DAN COOLIDGE WOULD NEVER WORK on sensitive documents in public. He watches his laptop so closely that if he is detained at an airport security checkpoint, he's not shy about announcing loudly that that's his bag on the conveyor belt. And he encrypts all the client-related information on his hard drive. "It's a little inconvenient," admits Coolidge, an attorney at Boston law firm Fish & Richardson and coauthor of A Survival Guide for Road Warriors: Essentials for the Mobile Lawyer (American Bar Association, 1996). "It might take 30 seconds to get at that file instead of five seconds, but I sleep nights."
Most users aren't so vigilant. In the past year, the U.S. State Department and Britain's intelligence agency both hit the headlines with embarrassing breaches of security through simple laptop theft. In a survey done by the San Francisco FBI Computer Intrusion Squad and the Computer Security Institute, 45 percent of respondents reported laptop thefts in the past year, and security vendors claim that as many as one in every 10 laptop computers is stolen. A $1,000 laptop -- a significant loss to most consumers and a tidy gain for the thief -- is a drop in the corporate bucket compared with the loss of the device's information. Not only is it inconvenient to try to rebuild files, but more significant losses can occur if someone uses the device to access sales contacts, financial records, trade secrets, military plans or even just salary records. One former systems consultant at an insurance company in the Northeast recalls that a manager's laptop computer containing all his staff's salary information was stolen right off his desk in the middle of the day. The CIO, beleaguered by the challenges of a recent merger, never found out whether the laptop was swiped by an outsider or an internal thief.
Such thefts are not uncommon, but implementing and enforcing policies that protect laptop and handheld computers is cumbersome and expensive. "Executives don't necessarily see the payback," says Adam Braunstein, a senior research analyst at Westport, Conn.-based Robert Frances Group (RFG). "Everything is always ROI -- implement a solution, make products faster, make more revenue -- versus this, which is preventing something bad that may not have happened anyway." True, technology chiefs and their lieutenants must constantly weigh risks and rewards. "Like most things in life, once you have reached a certain level of control, to make it to 99.9 percent secure, the cost becomes disproportionate to the risk," says Bud Albers, CTO of Seattle-based Getty Images. As mobile devices become smaller and their uses bigger, IS executives are faced with the challenge of establishing workable policies and procedures that protect hardware, data and network connections that may be out of their physical reach, all the while accounting for the really tricky part: getting free-wheeling mobile users to follow the rules.
Booted out of the office
IT'S NO SECRET THAT an increasing number of employees are hitting the road. The mobile computing market in the United States is expected to leap from 7.1 million in 1998 to 12.7 million in 2003, according to market research company Dataquest, a division of Stamford, Conn.-based Gartner Group. Within that market in the same time frame, the number of handheld computers is expected to triple, from 2.2 million to 8.8 million. Cahners In-Stat Group, a high-tech market research company based in Scottsdale, Ariz., estimates that by 2004, the average large corporation in the United States will support about 153 remote offices and 660 telecommuters, and more than 29 million wireless-enabled workers.
CIOs already fighting to keep track of the laptops IS has procured must now also monitor high-tech stocking stuffers. Traditionally seen as toys, popular versions of personal digital assistants (PDAs) may now come with 8MBps of memory and pared-down versions of PC software. Looming ahead are smarter cell phones that will make the mobile landscape muddier.
With those devices, both the pocket and shoulder kinds, comes an attitude. "The whole idea of a mobile device involves freedom, ease of use and fewer restraints, so the user is more empowered," says J. Dodge McCord, manager of telecommunications and business continuity consulting services with Atlanta-based North Highland Co. "Security is exactly the opposite." An effective security strategy is part trust, part education and part plain old-fashioned rules.
Setting a security policy
THE BEST SECURITY POLICIES must begin with company-provided mobile devices, which are easier for IS departments to manage. Laptops have been around long enough that most companies provide them or at least don't have problems persuading users to relinquish some control. But handheld computers are causing some companies to revisit their policies. The Marmaxx Group, for instance, doesn't allow employees to work on handheld computers they bring from home, although the Framingham, Mass.-based parent company of T.J. Maxx and Marshalls stores is testing a program to give non-Internet-ready PDAs to senior management. Mike Coons, a project manager at the information center, says that at Marmaxx, Windows NT is configured so that users without appropriate network access simply cannot install any software -- like that needed to synchronize a PDA to one of its beefier cousins -- and he's confident no one's found a way to sneak the devices past the IS department.
If a company allows users to purchase their own PDAs, however, IT should at least establish a short list of supported models and standardize the way they interface with the network. Mark Margevicius, a Cleveland-based research analyst at Gartner, recalls one incident where a student hired to do network administration decided to synchronize the address book on his PDA with the one on the company network and replaced the e-mail directory with his own, affecting thousands of users. "Even if you can't control the device, you can control how it accesses your data," says Margevicius, adding that CIOs may also require users to acknowledge that some of the information on the device belongs to the company. Synching PDAs through the network also lets IT track what has been downloaded where.
A statement regarding PDA usage can be incorporated into existing security policies, which often consist of commonsense advice along the standard lines -- change passwords often, don't leave them on sticky notes near your computer, watch your laptop while going through airport security, remember that others can see your screen if you use your laptop in a public place. The policies are usually given to employees who have just received a mobile device or to new hires. Users may be required to sign them and perhaps acknowledge that adherence is considered during evaluations. As RFG's Braunstein points out, "The organization has the right to say, 'This is your device, this is what you are allowed to access, and you are not allowed to do anything else. Failure to follow this will result in termination.'"
Some companies, however, are looking for ways to make security awareness more ongoing. EDS, a Plano, Texas-based global IT services provider -- where about 80 percent of the company is considered mobile -- is in the process of implementing a security awareness course that all employees will go through each year, says Terry Milholland, CIO and CTO at EDS. Rather than having the information filed away in an employee handbook, "you'll have to go to a website and acknowledge the fact that you've read the material," Milholland says. "It gets rid of the argument that 'no one ever told me.'"
The main challenge for CIOs, however, is creating an environment where people want to exercise caution, never mind the rules. It's not easy. After all, even Secretary of State Madeleine Albright, embarrassed over security problems in her department, including the disappearance of a laptop containing sensitive data, had to lecture her staff about the importance of safeguarding the nation's secrets. "We cannot and should not suggest that those responsibilities somehow interfere with the performance of our jobs," she told employees last May. "Security is an inherent, inextricable and indispensable component of all our jobs."
Across the pond -- where last March a British spy left a laptop with top-secret information in a tapas bar and another agent's laptop was snatched in a London train station -- an executive at BG Group echoes Albright's statement about security awareness. "It's a cultural thing," says Tom O'Connor, head of knowledge management systems at the U.K.-based energy company, where 220 senior executives around the world have been issued PDAs to supplement their laptops. "We tell people, 'Treat it as if it's your personal piece of property. Look after it as if it's your wallet.'"
Steps to security
Steve Sommer, CIO at Hughes, Hubbard and Reed, relies on a combination of embarrassment and peer pressure to keep the lawyers at his New York City-based firm in check. "If somebody doesn't comply and we're working on a confidential policy, then that person can ruin the whole deal for us," he says, and nobody wants to be that person. On the technology side, however, common sense isn't enough. Especially when users are accessing network resources remotely or dealing with sensitive material, the CIO needs to address three components of security: the hardware, its data and any network connections. Here are some tips for better security:
Cable locks that allow users to tether their machines to a desk or the furniture in a hotel room have been used for years, but some companies are taking physical security to another level. BG Group, for instance, marks all its handheld units with a chemical coding system from U.K.-based SmartWater, O'Connor says. This forensic coding fluid, when dabbed onto a device, dries to leave an ultraviolet marking akin to DNA.
Other companies are taking an approach similar to the LoJack system, in which a hidden transmitter allows police to track down a stolen automobile. Because laptop thefts had become 3Com's largest property theft worldwide, for the past two and a half years, the Santa Clara, Calif.-based networking company has been installing tracking software on every new laptop, says Brad Minnis, manager of security operations. Absolute Software's CompuTrace lets administrators monitor a laptop's physical location whenever and however its user connects to the Internet. If the device is reported stolen, Absolute works with local law enforcement agencies to track down the device. Users may not even be aware of the software, which is designed to survive a reformat of the hard drive. In addition, each 3Com laptop is issued with a cable lock, and the company makes individual departments pay for replacement units. "There's a real monetary incentive for departments to take care of their assets," Minnis says.
Keeping track of the hardware is the first priority but not the only one. Protection of the data on a hard drive starts with a BIOS password and good password habits. That's easier said than done, of course. Everyone knows that the longer and more unique a password is, and the more often it's changed, the more cumbersome it becomes. "It will slow users down," EDS's Milholland says. "The more secure you get, the more there is to pay at both ends: dollars and time." Besides, anything that requires a password means more calls to the service line. Already, Milholland notes that the biggest percentage of calls to help desks involve password resets for all kinds of devices.
Assuming that users won't bother with passwords unless they have to, some IS departments set up systems so that passwords must be changed at specific intervals or network passwords cannot be saved on the machine -- never mind the service calls. Some places combine these procedures with physical spot checks for password cheat sheets taped to computers.
The only way to truly keep data safe is with a sturdy encryption program, although many companies don't see the need for such a strict system. According to Ken Dulaney, the San Jose, Calif.-based vice president of mobile computing at Gartner, "You'd better be dealing in nuclear secrets" before implementing companywide encryption. He says that even on-the-fly encryption programs -- which automatically decrypt and encrypt documents as users open and close them -- slow users down and are often seen as too intrusive.
The Prudential Insurance Co. of America, based in Newark, N.J., however, decided to install encryption software on each of the 13,000 laptops that have been issued to its agents and field support staff during the past three years. Meanwhile, when users dial in to check e-mail, access customer information or download forms, laptop management software can see what they're doing and even take control of the machine to do upgrades, for instance, or check for unauthorized software. Mike Scoda, systems architect of field infrastructure, has a sunny take on getting users at the insurance giant to comply with security policies. He says his team had no trouble convincing people to follow security precautions because employees want to protect customer information. Besides, he says, "you can't get into the laptop unless you have the proper password. That really self-enforced the whole environment." The downside? If an agent forgets the password, the laptop is useless until he contacts the help desk to get one-time codes generated based on the machine's serial number. Scoda is mum on how much time the help desk spends doling them out.
Another approach to preventing data loss is to minimize the data stored on the machine, which has the added benefit of ensuring that if a user loses the unit, all of his work won't be gone, too. At Greenwood Village, Colo.-based Re/Max International, for instance, the key information on a user's hard drive regarding communications with prospects is automatically synchronized each time the user checks e-mail, says Bruce Benham, CTO of the real estate franchise, which has more than 62,000 sales associates in 34 countries. If there's an update to information on the network end, the server takes care of that, too; the synch usually takes less than five minutes. Benham says salespeople don't usually complain about this synch time because they no longer have to compile separate reports about their field activity.
Unfortunately, minimizing the data saved on a hard drive and relying instead on the network has its own problems. Tying users to a telephone line can seriously hamper productivity, and the more resources that valid users can access remotely, the greater the potential risks. Companies that want to control costs and simplify international network access are increasingly moving away from dial-in modem pools and looking to virtual private networks (VPNs) -- although what that actually means varies greatly.
Getty Images, a visual content provider, is moving core corporate data off workstations and implementing a network-centric, server-based computer model, with remote access strictly controlled by the VPN. CTO Albers says that right now, the company has a handful of ways mobile users are dialing in -- a result of the 25 companies Getty has acquired in the past five years. With the new system, each user will be able to dial in to a service provider that has thousands of access points in dozens of countries. From within the vendor's network, authenticated users will get a private encrypted line to Getty; all the network traffic will pass through one or two secure connections.
Threshold of pain
The level of security required for mobile users really depends on the company and the users. CIOs must achieve a balance between the amount of security a company needs and the time it takes a user to get through that security. "There is this real balance of protecting the data so much that it's not easy for the users to make use of it," BG Group's O'Connor says. "That's a real issue for corporate organizations." Gartner's Margevicius calls this the threshold of pain, or of inconvenience.
Executives may need to use encryption software, while other employees may not even need network access from their devices. Everyone needs to be reminded -- gently but firmly -- that no company can have an effective security policy without the end users' support. "You can't eliminate the social problems related with security," says Frank Prince, senior analyst of e-business infrastructure at Forrester Research in Cambridge, Mass. "You can only make a decision about how important security is and try to enforce it as best as you can."