantees proven protection at the most vulnerable point where sensitive enterprise data is stored – on mobile devices. By securing sensitive information stored on laptops, PDAs, smartphones, and removable media, enterprises and government organizations can protect and enhance their image, minimize risk, shield confidential data, guard information assets, and strengthen public and shareholder confidence. Founded in 1988, Pointsec AB is a wholly owned subsidiary of Protect Data AB, publicly traded (PROT) on the Stockholm stock exchange.


This was first published in April 2005
