Far from remote: The risks of mobile working
Bear in mind the huge variety of ways in which employees take information home, such as on laptops, memory sticks, or external hard drives, and the danger of theft increases proportionately. Factor in the way mobile workers connect back to the office, via the Internet, Bluetooth, or wireless, and it becomes obvious that danger can come from any number of directions. No wonder IT professionals everywhere agree that mobile working is a risky proposition.
Mark Osborne, chief information officer, Interoute
When you're in the office, your PC will usually be regularly updated, there will be software preventing access to certain websites, your e-mail will be scanned, and there will be a central administrator bearing some sort of responsibility. "When you plug in at home, the connection may be secure but the overall regime may be severely impacted," says Mark Osborne, chief information security officer at Europe's largest independent data network operator Interoute.
"The average firm dives into [mobile working] without considering it properly. You're going to need stronger authentication for a start."
Abracadabra no longer magic
As far as many companies are concerned, IT security stops at the firewall. But remote connectivity requires greater vigilance. Your password at the office may not be particularly secure, but at least you're sitting at your desk, in your office, behind a locked door that is possibly controlled by a security guard. In contrast, remote working environments can be anywhere.
Stronger authentication could come in a number of forms. Osborne lists CRYPTOCard tokens, RSA SecurID, or digital certificates as possible measures. What all these things have in common is they are dynamically-generated, two-part passwords. Often, these are also known as one-time passwords (OTPs). In a token-based solution, for example, the 'token' might be time-synchronized with a clock on the authentication server. A password is generated using an algorithm based on the time of log-in: naturally, even if intercepted, such passwords expire after use.
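The time-synchronized token scheme described above is standardized as TOTP (RFC 6238), built on HOTP (RFC 4226). The following is an added example, not code from the article or from the products it names (CRYPTOCard and RSA SecurID use their own schemes): a token-side code generator and a server-side verifier that tolerates one step of clock drift and refuses to accept a step twice, which is what "expire after use" means in practice. The shared secret is the RFC test-vector key, used here as a constructed sample.

```python
"""Worked example of time-synchronized one-time passwords (TOTP, RFC 6238).

Token and authentication server share a secret and a clock; each 30-second
step yields a fresh code derived by HMAC from the secret and the step number.
"""
import hashlib
import hmac
import struct
import time

# Constructed sample: the RFC 4226/6238 SHA-1 test-vector key. A real token
# would hold a per-device random secret provisioned at enrolment.
SHARED_SECRET = b"12345678901234567890"
STEP_SECONDS = 30
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP_SECONDS) -> str:
    """RFC 6238: HOTP with the counter set to the current time step."""
    return hotp(secret, at_time // step)


class OtpVerifier:
    """Server side. Accepts the current step or one step either side (clock drift)
    and remembers the highest step already used so an intercepted code cannot be
    replayed: once a step has been accepted, it and every earlier step are dead."""

    def __init__(self, secret: bytes, step: int = STEP_SECONDS, drift_steps: int = 1):
        self.secret = secret
        self.step = step
        self.drift = drift_steps
        self.last_accepted_step = -1

    def verify(self, code: str, now: int) -> bool:
        current = now // self.step
        for candidate in range(current - self.drift, current + self.drift + 1):
            if candidate <= self.last_accepted_step:
                continue  # already consumed (or older): treat as a replay
            # constant-time comparison so timing does not leak a partial match
            if hmac.compare_digest(hotp(self.secret, candidate), code):
                self.last_accepted_step = candidate
                return True
        return False


def current_code() -> str:
    """What a software token (phone or PDA, as the article suggests) would display now."""
    return totp(SHARED_SECRET, int(time.time()))


if __name__ == "__main__":
    verifier = OtpVerifier(SHARED_SECRET)
    code = totp(SHARED_SECRET, 59)          # token's code during step 1 (t = 30..59)
    print("first use :", verifier.verify(code, 59))   # True
    print("replayed  :", verifier.verify(code, 59))   # False: step already consumed
    print("next step :", verifier.verify(totp(SHARED_SECRET, 89), 89))  # True
```

The verifier keeps only the last accepted step per user; in a multi-server deployment that counter must live in shared storage, otherwise one server will happily accept a code another has already consumed.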
Some developers are already looking at the possibility of using mobile phones and PDAs as OTP tokens, thus reducing costs. But whatever form of dynamic password you use, using one is essential. "Simply put, without them, you've got bad security," says Osborne.
Worryingly, in a recent survey IT security analyst SafeNet found that 61 percent of IT security managers were still relying on static passwords to protect their corporate networks. In the wireless age, that may not be enough.
There are a lot of myths circulating about IT security and one of them may be that people are more security conscious. The rising costs of identity fraud and cyber fraud suggest otherwise. The Javelin 2006 Identity Fraud Report indicates that identity theft cost U.S. businesses and consumers $56.6 billion in 2005. "These things happen because people aren't careful," says Osborne. "The number of times I've been asked by clients if they can have the same password for remote access that they use for internal access because it's more convenient – it shows a complete misunderstanding.
"The reason firms have a different external security regime is to provide what's called defense in depth. The hope is that if your external password is cracked, your internal password will be able to hold on."
The home front
Passwords are of course just one aspect of the remote access which makes mobile working possible. The real driver behind the growing popularity of mobile working is wireless connectivity, and this is fraught with its own risks. While Osborne considers mobile working to be a welcome development, the bad news is that he also believes wireless will always be inherently vulnerable.
Osborne's research in this area has been picked up by the international intelligence community and featured at the International Symposium of Electronic Warfare. Osborne won't comment specifically on the extent of the work he's carried out in this field, but it has certainly prompted at least one large, reputable organization to change its plans.
While "chief techie" on KPMG's UK security team, he set up a dummy wireless network around central London, what he refers to as "a honey pot". Accounts had circulated in the press about worrying levels of wireless hacking in the City and Osborne's team wanted to find out just how much was going on. "We found there wasn't a huge horde at the door but despite rain and snow outside, there were still serious attempts on every link we had to gain access to the network," he says.
It's something small businesses need to bear in mind as well. Many employers install a virtual private network (VPN) to facilitate mobile working but never ask what's on the other side. If a mobile worker is working from home on his own terminal, is it a shared PC? Has it got anti-virus software? Is the user able to browse the internet while connected?
Many home workers have little networks of their own, whether they know it or not. House shares are one thing, but if the employee owns a wireless router, it's not beyond the realm of possibility that it's not only his PC that's connecting in – it's everyone in his street.
Loss of control vs. out of control
Given the inconsistency of mobile working environments and the attendant loss of centralized control, the biggest factor in mobile working security will be the mobile worker himself.
Ed Wilding, chief technical officer and director, Data Genetics International
Ed Wilding is chief technical officer and director at IT security consultancy Data Genetics International. He's also the expert who reconstructed journalist Andrew Gilligan's palmtop hard drive for the Hutton Inquiry. "You don't know what someone is doing at home, what system they're using, or who they're in communication with," he says. "You have no records or logs, you can't retain e-mails, you can't retain documents, and so you have no real power. You are putting trust in the employee, which is probably a good thing, but at the same time you are losing that oversight."
Beyond technological insecurities, mobile working can also put employers on shaky legal ground. Once people are working outside the office, employers don't necessarily have an automatic right to inspect their hardware. Such problems can be solved with a clause in the employment contract giving the company a right of inspection or access. However, as Wilding knows only too well, such clauses are far from common.
Decent exit and suspension procedures should help employers recover information and lock down systems, and in some circumstances secure evidence. All this is an absolute must, especially if the cynicism of some IT professionals is warranted. The idea that the weakest IT links are found inside the corporate firewall is not unusual in the computer industry. "Nine times out of 10 it's some kind of inside job," said one source, speaking of the huge number of company laptops that leave the office with huge amounts of valuable data on them, never to return.
After all, unscrupulous competitors or organized criminals will pay large sums of money for such data – which means the final irony about mobile working security may be that employee access is as critical as outside intrusion.
1. Dynamically generated passwords: conventional static passwords are "a menace", says Wilding.
2. Proper exit and suspension procedures: make sure you close the digital door after they've gone.
3. Right of inspection/audit in employment contract: the biggest IT problems can occur outside of the office.
4. Inform employees that data will be monitored: sets the correct tone, and pre-empts accusations of snooping.
5. Total disk encryption for laptops: if information goes astray, prying eyes should be unable to see it.
6. Specific firewall policies about data transmission: don't circumvent the firewall on a whim.
7. Risk seminars for all mobile workers: everyone should know about the dangers of "taking it outside".
Adapted from an article by Rob Lewis, for our sister site, AccountingWEB.co.uk