Bring your mobile security up to scratch

ANALYSIS

It's an expensive business having your laptop stolen, as the Nationwide Building Society found out last month — and Worcestershire County Council may soon discover.

But the biggest cost doesn't necessarily come from having to replace the lost system. Rather, in Nationwide's case, the main outlay ended up being the £980,000 fine imposed by the Financial Services Authority, for what the regulator deemed were serious information-security lapses. Much time and money were also spent in informing customers of the potential risks they could be exposed to because of the theft, which took place at an employee's home in August 2006.

As a result, although Philip Williamson, Nationwide's chief executive, said "there has been no loss of money from our customers' accounts as a result of this incident", and that if there were they would be reimbursed anyway, the situation has nonetheless led the company to commission "a comprehensive review of information security procedures and controls".

Worcestershire County Council, meanwhile, was informed by its IT supplier Serco that an employee had a laptop stolen from them in a street robbery over the weekend. The laptop contained the personal details, including bank and national insurance information, of 16,239 staff and former personnel, laying them open to possible identity theft.

The council has alerted affected staff to the incident by letter and opened a hotline for them to call in order to obtain more information on how they can protect themselves from possible fraud.

But these two organisations are not the only ones to have laptops disappear on them. According to a Freedom of Information enquiry undertaken by our sister publication silicon.com in August 2006, a swathe of government departments have suffered losses of their own.

The Ministry of Defence, the worst affected, reported 21 laptops stolen between July 2005 and July 2006. The Home Office saw 19 filched; the Department of Health, 18; the Department of Trade and Industry, 16; HM Prison Service, eight; and the Identity and Passport Service, four.

But theft is not the only means by which laptops go walk-about. A 2005 survey of London taxi drivers undertaken by Taxi, the magazine for the Licensed Taxi Drivers Association, and sponsored by mobile security supplier Pointsec, found that over a six-month period passengers left an astonishing 4,973 laptops behind — although 96 percent were returned to their owners after the drivers went to the effort of tracking them down.

A further 5,838 PDAs were also abandoned in this way along with an astounding 63,135 mobile phones — an average of three per cab — although in the latter instance, drivers managed to return about 80 percent.

This would all seem to indicate that, in spite of offering convenience and flexibility to an increasingly dispersed workforce, mobile devices are nonetheless generating their own set of information-security risks.

One of the key concerns here relates to data leakage and the fact that unauthorised people could potentially get their hands on sensitive corporate information if laptops are lost or stolen.

Despite this, according to the Department of Trade and Industry's Information Security Breaches Survey 2006, undertaken every two years by PricewaterhouseCoopers, four-fifths of UK companies still rely on nothing more than passwords to protect their systems.

The problem with this, points out David Perry, a principal analyst at research company Freeform Dynamics, is that passwords are notoriously insecure. "People often use an unoriginal password or have it socially engineered out of them during a quick phone call. Quite a few are also in the habit of writing them down, but thieves always know where to look. For example, if they nicked the laptop bag too, it may well be in there," he says.

The situation is compounded, however, by the growing presence of wireless networks, used by staff when they are out and about and, to an increasing extent, when working from home.

The difficulty here is that it is currently more or less impossible for users to know whether they are hooking up to a legitimate network or to a rogue hotspot — an issue that is particularly acute for users of Intel Centrino-based laptops, which look for a signal as soon as they are fired up.

This troublesome state of affairs is not helped by the fact that wireless security technology is still in its infancy, although products such as AirTight Networks' intrusion prevention software are starting to emerge to tackle the issue.

Another potentially dangerous situation, says Ian Kilpatrick, managing director at distributor Wick Hill, is that of someone creating a so-called man-in-the-middle scenario.

"The user may believe that they've successfully connected to the wireless network, but someone else may have already got onto it and they could be connecting through them," he explains. "This means that person could log in using the employee's details and see any data that's flying back and forth, although the biggest single issue is that once they've got an identity, they've got it for ever."

As a result, Kilpatrick recommends that organisations ensure staff use SSL or IPsec virtual private networks when connecting to the internet from their machines, and also that laptops come with two-factor authentication products such as tokens or digital certificates to ensure that users are who they say they are when they try to log onto the corporate network.

Another vital tool is encryption software to protect any sensitive data that is held locally on the laptop. This, Kilpatrick says, can cost as little as £70 per machine these days if purchased in volume, "which compared to potential fines and reputational damage is trivial money".

A further worry, meanwhile, is the extent to which laptops can leave the corporate network open to infection by malware. According to a study by Symantec's Enterprise Security Group in 2005, the most common source of automated worm attacks was employee laptops, with 43 percent of organisations saying that incidents had been generated in this way. A further 34 percent indicated that infections were caused by the laptops of non-staff members.

Unfortunately, however, says Phil Huggins, chief technology officer at security consultancy Information Risk Management, the use of programs other than antivirus and anti-spam to protect client devices is erratic at best.

"The concept of endpoint security tends to be a very basic thing. It's pretty accepted now that you'll put antivirus software and maybe some anti-spam on all laptops, but deploying things like intrusion prevention, personal firewalls or encryption software, all of these are patchy," he says.

To make matters worse, while organisations may be vigilant in ensuring that their internal systems are patched and security software is kept up-to-date, all too often they are haphazard in lavishing the same care and attention on their laptop estate.

This is where remote management software can prove useful. Such systems can...

Talkback

There's a recent article at atlarge called Bullet-proof laptops (http://www.atlarge.com/story/0,3800012715,39166465,00.htm) that looks at laptop and mobile working security and precautions that might be of interest....

modafo 26 March, 2007 10:51