When all of your users and devices are attached to the network, you can do some pretty amazing things with security policy. But when users pick up those devices and walk out the door, all bets are off.
That's the frustrated attitude expressed by many security pros who answered Dark Reading's portable and mobile security survey. Despite the development of stringent policies and technologies for protecting the wired environment, they say, there still is no good way to ensure that users will follow those policies once they take their high-powered devices out into the world.
"If you tell users that they can use [portable] devices for certain uses but not for others, then you have two problems," says Greg Lyons, a security research analyst for a large consumer-packaged foods company. "One is making users truly understand what 'acceptable use' is. The other is trying to enforce or audit such a policy, which is practically impossible."
In our survey of 229 security professionals, many respondents expressed similar frustrations. In fact, nearly half of those surveyed said their organizations have no clearly-stated policy for the use of portable storage devices; more than a third said they don't have a clear policy for mobile and wireless device use.
"We don't have a policy because upper management says they can't justify the expense of creating one," says Daniel Cotelo, an MIS technician for Central Coast Community Health Care in Monterey, Calif. "They say we haven't had an incident yet."
Other respondents expressed similar woes. "Our organization doesn't understand the threat because management doesn't," says Phil Long, field support engineer at Goss International Americas Inc., an Illinois-based manufacturer of printing equipment. "I'll bet most companies without such policies are in the same situation."
Some companies say they have put policies in place, but they have no sure way to enforce them. Some 22 percent of respondents in the survey said they have developed unenforceable policies for the use of portable storage devices; about 14 percent of respondents said they have unenforceable policies for the use of mobile and wireless devices.
The problem, in a nutshell, is that IT has no way to prevent employees from misusing portable devices when they are out of the building and off the network. WiFi-equipped laptops can ride any network that's handy, leaving them vulnerable to eavesdroppers or the introduction of malware. Portable storage devices, such as USB drives or smartphones, can be infected with viruses or stolen outright.
Without an IT-driven means of controlling access, portable device security depends largely on the end user, administrators say. And end users generally are not security-savvy.
"These devices are very convenient, and there is not a great motivation to make a convenient tool more complicated for the purpose of making it more secure," notes Tom Hofstetter, a security analyst at Southwest Power Pool, an electric utility in Little Rock, Ark. If users have to type a password into a Treo or other handheld device every time they check their messages, then that convenience is lost, he says.
But while IT administrators agree that portable device security policies are difficult to enforce, they also agree that the absence of enforceable policies leaves their organizations at risk. More than 40 percent of security administrators said they aren't sure whether they've shut down all of the vulnerabilities in their mobile and wireless network environments, despite having policies in place. About 20 percent said the same thing about portable storage media.
With all the publicity surrounding the problems at the Department of Veterans Affairs and other large organizations, it's not surprising that the theft of laptops and portable storage devices is at the top of most IT managers' lists of fears. (See VA Data Loss Worse Than Expected.) Sixty-two percent of respondents ranked the loss or theft of a laptop as one of their top two concerns in mobile and portable device security. Thirty-seven percent put the loss or theft of a portable storage device among their top two concerns.
"Beyond the loss of data, a laptop generally contains phone and contact lists, APIs for access to corporate applications, templates for reports, and user interfaces," notes David Kubista, president of Helimeds, a Tucson, Ariz.-based manufacturer of air ambulances. "For a spy, thief, or individual wishing to do harm, all of this information reveals how your enterprise operates. From this knowledge, it is easy to convincingly duplicate your systems or shadow your activities."
Other security professionals agreed. "Loss of a laptop is more dangerous to our organization than other mobile threats because our users tend to put sensitive data on laptops for convenience," says Lyons. "Users like to fiddle with data in Excel or Access, and they often don't stop to think about the difference between a physically secured desktop PC versus a laptop."
More than 80 percent of respondents said they suspect their employees of using WiFi-enabled laptops outside company walls, whether their policies allow that usage or not.
Although most security administrators concede that their policies surrounding portable device security are difficult to enforce at best, most of them also feel that the potential dangers associated with these devices are even greater than the dangers associated with traditional wired systems. Fifty-three percent said that the threat of security violations coming from the portable device side is "more serious" than the threats to the wired environment.
Portable device security, even more than wired device security, depends largely on the user, administrators observe. "The most difficult and frustrating part is creating a sense in users that there really is a problem, for which they are part of the solution," says Hofstetter. "And that the problem is not going to go away if it's ignored."
Next week: Security managers sound off on the effectiveness of currently-available technologies for securing mobile and portable devices.
Tim Wilson, Site Editor, Dark Reading