Mobile Worker Security

At Ordovician, we believe that mobile worker security is an important frontier for Managed Security in 2008. No doubt, helping your clients benefit from mobile working is smart. Mobile workers extend their work weeks and are more accessible and productive when they travel. Laptop and PDA sales are surpassing any other form of enterprise computing and communication. Almost all of these devices are wirelessly enabled for maximum connectivity and productivity.

With more than half of all enterprise data being replicated on laptops and PDAs, these devices are becoming larger risks and easier targets for data theft and loss than the hardened, firewalled data repositories found at most enterprises. True, there are no silver bullets for securing the desktop, no matter how much a client spends. There are, however, a few easy steps you can take with your clients to secure their data when it is moving around the globe on laptops and PDAs.

A good place to start is to have a conversation with your client about two-factor strong authentication. Make sure to look at all external access, and lock down the remote access VPN, Outlook Web Access and web logins with security tokens and other forms of two-factor authentication. The technology choices in this arena can be dizzying, and your guidance and expertise can be extremely valuable for your client.

Physical security is often overlooked. Mobile workers are not always “plugged in” like servers and desktops, where hackers have time to pick apart and test multiple intrusion vectors. However, these workers are physically transporting your clients’ data from place to place and connecting from multiple public locations such as coffee shops, hotel lobbies and airports. Spoofing wireless signals is one tactic hackers may use, but the more common danger is the physical theft of a device.

To address the physical security of lost or stolen devices, offer a poison pill that wipes data from drives in the event a mobile worker’s device is no longer in their possession. This is also effective with a terminated employee who, for whatever reason, retains a device with sensitive data. This can be an important discussion to have with the HR department and executives when you are working on compliance and incident management plans. Make certain that you provide this not only for the laptops but also for the PDA devices.

Another easy but important measure is to encrypt and password-protect mobile USB drives. These removable drives can easily carry gigabits of sensitive data and unfortunately can be lost or misplaced just as easily. Many enterprises do not have any idea how many of these devices exist and how exposed they really are. Detection, inventory and controls on these little gadgets can be eye-opening.

Surprisingly, even many large enterprises do not have a solid strategy for these basic security measures. A primary reason for this is that much of the research and development for software and laptop management to date has focused on the connected state and the associated threats, such as viruses and malware, rather than the real-life experiences that these mobile workers endure each day.

Increasingly, small to medium businesses (SMBs) rely heavily on the mobile workforce. These clients require the same level of security as large enterprises and many times will be hurt more acutely if data is leaked. As their MSSP, you can greatly reduce the risk of your clients’ data and your clients’ customers’ data falling into the wrong hands with these simple steps: two-factor strong authentication, poison pills and USB drive security.

Of course, there are plenty of additional risks and ways to guard against them. These three, however, are many times overlooked by the IT department, provide high value and low cost for your clients, and will help them address incident response, not just prevention. We would be happy to share best practices or discuss case studies with fellow MSPA members, as we are dedicating resources at Ordovician to stay on top of this important issue.

Mike Backers is President and CEO of Ordovician, an MSSP headquartered in Cincinnati, Ohio.