2008
Are Hardware and Software Security Methods the Solution for Protecting the Mobile Workforce? - Discuss
Securing Information Assets in Organisations
This report will discuss the current problems facing a mobile workforce and the
impacts on organisations in the case of information loss. Security methods,
both technical and social, will be discussed as ways of solving these
problems for mobile workforces.
Elliot Chapple 052321917
MN30281 – Privacy, Trust and Security in Information Systems
Word Count:
Introduction
<187>
In the past five years the workforces of many organisations have become increasingly dependent on
being mobile, allowing routine tasks to be undertaken outside an office scenario, so that the
organisation can benefit from advantages such as improved customer service, higher productivity
and the ability to respond to emerging markets more quickly (Igbaria & Tan, 1998). In addition, as
advances in pervasive and ubiquitous computing technology have taken place, employees are able
to easily access smaller technologies that have network connectivity and are able to connect with
their organisation’s corporate IT systems and information. The devices include laptops, smart phones
and removable storage media such as USB disk drives, and it is estimated that there will be over 100
million portable or media devices worldwide used within mobile workforces (Heikkila, 2007).
Since the mobile workforce can now readily access sensitive or confidential information on the
move, and with constant reports of data loss by organisations or governments, this essay will discuss
the question: can hardware and software security on these mobile devices fully prevent data loss
through theft or through malicious practices, or are there other factors affecting security?
Threats and Implications of Information Loss
<650>
As mobile devices have increased in capabilities over the past few years, so have the vulnerabilities
that they present to the modern mobile workforce and to the corporate IT systems to which they
connect. Studies have shown that the main weakness in using mobile devices is accessing the
internet in public areas or through ad-hoc networks¹. This is particularly critical for mobile
commerce: with a projected market value of $200 billion (Ghosh & Swaminatha, 2001), it is
vital that organisations understand the security implications of information transmission over
insecure sources.
A major concern is the susceptibility of mobile devices to being lost or stolen as they are moved
more frequently between locations. For example, Heathrow airport records 900 laptops collected
as lost property each week (SC Magazine Staff Writers, 2008), which is a concern because of
the amount of information stored on these misplaced devices. As shown within
Secrets and Lies: Digital Security in a Networked World (Schneier, 2004), network security is a chain,
and is only as strong as its weakest link. Until these security vulnerabilities are addressed by
organisations with mobile workforces there will always be the threat of loss of information assets, as
mobile devices remain the most significant point of failure in an organisation’s IT infrastructure and
degrade the overall strength of the security solution.
¹ Ad-Hoc Networks are where different nodes (computers or other devices) forward packets of data between
each other and to the Internet.
Information assets are an important part of an organisation and their loss can have multiple
implications for organisations. Information assets are present within every industry,
and are defined as “data that is or should be documented, and which has value or potential value”
(Hawley Report, 1994); examples can include market and customer information or more sensitive
information. They are the most important aspect of a business, as is argued within the Reuters report
“Information as an asset: the invisible goldmine” (Reuters, 1995), where out of 500 telephone
interviews with senior managers in the UK one in four saw information as the most crucial asset to
business practices. The primary impact of the loss of information assets is that the organisation
will not be able to carry out decision making, as no information will be available to reduce
the uncertainty that exists within market industries today (Butler Group, 2004).
Another concern that will impact every organisation is the financial cost of a data loss:
throughout 2007 alone, 90% of businesses suffered from a data loss at an average cost of $200,000
(Fitzgerald & Dennis, 2007). However, the costs can be far greater depending on the type of loss, for
example where Nationwide building society lost 11 million records of customer data, which were
stolen from an employee’s house (BBC News, 2006), and the Financial Services Authority penalised
Nationwide with a £980,000 fine. The penalties described, however, did not include the cost of
the labour required to source the data and to collect and create new hardware, which would be an
additional overhead affecting the organisation’s budgets and time constraints, as information
collection is a lengthy process (Smith, 2008).
A concern that can outweigh the financial losses from lost information due to removable media
being misplaced or stolen is that the organisational brand will be affected in a negative manner.
Consumer and stakeholder trust is an intrinsic method of security in conversing or purchasing with
an unknown third party and will be the basis of the likelihood of a transaction (Gluckler &
Armbruster, 2003) (Pennington, Walcox, & Grover, 2004). A security breach will have an impact on
the levels of trust that stakeholders have in the organisation and in the manner in which
business is carried out using the mobile workforce (Klang, 2001), as it is the stakeholders’
information that is being transported between locations and across various media types.
Securing Information Assets from a Technical Perspective <726>
With a mobile workforce there are a number of technical issues which need to be evaluated when
selecting the right way to protect information assets. Primarily, information security technology will
need to be used through “the selection and implementation of [or the most] appropriate
technologies and products” (InfoSec, 2008), and will consist of both pro-active² and reactive³ types of
security. The figure below shows a basic taxonomy of security methods.
² Pro-Active is where data is secured before a data infringement is able to occur.
³ Reactive is where procedures or tasks are performed once a security breach is in progress or being attempted.
<CHANGE OF DIAG>
FINISH ME
Figure 1 - Security Taxonomy based upon (Venter & Eloff, 2003)
There are a number of pro-active security technologies that can be applied to a range of mobile
devices that are in use, including cryptography, digital signatures and anti-virus software. The most
widely used within the mobile workforce is cryptography, where information is translated into
cipher text (encryption) and then translated back into readable information (decryption) by the
recipient of the information (Rivest, 1995). There are a number of vendors of hardware encryption
tools for organisations, the market leader being Pointsec Mobile Technologies, although other
vendors are described in Appendix 1. Although the expense of equipping a mobile workforce with this
sort of technology is high, for example a license for Pointsec will cost $129 per laptop and $76
per Pocket PC or PDA (Brooks, 2005), there are a number of benefits that will outweigh this cost. The
main advantage is that the workforce will have full hard disk encryption, meaning that files can only
be accessed after a successful password entry at system start-up on the mobile device. This prevents
unauthorised access to the files from the outset, so that if a device is lost then the “new owner
won’t be able to retrieve the protected data” (Heikkila, 2007). However, encryption does have its
drawbacks: if malicious code is able to intercept administrative access rights, encryption will become
useless, as argued within “The Inevitability of Failure” (Loscocco, Smalley, Muckelbauer, Taylor,
Turner, & Farrell, 1998).
Additionally, encryption can be used on removable media and other devices such as PDAs or mobile
‘smart’ phones. This is a wise organisational decision, as 57% of organisations do not encrypt the data
held on their PDAs (Hinde, 2004) or removable devices, and in the United States alone 35,000
PDAs and 232,000 mobile phones were lost or stolen in 2001 (Hinde, 2004). When devices are encrypted, it
is possible for a network to store the encryption key for the removable device, so that the user
will be allowed to access the information through the device only when authorised by the
corporate IT network. This adds another layer of security to the mobile devices in use and makes
tracking data movement much easier in the case of loss or theft (Heikkila, 2007). Encryption can be
combined with a number of other pro-active technologies such as Tokens, Virtual Private Networks
(VPN) and Digital Certificates to create a wider-ranging mobile corporate IT infrastructure. An example
is the RSA SecurID Token, which when used in conjunction with a VPN creates a secure remote access
point to an organisation’s infrastructure and will encrypt bytes of information as they are sent and
received over both secure and unsecure networks. The cost of implementing a solution such as this
would be high: $637,900 for 10,000 users (Entrust, 2008) for the RSA SecurID tokens alone. In
addition, the installation of VPN clients, such as Nortel Networks, costs $20,000 for every 100 users
(Nortel Networks), which is a large organisational decision for security to ensure the mobile workforce
is secure.
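The network-held key arrangement described above, as an added example (not code from the essay or from any vendor it names): a key server releases a removable device's key only to an authorised user, refuses once the device is reported lost, and logs every request so that data movement can be traced. The KeyServer class, the 8-hour lease and the device and user names are assumptions made for illustration.

```python
import secrets


class KeyServer:
    """Corporate-side key store for removable devices (hypothetical; constructed for this example)."""

    def __init__(self, lease_seconds=8 * 3600):
        self.lease_seconds = lease_seconds  # assumed policy: a released key is valid for 8 hours
        self._keys = {}        # device_id -> 32-byte data key, held only by the server
        self._allowed = set()  # (user, device_id) pairs permitted to unlock
        self._lost = set()     # devices reported lost or stolen
        self.audit_log = []    # (time, user, device_id, outcome), one entry per request

    def enrol(self, device_id, user):
        """Create the device's key on the server and authorise its first user."""
        self._keys[device_id] = secrets.token_bytes(32)
        self._allowed.add((user, device_id))

    def report_lost(self, device_id):
        """From now on no key is released for this device, whoever asks."""
        self._lost.add(device_id)

    def request_key(self, user, device_id, now):
        """Return (key, lease_expiry) when authorised, else None; log every request."""
        if device_id not in self._keys:
            outcome = "unknown-device"
        elif device_id in self._lost:
            outcome = "denied-lost"
        elif (user, device_id) not in self._allowed:
            outcome = "denied-user"
        else:
            outcome = "released"
        self.audit_log.append((now, user, device_id, outcome))
        if outcome != "released":
            return None
        # The lease bounds exposure only if the device-side client discards
        # the key at expiry instead of caching it.
        return self._keys[device_id], now + self.lease_seconds

    def history(self, device_id):
        """Audit entries for one device, oldest first: the trail reviewed after a loss."""
        return [entry for entry in self.audit_log if entry[2] == device_id]


def scenario():
    """Constructed timeline: normal use, an unauthorised colleague, a loss report, a later attempt."""
    server = KeyServer()
    server.enrol("usb-0001", "alice")
    granted = [
        server.request_key("alice", "usb-0001", now=1000) is not None,
        server.request_key("bob", "usb-0001", now=2000) is not None,
    ]
    server.report_lost("usb-0001")
    # After the report even the owner's credentials unlock nothing.
    granted.append(server.request_key("alice", "usb-0001", now=3000) is not None)
    return granted, [entry[3] for entry in server.history("usb-0001")]


if __name__ == "__main__":
    print(scenario())
```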
Reactive methods that can be applied to the mobile workforce are generally easier to implement
and will be less of a business expense, with the software costing between £3000 and £15,000 for a
high number of licenses (Shinder, 2004). Reactive security methods can include items such as
passwords, access control and firewalls that are installed or created on the devices used by the
mobile workforce. The most commonly used of these methods is passwords, because
at a high level they grant and block access to files or to a device itself, acting as a method
of authentication (Zviran & Haga, 1999). Firewalls are often used for mobile workforces, as these
provide a simple blockade between a trusted corporate IT infrastructure and the Internet, denying
any unauthorised attempts at information interception, particularly on unsecure networks (Al-Shaer
& Hamed, 2004), and are used in conjunction with anti-virus software.
Securing Information Assets from a Social Perspective
However, hardware and software based security can only protect information assets up to a point.
Security of mobile devices is the largest common organisational threat, because of a mixture of
naivety and attitudes towards security on mobile devices. This is shown in a press release from
Pointsec where the MD Magnus Ahlberg discusses that users of mobile devices “often try to
circumvent [security measures] due to the time and ‘hassle’ factor associated with them” (Ahlberg,
2004).
Awareness is a primary concern in mobile security, as reports from the defence industry have
shown that employees and internal individuals are as important as external factors, where “you
are obsessed with fighting an external enemy... the last thing on your mind is to fight scrupulous
individuals within [the organisation]” (Desouza & Vanapalli, 2005). A correct training scheme or
process within an organisation is essential to effective data security, especially within a mobile
scenario, as shown within a study by the Harris Interactive Service Bureau which stated that two
thirds of the organisations interviewed recognised “employees rather than hackers [pose] the
greatest risk to customer privacy” (Hinde, 2004). Organisations will need to enforce security policies
and present an information protection framework that will need to be conveyed to the employees
through training or workshops. This will create an understanding both of the ethical issues of losing
data, such as the procedures for reporting data loss, and of the need to maintain a vigilant eye on the
organisation’s mobile equipment while travelling or working ‘on-the-move’. This will include the
disposal of IT equipment and the methods by which data is to be erased after use, using software
such as the open source Eraser program. Eraser continually overwrites the information with fake
text to prevent recovery, such that this information cannot be stolen or lost to third parties (Heidi
Computers Ltd, 2008), and provides an NSA level⁴ of security.
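A multi-pass overwrite of the kind the paragraph above attributes to Eraser, written here as an added example and not Eraser's own code. The default of 7 passes follows the essay's footnote; the function names and the use of random bytes as filler are assumptions.

```python
import os
import secrets

# In-place overwriting only reaches the original blocks where the filesystem
# and the medium write in place. Flash wear-levelling (USB sticks, SSDs),
# copy-on-write or journalling filesystems and backups can keep earlier
# copies, so this complements device encryption; it does not replace it.


def overwrite_file(path, passes=7, chunk_size=1 << 20):
    """Overwrite a file's contents in place `passes` times; return bytes written."""
    if passes < 1:
        raise ValueError("passes must be at least 1")
    size = os.path.getsize(path)
    written = 0
    with open(path, "r+b") as f:  # r+b: modify in place, never truncate
        for _ in range(passes):
            f.seek(0)
            remaining = size
            while remaining:
                n = min(chunk_size, remaining)
                f.write(secrets.token_bytes(n))  # assumption: random bytes as filler
                remaining -= n
                written += n
            f.flush()
            os.fsync(f.fileno())  # push this pass to the device before the next one
    return written


def erase(path, passes=7):
    """Overwrite the contents, then remove the directory entry."""
    written = overwrite_file(path, passes)
    os.remove(path)
    return written
```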
If employees are also trained correctly, and a good information security framework is in place,
this will reduce the possibility of other human factors causing a loss of organisational information.
⁴ An NSA Level of security is where the data is re-written over a minimum of 7 times, normally between 20-50
times to prevent data recovery.
These threats include the emerging danger of social engineering⁵, which is becoming more persistent
with the rise of mobile devices, currently accounting for 2% of data breaches (Goss, 2008), as well as
the unauthorised removal of information by employees (DTI, 2007). In organisations with mobile
workforces today, it is the training of mobile employees that is important in preventing both social
engineering issues and workforce naivety, so that items such as confidential data or employee
passwords are not given to the wrong people (Gaudin, 2002) (Pabrai, 2005), as in the case where
passwords were willingly given to a group conducting a survey outside their office (Leyden, 2003). A
clear policy on information security will also reduce the likelihood of employees who leave an
organisation taking confidential or critical information with them; this is lacking in the current
mobile workforce environment, where only a quarter of organisations have “security policies in place
to ensure employees cannot damage the organisation when they leave” (Hinde, 2004).
Understandably, organisations cannot respond to every security threat in the same way.
However, there should be a form of security framework in place that lets “managers... sort through
which risks are most likely to materialise and which could cause the most damage to the business”
(Austin & Darby, 2003). Where an information security framework is set up within an organisation it
should gain ISO certification, providing a common platform for information security (Kenning, 2001).
As defined by ISO standard 17799, there are a number of ‘control clauses’ that need to be
implemented within an organisation in order to achieve the greatest level of information security.
These define items such as a comparison between management support for security in conjunction
with business objectives, as well as legislative requirements and the consequences of violations or
an information loss (Yhan, 2002).
The Control Clauses of ISO 17799:
1. Security Policy
2. Organisational Security
3. Asset Classification & Control
4. Personnel Security
5. Physical & Environmental Security
6. Communications & Operations Management
7. Access Control
8. System Development and Maintenance
9. Business Continuity Management
10. Compliance
(Yhan, 2002)
Figure 2 - ISO 17799 Control Clauses
Security frameworks have drawbacks, such as the initial expenditure and the technical staff
resources needed to keep abreast of the current climate of potential threats to security,
including the working time spent organising the risks according to potential business damage.
In addition there will be the cost of achieving ISO certification. However, as sources have shown that
users are the most likely source of data loss within a mobile workforce, it is far more
beneficial to have the social practices and standards in place before the hardware and software
aspects of information security are implemented into an organisation’s mobile workforce (Peltier,
2003). If these items are put into place and marketed to the potential consumer market, this creates
a level of cognitive trust that will make a transaction more likely.
⁵ Social engineering is where users are manipulated into divulging important or confidential information and
performing actions through persuasive language, and attacks are not even necessarily performed face to face.
Conclusion
<240>
Hardware and software security are not the final solution to the problems that the mobile workforce
encounters in terms of securing information assets. There is only so much security that technology
can achieve, especially when negligence of the workforce is a greater primary cause of information
loss than malicious third parties (Pabrai, 2005). To produce secure methods of information access
via a mobile workforce both social and technical aspects will need to be considered. Before the
hardware and software security measures are introduced, an organisation must first set out the
correct frameworks for information security; this will involve creating policies surrounding access to and
removal of an organisation’s information assets and hiring technical staff to keep abreast of the
latest threats to the mobile workforce. Once this is in place, the technical staff can evaluate the
hardware and software solutions that are available and apply the correct technologies appropriate
to business activities. A correct framework will allow for logs and reviews to see if the current
implementation is working for the mobile workforce. This will be an on-going cycle as shown in the
figure below:
[Cycle diagram centred on “Information Asset Security Procedures”, with four stages: Security threat analysis and acknowledgement of ISO standards; Creation of Information Security Framework and selection of technologies; Hardware and Software security implementation and employee training; Monitor usage using audit logs, and viewing information]
Figure 3 - The Security Cycle, an elaboration on removable device security (Heikkila, 2007).
Therefore, if a system similar to the above is in place within an organisation, this will lead to the most
secure methods possible by which an organisation’s mobile workforce can operate and interact, using
their devices, with the central organisational IT infrastructure.
Appendices
Table of Encryption Software
Works Cited
Ahlberg, M. (2004). The Mobile Workforce, The Weakest Link. Pointsec Press Release.
Al-Shaer, E. S., & Hamed, H. H. (2004). Modeling and Management of Firewall Policies. IEEE.
Austin, R. D., & Darby, C. A. (2003). The Myth of Secure Computing. Harvard Business Review.
BBC News. (2006, November 18). Security Raised Over Laptop Theft. Retrieved November 23, 2008,
from BBC News UK: http://news.bbc.co.uk/1/hi/uk/6160800.stm
Brooks, J. (2005, June 13). PointSec, WinMagic Lock Down Mobile Data. Retrieved November 8,
2008, from eWeek.com: http://www.eweek.com/c/a/Security/Pointsec-WinMagic-Lock-DownMobile-Data/
Butler Group. (2004). Exploiting Corporate Information Assets. Hull: Butler Group - Technology
Management & Strategy Division.
Desouza, K. C., & Vanapalli, G. K. (2005). Securing Knowledge in Organisation: Lessons from the
Defense and Intelligence Sectors. Chicago: International Journal of Information Management.
DTI. (2007). Information Security: Protecting Your Business Assets. Business Link.
Entrust. (2008, September 1). Entrust IdentityGuard Price. Retrieved November 23, 2008, from
Entrust: http://www.entrust.com/strong-authentication/identityguard/calculator.cfm
Fitzgerald, J., & Dennis, A. (2007). Business Data Communications and Networking (9th Edition).
Virginia: John Wiley & Sons Inc.
Gaudin, S. (2002). Social Engineering: The Human Side of Hacking. Earthweb.
Ghosh, A. K., & Swaminatha, T. M. (2001). Software Security and Privacy Risks in Mobile E-Commerce. Communications of the ACM, ACM.
Gluckler, J., & Armbruster, T. (2003). The Mechanisms of Trust and Networked Reputation. Sage
Publishing.
Goss, P. (2008, October 13). Hackers Account for Just 1% of Data Loss. Retrieved November 3, 2008,
from TechRadar: http://www.techradar.com/news/computing/hackers-account-for-just-1-of-dataloss-475258
Hawley Report. (1994). Information As An Asset: The Board Agenda. KPMG Impact Group (p. 7).
London: KPMG Press Release.
Heidi Computers Ltd. (2008). Eraser | Internet Security and Privacy. Retrieved November 25, 2008,
from Heidi Computers Ltd: http://www.heidi.ie/node/6
Heikkila, F. M. (2007). Encryption: Security Considerations for Portable Media Devices. IEEE Computer
Society.
Hinde, S. (2004). Confidential Data Theft and Loss: Stopping the Leaks. ScienceDirect.
Igbaria, M., & Tan, M. (1998). The Virtual Workplace. IGI Publishing.
InfoSec. (2008, November). InfoSec - Security Management. Retrieved November 26, 2008, from
InfoSec: http://www.infosec.gov.hk/english/business/security_imsf_3.html
Kenning, M. J. (2001). Security Management Standard - ISO 17799/BS 7799. BT Technology Journal
(Springer) , 132-136.
Klang, M. (2001). Who Do You Trust? Beyond Encryption, Secure E-Business. Elsevier.
Leyden, J. (2003, April 18). Office Workers Give Away Passwords for a Cheap Pen. Retrieved
November 9, 2008, from The Register:
http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
Loscocco, P. A., Smalley, S. D., Muckelbauer, P. A., Taylor, R., Turner, J., & Farrell, J. F. (1998). The
Inevitability of Failure: The Flawed Assumptions of Security in Modern Computing Environments.
Proceedings of the 21st National Informations Systems Conference. National Security Agency
Release.
Nortel Networks. (n.d.). Nortel Networks. Retrieved October 29, 2008, from Nortel: Products: VPN:
http://www2.nortel.com/go/product_cat.jsp?parId=0&pcatId=-9965&segId=0&catId=9972&locale=en-US
Pabrai, U. A. (2005). Awareness Training - Strengthen Your Weakest Link. MediaTec Publishing Inc
[Certification Magazine].
Peltier, T. R. (2003). Preparing for ISO 17799. Information Security Journal: A Global Perspective , 2128.
Pennington, R., Walcox, H. D., & Grover, V. (2004). The Role of System Trust in Business-to-Consumer
Transactions. Journal of Management Information Systems.
Reuters. (1995). Information As An Asset: The Invisible Goldmine. London: Reuters.
Rivest, R. L. (1995). The RC5 Encryption Algorithm. MIT Laboratory for Computer Science.
SC Magazine Staff Writers. (2008, August 1). 900 Laptops Lost at Heathrow Per Week. Retrieved
November 10, 2008, from SC Magazine: http://www.securecomputing.net.au/News/118424,900laptops-lost-at-heathrow-per-week.aspx
Schneier, B. (2004). Secrets and Lies: Digital Security in a Networked World. Wiley.
Shinder, D. (2004, July 19). Choosing a Firewall. Retrieved November 30, 2008, from Windows
Networking: http://www.windowsnetworking.com/articles_tutorials/Choosing_a_Firewall.html
Smith, D. M. (2008, July 23). The Cost of Lost Data. Retrieved November 24, 2008, from Pepperdine
University: School of Business & Management: http://gbr.pepperdine.edu/033/dataloss.html
Venter, H., & Eloff, J. (2003). A Taxonomy for Information Security Technologies. Computers &
Security.
Yhan, G. (2002). ISO 17799: Scope and Implementation - Security Policy. International Organisation
for Standardisation.
Zviran, M., & Haga, W. J. (1999). Password Security: An Empirical Study. Journal of Management
Information Systems (ACM) , 161-185.