How often have you played the ‘scruples game’ amongst your friends, to question how much they would they rob a bank for - £5 million, £10 million, £25 million?
Change the stakes - you've just lost your job, you've re-mortgaged your house and you've got two children at private school - now how much would you rob a bank for?
It's just a game and thankfully the majority of us live on the right side of the law and work hard to make an honest living. However, historically, in tightening economies crime rates go up, and with internet technology available to the majority of office workers 'white collar crime' is taking on new meaning in the 21st century.
According to security specialists, worldwide criminal activity on the internet is growing exponentially both in frequency and complexity as thieves are getting smarter at targeting the ever increasing flow of money through cyberspace - making the pickings more tempting than ever.
The price of sensitive data and intellectual property goes up too in leaner times. You stand a much greater chance of winning a new business contract or landing a well paid job if you have a great database of sales leads, new product specifications or competitors' marketing plans to trade off.
We're not condoning these methods. Far from it, as over the last six months we have seen a significant increase in customers requiring tighter security on their mobile devices, as more laptops and PDAs have gone missing and as a result we have developed a whole host of encryption and access control devices to prevent internal and external perpetrators from trading information.
According to a survey conducted for the U.K.'s National High Tech Crime Office, 98 percent of the companies interviewed had experienced a computer-enabled crime in the last 12 months. Theft of laptops dominated these crimes, with 77 percent of organizations having falling foul to laptop theft.
Obviously it is not so much the cost of replacing the laptop or PDA which is of concern to these large organizations, but the ramifications of where the information has gone to:
- In Toronto recently the theft of a computer hard drive resulted in 180,000 customers of a Canadian insurance company being warned about possible identity theft.
- In Kentucky, a second-hand hard drive up for sale at a second-hand office suppliers, contained confidential files with the names of thousands of AIDS patients and people with other sexually transmitted diseases
- In Arizona, sensitive information, including names, addresses, social security numbers, and possibly medical records of more than 500,000 retired and serving U.S. military personnel, was stolen in a December break-in.
All these large organizations should never have put their customers or employees at risk and yet these examples of organizations lax over their security methods are more frequent that we are led to believe, or get to hear about, because of the financial damage it could do to them.
Last spring, hackers broke into a U.S. dollar-based bank's database and gained access to accounts of wealthy customers. Millions of dollars were transferred overseas. The bank managed to undo most of the transfers, but total losses, including a security clean-up, were more than $1 million. Customer confidence hit rock bottom, with many leaving to find more security-conscious banks.
You could argue that, in a weak economy with budgets and personnel stretched to the limit, organizations that have added many new technologies to their computer systems now find themselves lacking the resources to secure those systems against break-ins.
That is not a valid justification for doing nothing and, in the U.K. (and similarly in the rest of the E.U.), is actually contrary to Principle 7 of the Data Protection Act 1998, which puts a legal obligation on organizations to put reasonable and adequate security measures in place.
However, it need not cost a fortune to secure an organization from insiders or outsiders wanting to get at valuable information. The most important starting point is to have a sensible and easily administered security policy, which takes into account all the company's mobile devices. Here are a few simple ways of securing your mobile workforce and keeping your organization secure from breaches.
Eight Steps to Securing Your Handheld Devices
1. A workable security policy needs to be put into place, with the
most important factor being to communicate the policy to the
workforce. Staff must be told about the security implications of
mobile devices, and told what action will be taken if employees
ignore this policy.
2. Fast and easy to use access control systems and encryption
devices should be put in place on all mobile devices, which
cannot be circumvented by the user.
3. Use dynamic passwords or certificates for secure remote access.
4. An audit needs to be carried out to find out who in the
organization is using a mobile device and whether it is owned by
the organization, or the employee.
5. Staff should not be allowed to use their own mobile devices to
store customer and organization information on them, unless
they have been installed with the organization security system.
6. Use a security product that is compatible with all mobile devices
and software versions, which can be managed centrally.
7. Avoid using products that leave the user to make security
decisions - users will ignore them or find a way around the
system.
8. Make sure that if handhelds are used, that they are protected with
up-to-date software, which can defend against known security
loopholes.
By following these mobile security steps an organization can secure and protect its data while in transit as if they were building virtual walls and instilling the same physical security measures that you would normally find in an office environment. Mobile computing is about being free to work outside the office environment. With the technology readily available to secure all information stored on these devices, nothing should stand in the way of a free, flexible and secure mobile workforce.
Magnus Ahlberg is managing director of Pointsec Mobile Technologies (www.pointsec.com).
