The lifespan of notebook PCs, PDAs and smartphones is falling as the pace of technology marches ever onwards. But for every new mobile device purchased by organisations of all sizes there is usually a piece of legacy hardware that gets sold, passed on to a colleague, friend or relative, or simply thrown away in the office rubbish. The hardware may be obsolete, but what about the software and data contained on the mobile device?
Pointsec Mobile Technologies has created a comprehensive set of points to consider when disposing mobile devices, and so help to educate staff in all disciplines about the complex dangers of leaving personal and company data on the mobile device when it´s no longer useful.
1. Don´t just delete your data – encrypt it.
Deleting data on your portable device rarely means that the data goes away forever. There are commercially available utilities that can un-delete `deleted´ data in seconds. To be 100 per cent secure, you should always encrypt data held on a mobile device. This ensures that the information is protected throughout the device´s lifespan – and beyond.
2. An unsecured wireless device can pose a serious security risk. Many organisations allow staff to access the company network using a wireless notebook, PDA or smartphone, with network based security software.
It´s worth noting that the latest exploits can use connection hijacking to give hackers access to the company network using the mobile device as a stepping stone, which poses a danger when the unit is passed on or falls into the wrong hands.
3. Encrypt and authenticate at all points. The increasing use of portable devices and WiFi access to company IT resources means that truly personal control of data is a thing of the past. As a result, data on PCs, laptops, PDAs and smartphones – as well as back-up data on the network – needs to be encrypted. It´s now possible to install encryption solutions on most mobile devices. You can also use authentication technology – tokens, biometrics and smartcards – to create a security system that is stronger than the sum of its parts.
4. Factory reset cancels everything – or does it?. Using a factory reset on your portable device may seem to be the easiest precaution before disposing of the unit, but factory resets are far from permanent, since they only delete the header information to your data.
This allows file un-delete software to be used. The best way to delete data forever is to use encryption as standard. That way, even if a hacker manages to un-delete your portable device´s files, it stays secure, since it is encrypted.
5. Don´t forget the back-ups. Even if your smartphone, PDA or laptop data is securely removed from the mobile device, it can continue to exist on a back up somewhere on the company´s IT network. Even deleting the data files on the back-up system is not full deletion, as network/PC restore functions can regenerate the back-up files.
The most secure approach to data deletion is to encrypt the data in the first place, as well as ensuring that the machine you are synchronising with is also protected with encryption.
6. Implement a best practice policy for mobile devices. The optimum approach to mobile device security is to conduct a risk analysis and, from the results, formulate a best practice set of policies relating to the use of mobile devices across the entire organisation.
Remember that good IT security is not just in the domain of the IT manager – it´s a responsibility that needs to be shared across all disciplines.
7. Effective data scrubbing can augment encryption. Data scrubbing – aka file shredding – is one option to delete sensitive information files. Most PDAs and laptops now have file scrubbing/shredding utilities available.
When used in conjunction with on-device encryption technology, the security of the mobile device is raised by several factors.
8. IDs and passwords give the game away. There´s more to ID/password security than avoiding writing them down. Always use a combination of letters plus numbers that only mean something to you personally.
Avoid using the same ID/password on multiple systems.
You can now replace your conventional password system with a single-sign on solution or a picture-based system such as PicturePin, which uses pictures rather than words to act as an aide memoir.
9 Don´t forget the cellular network backups.
A growing number of cellular networks now support network-based data back-ups.
Although designed to assist users in the event of a mobile phone loss or theft, the back-up poses a security risk if a third party obtains your network logon details, or if your old mobile number is re-assigned (as most are).
If you must use cellular network-based backups, remember to delete the data when no longer needed.
Consider building this strategy into your organisation´s best practice security guidelines.
10 At the end of your mobile contract?.
Upgrade your mobile, but don´t forget the data – including your contacts list – on your old handset.
Many mobiles automatically back-up data from the SIM card to the phone, so moving your SIM card can leave contact data behind on the old handset.
The best way to delete contact data on a mobile is to copy data from a new SIM card to the old phone – and so overwrite the old contacts list.
11 Not all information needs to be downloaded.
Just because a set of data is available on the company desktop resource doesn´t mean it should be downloaded.
A better option is to securely view that data on the mobile device using a `window viewing´ approach – when the connection disappears, the window-based data also disappears.
You may also want to consider an information control system to supplement the company data downloading policy.
12 And finally.
The Companies Act in the UK, and the Sarbanes-Oxley Act in the US (which a growing number of UK organisations, especially those that trade with the US, are implementing) mandate that high levels of security and compliance are introduced in companies both large and small.
Despite this, recent research has shown that 55 per cent of mobile devices in active use by UK organisations are unprotected.
Three quarters of respondents in the DTI Information Security Breaches Survey of 2006 stated that the theft of a laptop or mobile devices had been their worst security incident – proving extremely problematic, not just in terms of reconfiguring their systems, but the unknown long-term use of the data and public perception of trust.
Care should be taken when downloading or installing company data on a mobile device – even a mobile phone – as that information could easily fall into the wrong hands.
Installing data access control, encryption and similar software on a mobile device is now an easy task, especially with easy-to-use products from vendors like Pointsec now available at cost-effective prices.