The Prudential Insurance Co. of America, based in Newark, N.J., however, decided to install encryption software on each of the 13,000 laptops that have been issued to its agents and field support staff during the past three years. Meanwhile, when users dial in to check e-mail, access customer information or download forms, laptop management software can see what they're doing and even take control of the machine to do upgrades, for instance, or check for unauthorized software. Mike Scoda, systems architect of field infrastructure, has a sunny take on getting users at the insurance giant to comply with security policies. He says his team had no trouble convincing people to follow security precautions because employees want to protect customer information. Besides, he says, "you can't get into the laptop unless you have the proper password. That really self-enforced the whole environment." The downside? If an agent forgets the password, the laptop is useless until he contacts the help desk to get one-time codes generated based on the machine's serial number. Scoda is mum on how much time the help desk spends doling them out.
Another approach to preventing data loss is to minimize the data stored on the machine, which has the added benefit of ensuring that if a user loses the unit, all of his work won't be gone, too. At Greenwood Village, Colo.-based Re/Max International, for instance, the key information on a user's hard drive regarding communications with prospects is automatically synchronized each time the user checks e-mail, says Bruce Benham, CTO of the real estate franchise, which has more than 62,000 sales associates in 34 countries. If there's an update to information on the network end, the server takes care of that, too; the synch usually takes less than five minutes. Benham says salespeople don't usually complain about this synch time because they no longer have to compile separate reports about their field activity.
Unfortunately, minimizing the data saved on a hard drive and relying instead on the network has its own problems. Tying users to a telephone line can seriously hamper productivity, and the more resources that valid users can access remotely, the greater the potential risks. Companies that want to control costs and simplify international network access are increasingly moving away from dial-in modem pools and looking to virtual private networks (VPNs) -- although what that actually means varies greatly.
Getty Images, a visual content provider, is moving core corporate data off workstations and implementing a network-centric, server-based computer model, with remote access strictly controlled by the VPN. CTO Albers says that right now, mobile users dial in a handful of different ways -- a result of the 25 companies Getty has acquired in the past five years. With the new system, each user will be able to dial in to a service provider that has thousands of access points in dozens of countries. From within the vendor's network, authenticated users will get a private encrypted line to Getty; all the network traffic will pass through one or two secure connections.
Threshold of pain
The level of security required for mobile users really depends on the company and the users. CIOs must achieve a balance between the amount of security a company needs and the time it takes a user to get through that security. "There is this real balance of protecting the data so much that it's not easy for the users to make use of it," BG Group's O'Connor says. "That's a real issue for corporate organizations." Gartner's Margevicius calls this the threshold of pain, or of inconvenience.
Executives may need to use encryption software, while other employees may not even need network access from their devices. Everyone needs to be reminded -- gently but firmly -- that no company can have an effective security policy without the end users' support. "You can't eliminate the social problems related with security," says Frank Prince, senior analyst of e-business infrastructure at Forrester Research in Cambridge, Mass. "You can only make a decision about how important security is and try to enforce it as best as you can."
This story, "Remote Control," was originally published by CIO.