08
2
In the past five years the workforces of many organisations has become increasingly dependent on becoming mobile, allowing routine tasks to be undertaken in an out of office scenario this is so that organisation can benefit from the possible advantages such as improved customer service, higher productivity and the ability to respond to emerging markets quicker (Igbaria & Tan, 1998). In addition as advances in pervasive and ubiquitous computing technology have taken place, employees are able to easily access smaller technologies that have network connectivity and are able to connect with their organisations corporate IT systems and information, including laptops, smart phones and removable storage media such as USB disk drives. With this trend likely to continue such that this year, 2008, it is estimated that there will be over 100 million portable or media devices worldwide used within mobile workforces (Heikkila, 2007).
As this evolution of the methods people work is occurring, there a number of critical issues that need to be addressed. Since the mobile workforce can now readily access sensitive or confidential information on the move, this has caused security concerns across all industries, and with constant reports of data loss from high exposure organisations or governments it poses the question can hardware and software security on these mobile devices fully prevent data loss through theft or through malicious practises?
3
As mobile devices have increased in capabilities over the past few years so have the vulnerabilities that they present to the modern mobile workforce. In the current hostile climate for mobile devices connecting to central corporate IT systems there is a need to acknowledge the main areas of weakness that organisations face when using such devices.
Studies have shown that for example that the main weakness in using mobile devices is accessing the internet in public areas or through ad-hoc networks, where different nodes forward packets of data between each other and to the internet. This is particularly critical in the forms of mobile commerce or M-Commerce, for example the buying and selling of goods between organisations, where the security risks are higher than within a standard office environment due to the nature of information that is being sent in public areas. With a projected market value of $200 billion (Ghosh
& Swaminatha, 2001), it is vital that organisations understand the security implications where contaminated nodes within an ad-hoc network and the continual changing of administrative or security domains could cause large scale problems for information security.
Another increasing threat is the rise of social engineering, which is becoming more persistent with the rise of mobile devices, and although currently only accounts for 2% of data breaches (Goss,
2008) is continuous threat to information security. Social engineering, where users are manipulated into divulging important or confidential and performing actions, where the attacker never comes face-to-face with the victim is a particular risk within mobile workforces. As the workforce becomes more decentralised it becomes harder to differentiate between colleagues and potential fraudsters, as there is less effect based trust within the workplace and assumptions are made, sometimes leading to costly outcomes or compromised security, as justified by a study by InfoSecurity Europe where 75% of employees gave their passwords immediately to a group conducting a survey outside of their place of work (Leyden, 2003).
The final major issue is the susceptibility mobile devices have of being lost or stolen as they are moved more frequently between locations, and tend to rely on the awareness of the employee to maintain its physical security. A justification for this becoming a primary concern for organisations with mobile workforces is that statistics that have been collected show just how much information is being lost per year, all of which has the potential to be restricted or sensitive information, for example Heathrow airport records 900 laptops that have been collected as lost property each week
(SC Magazine Staff Writers, 2008).
As shown within Secrets and Lies, Digital Security in a Networked World (Schneier, 2004) network security is a chain, and is only as strong as its weakest link. Until these security vulnerabilities are addressed by organisations with mobile workforces there will always be the threat of information loss as mobile devices remain the most significant point of failure in an organisation IT infrastructure and degrade the overall strength of the security solution and can cause implication for organisations.
4
As possible vulnerabilities of the mobile workforce and their associated devices have been discussed it is important to realise the effects of a security breach and loss of information assets on an organisation. Information Assets are apparent within every industry, and are defined as “ data that is or should be documented, and which has value or potential value ” (Hawley Report, 1994); examples include market and customer information, human resource information and management information and plans. The implications of a loss vary between organisations depending on the type in conjunction with the public perception of the organisation’s brand in question; however there are a number of high level implications that will affect all businesses.
The primary impact through the loss of information assets is where organisation will not be able to carry out decision making as there will be no information that will help to reduce uncertainty that exists within market industries today (Butler Group, 2004). This could be for articles such as purchase orders or could be more severe such as processing sensitive data for benefits which will have a direct implication on the organisation and customers if there is a breach of security whilst an employee is using a mobile device outside of the office environment. This in turn has the causal effect of impacting business deadlines and information throughput processes in order both maintain budget decisions as well as generate revenue for the organisation. This is argued in the Reuters report Information as an asset: the invisible goldmine (Reuters, 1995) where out of 500 telephone interviews with senior managers in the UK one in four saw information as the most crucial asset to business practises.
Another concern that will impact every organisation is the financial cost of a data loss which will both impact the bottom line for the organisation as well as the individuals whose data has been lost.
Throughout 2007 alone, 90% of businesses suffered from a data loss at an average cost of $200,000
(Fitzgerald & Dennis, 2007) however the costs can far greater depending on the type of loss, for example where Nationwide building society lost 11 million records of customer data which was stolen from an employees house (BBC News, 2006) and the Financial Services Authority penalised
Nationwide with a £980,000 fine. These penalties described however, did not include the cost of labour that was required to source the data and collect and create new hardware which would be an additional overhead affecting the organisations budgets and time constraints as information collection is a lengthy process (Smith, 2008).
A concern that can outweigh the financial losses of lost information due to removable media being misplaced or stolen is that the organisational brand will be affected in a negative manner.
Consumer, as well as stakeholder, trust is an intrinsic method of security in conversing or purchasing with an unknown or little known third party and will be the basis of whether or not a customer is likely deal with the organisation in the first instance as argued in (Gluckler & Armbruster, 2003) and
The Role of System Trust in Business-to-Consumer Transactions (Pennington, Walcox, & Grover,
2004). A security breach will have an impact on the levels of trust that stakeholders will have in the organisation and in the manner in which business is carried out using the mobile workforce decreasing the likelihood of a transaction, as it will be the consumers information that will be being transported between locations and across various media types . This is also shown in the figure below:
5
<<<INSERT FIG 1 DIAGRAM ABOUT TRUST>>>
Therefore mobile workers and their devices must be properly protected to circumvent these outcomes and showing that an initial expenditure into the correct methods will be far better for the organisations reputation.
6
With a mobile workforce there a number of technical issues which need to be taken into account when selecting the right way to protect your business. Primarily information security technology will need to be used through “ the selection and implementation of [or most] appropriate technologies and products ” (InfoSec, 2008), and will consist of reactive and pro-active types of security. The figure below shows a basic taxonomy of methods that can secure a mobile device and are shown in respect to whether they are reactive or pro-active.
Information Security
Pro-Active Methods Reactive Methods
Network
Level
Host
Level
Program
Level
Network
Level
Host
Level
Program
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Network
Level
Needs to be done in VISIO in order to get the connectors etc done correctly.
Network
Level
The taxonomy that is shown above is dependant on two main features, firstly whether or not the security method reacts with the data instantly or at a different time and secondly at which layer within organisations IT infrastructure the technology exists. A pro-active security technology is where the data is secured in some manner before a data breach has the chance the to occur, whereas reactive security technologies are where procedures or tasks are implemented and performed once a security infringement is in progress or being attempted.
7
There are a number of pro-active security technologies that can be applied to a range of mobile devices that are in use in the modern methodologies of working today. The first and most widely used in the current mobile workforce is that of cryptography, where information is translated into cipher text (encryption) and then translated back into readable information (decryption) by the user or recipient of the information (Rivest, 1995). There are a number of hardware encryption tools that are readily available for businesses to use, the current number one being Pointsec Mobile
Technologies closely followed by PGP Universal and a number of other vendors as described in
Appendix 1. <<<IN APPENDIX 1 show TABLE 1 from Heikkla Crypto paper>>>. Although the expense equipping a mobile workforce with this sort of technology is high, for example a license for Pointsec will cost for $129 per laptop and $76 per Pocket PC or PDA (Brooks, 2005), there a number of benefits that will outweigh this cost. The first of the advantages is that your workforce will have full hard disk encryption meaning that files can only be accessed after a successful password entry upon their mobile device system start-up, preventing unauthorised access to the files from the outset, meaning if a device is lost then the “new owner won’t be able to retrieve the protected data”
(Heikkila, 2007). Encryption with these tools also allows for devices such as virtual drives where all the encrypted data can be stored and accessed simultaneously in real time, such that the process of encryption and decryption is transparent to the users and will not have any effect on the speed in which their work is undertaken. However encryption does have its drawbacks, if malicious code is able to intercept administrative access rights encryption and most other pro-active security measures will be significantly reduced in terms of security level, which promotes the need for reactive security measures as well, which is argued within “The Inevitability of Failure” (Loscocco,
Smalley, Muckelbauer, Taylor, Turner, & Farrell, 1998).
Encryption can also be used on removable media and other types of ‘smart phone’ which do not encompass the same level of security as PDAs or Pocket PCs. This gives an organisation a higher level of safety, especially when used in conjunction with laptop hard disk encryption, as it means that the likelihood of information disclosure to unauthorised users is reduced. This is a wise organisation decision as 57% of organisations do not encrypt the data held on their PDAs or removable devices and that in the United States alone 35,000 PDAs and 232,000 mobile phones were lost or stolen in
2001 (Hinde, 2004). By encrypting devices it is possible for a network to store the encryption key for the removable device and therefore only when it is authorised by the corporate IT network the user will be allowed to access the information on the device, adding yet another layer of security to the mobile devices in use. This is a useful tool as this can be used to create logs which will help IT administrators review or monitor the amount of data, and what specific data, an employee has transferred to a removable device making the auditing of data movement much easier in the case of loss or theft (Heikkila, 2007). In turn encryption can be combined with a number of other technologies such as Tokens, Virtual Private Networks (VPN) and Digital Certificates to create a wider range mobile corporate IT infrastructure. An example is the RSA SecurID Token which is used in conjunction with a VPN to create a secure remote access point to an organisations infrastructure and will encrypt bytes of information as they sent and received which only the recipient and sender having the appropriate decryption keys in order to return the cipher text back to clear text. The cost of implementing a solution such as this would be $637,900 for 10,000 users (Entrust, 2008) for the
RSA SecurID tokens alone plus the installation of VPN clients such as Nortel Networks including VPN enabled routers and the client software is around $20,000 for every 100 users (Nortel Networks),
8
which is large organisation security decision so that a mobile workforce is secure, however when compared to the cost of peace of mind, this may not seem such a large expenditure.
REACTIVE METHODS?!!
Taxonomy of security procedures
Layering of security solutions
Software in use
Costs / Benefits / Disadvantages
Reactive and proactive methods
Lead into why technology is generally less needed than social aspects
-
9
Security of mobile devices has never been more of a risk than it is today, this is through a mixture of naivety and attitudes towards security on mobile devices, and this is shown in a press release from Pointsec where the MD Magnus Ahlberg discusses that users of mobile devices “ often try to circumvent [security measures] due to the time and ‘hassle’ factor associated with them ” (Ahlberg,
2004).
Awareness is a primary concern in mobile security as reports from the defence industry have shown that the employees and internal individuals are as important as external factors where “ you are obsessed with fighting and external enemy... the last thing on your mind is to fight scrupulous
individuals within [the organisation]” (Desouza & Vanapalli, 2005). A correct training scheme or process within an organisation is essential to effective data security, especially within a mobile scenario as it will reduce the likelihood of costly mistakes or loss of devices occurring initially as within a study by the Harris Interactive Service Bureau it stated that two thirds of the interview organisations recognised that “employees rather than hackers [pose] the greatest risk to customer
privacy” (Hinde, 2004). Organisation will need to enforce security policies and present a form of information protection framework that will be conveyed to the employees within a mobile situation such that there is an understanding of both the ethical issues of losing data, such as loss of personal trust as well as the procedures for reporting data loss and maintaining a vigilant eye on the organisation’s mobile equipment during travelling or ‘on-the-move’ working. This will include the disposal of IT equipment and the methods in which data is erased using software such as the open source Eraser program where the information will be continually over written with fake text to prevent recovery of this information if it was misplaced or stolen (Heidi Computers Ltd, 2008).
If employees are trained correctly as well, and a good information security framework is in place it will reduce the possibilities of other human factors causing a loss of organisational information including the emerging threat of social engineering, and simply the unauthorised removal of information (DTI, 2007). In organisation with mobile workforces today it is training of the mobile employees that are important such that items such as confidential data or employee passwords are not given to the wrong people, especially with the increase of social engineering. This is a method of hacking whereby persuasive techniques are used to extract secure or confidential information from employees, without much or any actual contact with them, and can be stopped simply by training the workforce correctly with regards to who to talk to about access controls and other information divulgence (Gaudin, 2002) (Pabrai, 2005). A clear policy on information security will also decrease the inevitability of employees that leave an organisation taking confidential or critical information with them, as this is lacking in the current mobile workforce environment where only a quarter of organisations have “ security policies in place to ensure employees cannot damage the organisation when they leave ” (Hinde, 2004).
It is understood that an organisation cannot respond to every security threat equally however there should be a form of security framework in place that lets “ managers... sort through which risks are most likely to materialise and which could cause the most damage to the business ” (Austin &
Darby, 2003). Where an information security framework is set up within an organisation it should, where possible, attempt to gain ISO certification for the level of information security. As defined by
10
ISO standard 17799 there are a number of ‘control clauses’ that need to be implemented within an organisation in order to achieve the greatest level of information security as it will define items such as a comparison between management support for security in conjunction with business objectives as well as legislative requirements and consequences of violations of a information loss (Yhan, 2002).
The Control Clauses of ISO 17799:
1.
Security Policy 6. Communications & Operations Management
2.
Organisational Security
3.
Asset Classification & Control
4.
Personnel Security
5.
Physical & Environmental Security
7. Access Control
8. System Development and Maintenance
9. Business Continuity Management
10. Compliance
(Yhan, 2002)
Figure 1 - ISO 17799 Control Clauses
Security frameworks have drawbacks such as the initial expenditure and the technical staff resources that will need to keep abreast of the current climate of potential threats to security including the working time expense of organising the risks according to potential business damage.
In addition there will be the cost to achieve ISO certification, but as sources have shown that users are the most likely method of where data loss occurs within a mobile workforce it is far more beneficial to have the social practises and standards in place before the hardware and software aspects of information security are implemented into an organisation mobile workforce. If these items are put into place and marketed to the potential consumer market, this creates a level of cognitive trust that will make a transaction more likely.
11
Hardware and software security are not the final solution to the problems that the mobile workforce face in terms of securing information assets. To produce secure methods of information access via a mobile workforce both social and technical aspects will need to be considered at the appropriate times. Before the hardware and software are introduced an organisation must first set out the correct frameworks for information security, this will involve creating policies surround access and removal of an organisations information assets and also hiring the necessary technical staff to keep abreast of the latest threats to the mobile workforce.
Show image of successful planning and implementation process – crypto paper.
12
Ahlberg, M. (2004). The Mobile Workforce, The Weakest Link. Pointsec Press Release.
Austin, R. D., & Darby, C. A. (2003). The Myth of Secure Computing. Harvard Business Review.
BBC News. (2006, November 18). Security Raised Over Laptop Theft. Retrieved November 23, 2008, from BBC News UK: http://news.bbc.co.uk/1/hi/uk/6160800.stm
Brooks, J. (2005, June 13). PointSec, WinMagic Lock Down Mobile Data. Retrieved November 8,
2008, from eWeek.com: http://www.eweek.com/c/a/Security/Pointsec-WinMagic-Lock-Down-
Mobile-Data/
Butler Group. (2004). Exploiting Corporate Information Assets. Hull: Butler Group - Technology
Management & Strategy Division.
Desouza, K. C., & Vanapalli, G. k. (2005). Securing Knowledge in Organisation: Lessons from the
Defense and Intelligence Sectors. Chicago: International Journal of Information Management.
DTI. (2007). Information Security: Protecting Your Business Assets. Business Link.
Entrust. (2008, September 1). Entrust IdentityGuard Price. Retrieved November 23, 2008, from
Entrust: http://www.entrust.com/strong-authentication/identityguard/calculator.cfm
Fitzgerald, J., & Dennis, A. (2007). Business Data Communications and Networking (9th Edition).
Virginia: John Wiley & Sons Inc.
Gaudin, S. (2002). Social Engineering: The Human Side of Hacking. Earthweb.
Ghosh, A. K., & Swaminatha, T. M. (2001). Software Security and Privacy Risks in Mobile E-
Commerce. Communications of the ACM, ACM.
Gluckler, J., & Armbruster, T. (2003). The Mechanisms of Trust and Networked Reputation. Sage
Publishing.
Goss, P. (2008, October 13). Hackers Account for Just 1% of Data Loss. Retrieved November 3, 2008, from TechRadar: http://www.techradar.com/news/computing/hackers-account-for-just-1-of-dataloss-475258
Hawley Report. (1994). Information As An Asset: The Board Agenda. KPMG Impact Group (p. 7).
London: KPMG Press Release.
Heidi Computers Ltd. (2008). Eraser | Internet Security and Privacy. Retrieved November 25, 2008, from Heidi Computers Ltd: http://www.heidi.ie/node/6
Heikkila, F. M. (2007). Encryption: Security Considerations for Portable Media Devices. IEEE Computer
Society.
Hinde, S. (2004). Confidential Data Theft and Loss: Stopping the Leaks. ScienceDirect.
13
Igbaria, M., & Tan, M. (1998). The Virtual Workplace. IGI Publishing.
InfoSec. (2008, November). InfoSec - Security Management. Retrieved November 26, 2008, from
InfoSec: http://www.infosec.gov.hk/english/business/security_imsf_3.html
Leyden, J. (2003, April 18). Office Workers Give Away Passwords for a Cheap Pen. Retrieved
November 9, 2008, from The Register: http://www.theregister.co.uk/2003/04/18/office_workers_give_away_passwords/
Loscocco, P. A., Smalley, S. D., Muckelbauer, P. A., Taylor, R., Turner, J., & Farrell, J. F. (1998). The
Inevitability of Failure: The Flawed Assumptions of Security in Modern Computing Environments.
Proceedings of the 21st National Informations Systems Conference. National Security Agency
Release.
Nortel Networks. (n.d.). Nortel Networks. Retrieved October 29, 2008, from Nortel: Products: VPN: http://www2.nortel.com/go/product_cat.jsp?parId=0&pcatId=-9965&segId=0&catId=-
9972&locale=en-US
Pabrai, U. A. (2005). Awareness Training - Strengthen Your Weakest Link. MediaTec Publishing Inc
[Certification Magazine].
Pennington, R., Walcox, H. D., & Grover, V. (2004). The Role of System Trust in Business-to-Consumer
Transactions. Journal of Management Information Systems.
Reuters. (1995). Information As An Asset: The Invisible Goldmine. London: Reuters.
Rivest, R. L. (1995). The RC5 Encryption Algorithm. MIT Laboratory for Computer Science.
SC Magazine Staff Writers. (2008, August 1). 900 Laptops Lost at Heathrow Per Week. Retrieved
November 10, 2008, from SC Magazine: http://www.securecomputing.net.au/News/118424,900laptops-lost-at-heathrow-per-week.aspx
Schneier, B. (2004). Secrets and Lies: Digital Security in a Networked World. Wiley.
Smith, D. M. (2008, July 23). The Cost of Lost Data. Retrieved November 24, 2008, from Pepperdine
University: School of Business & Management: http://gbr.pepperdine.edu/033/dataloss.html
Yhan, G. (2002). ISO 17799: Scope and Implementation - Security Policy. International Organisation for Standardisation.
14
Table of Encryption Software
15