From: www.itworld.com

Best Practice for Securing Mobile Handheld Devices

by Devin Davis

November 25, 2008 —


Introduction

The primary purpose of email in an organization is to relay important information to employees, stakeholders, and associates of the institution. Many institutions do classify how and in what capacity their computer systems are to be used. My employer, NC State University, uses the institution’s website as a means of communicating the acceptable use of email and computers while in the workplace. The website is meant to provide easy access to information should anyone feel uncertain about online activity. One can find all of the rules of conduct within the Computer and Network Use Regulations page. While some companies are stricter than others, it is sometimes acceptable to use workplace email accounts as a means of personal communication. However, because the same accounts are being used to transfer critical information such as documents, client information, and business transaction details, employers are exposed to a greater threat (Flynn & Kahn, 2003). Once information is transmitted outside the organization without security measures in place, it can be easily misused for personal gain at the company’s expense. It can even be unknowingly intercepted by a third party. An effective approach to governing the use of mobile devices should include a well-written email policy, a set of monitoring and security tools, and employee training.

Pre-Mobile Security Practices

Traditional practices of securing email and data focus on desktop control, server restrictions, and monitoring tools. Desktop control includes decisions on which email client to use. Mozilla Thunderbird may be chosen for its security features like anti-phishing or remote image blocking. On the other hand, Outlook may be chosen because of its seamless email and calendar functionality. Some organizations choose to limit the size of incoming and outgoing email messages, or the number of recipients an account can send to in a given period of time. This helps reduce the possibility that a compromised account can be used to spam large numbers of addresses. Flynn and Kahn (2003) point out that misuse of company email is so pervasive that 47 percent of large U.S. employers review email messages. These controls are intended to monitor and protect information that originates from the company. However, the introduction of mobile devices has allowed such monitoring to be evaded. If an institution has authority over company-owned devices, then that institution is also the legal custodian of data originating from those devices. Employers need to obtain temporary jurisdiction over personally owned devices that are also used for official business. The policies governing email in the workplace are ineffective if they do not encompass all devices that are used for business purposes.
To get an idea of the widespread use of mobile devices in the workplace, the Pew Internet and American Life Project has performed a study of networked workers. The study shows that 19% of adult workers own a PDA, Blackberry, or other device and 25% of owners use the device for email. It is not surprising that data security is a huge risk when 57% of mobile device owners use the device for both personal and business reasons (Madden & Jones, 2008).
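As an added illustration of the two server-side controls mentioned above, the message-size cap and the recipients-per-period limit, the following Python scans mail-server log lines for policy violations. This is example code written for this edit, not from the article or any mail server product; the log line format, the field names (from, nrcpt, size) and the limit values are assumptions, and the sample log lines are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Policy limits: assumed values for this example, not from the article.
MAX_MESSAGE_BYTES = 10 * 1024 * 1024      # 10 MB per message
MAX_RECIPIENTS_PER_WINDOW = 100           # recipients a sender may address per window
WINDOW = timedelta(hours=1)

# Constructed sample log lines (assumed format: timestamp, sender,
# recipient count, message size in bytes). Not real server output.
SAMPLE_LOG = """\
2008-11-20T09:00:00 from=alice@example.edu nrcpt=2 size=4096
2008-11-20T09:05:00 from=bob@example.edu nrcpt=1 size=15728640
2008-11-20T09:10:00 from=alice@example.edu nrcpt=60 size=2048
2008-11-20T09:40:00 from=alice@example.edu nrcpt=50 size=2048
2008-11-20T10:15:00 from=alice@example.edu nrcpt=30 size=2048
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) from=(?P<sender>\S+) nrcpt=(?P<nrcpt>\d+) size=(?P<size>\d+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "sender": m["sender"],
            "nrcpt": int(m["nrcpt"]), "size": int(m["size"])}


def check_log(text, max_bytes=MAX_MESSAGE_BYTES,
              max_rcpt=MAX_RECIPIENTS_PER_WINDOW, window=WINDOW):
    """Return a list of (timestamp, sender, reason) tuples, one per violation."""
    violations = []
    history = defaultdict(deque)  # sender -> deque of (ts, nrcpt) inside the window
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["size"] > max_bytes:
            violations.append((rec["ts"], rec["sender"], "message size exceeds limit"))
        q = history[rec["sender"]]
        # Sliding window: drop this sender's entries that are older than the window.
        while q and rec["ts"] - q[0][0] >= window:
            q.popleft()
        q.append((rec["ts"], rec["nrcpt"]))
        total = sum(n for _, n in q)
        if total > max_rcpt:
            violations.append((rec["ts"], rec["sender"], f"{total} recipients in window"))
    return violations


if __name__ == "__main__":
    for ts, sender, reason in check_log(SAMPLE_LOG):
        print(f"{ts.isoformat()} {sender}: {reason}")
```

On the sample above, the oversized message from bob and alice’s 112 recipients within one hour are flagged, while her 10:15 message is not because the 09:00 and 09:10 entries have aged out of the window.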

Risks

A well-written email policy would include mobile phones, smartphones, and PDAs under the title of “computer,” since these devices are just as sophisticated. These devices can run many of the same applications as a desktop computer. Windows Mobile 6 devices, such as the HTC Diamond, are so advanced that they can be added to Active Directory domains and workgroups just as any regular computer. Handhelds today can be managed as any other node on the business network. By classifying devices appropriately, IT managers can ensure that they fall under the same guidelines as laptops and desktops and can specify additional rules. For the purpose of protecting company documents and maintaining email compliance, it should be noted that any computer using network resources is subject to regulation by the company. This means that one’s personal PDA, which has been configured to use the company’s IMAP email, must comply with the email rules set forth by the company. If the email policy states that email must be retained for at least one year, then the user’s device must be capable of saving sent and received emails onto the server so that they can be stored. Any device unable to comply with all of the rules of the email and data security policy should be prohibited from any business use. It would be unacceptable for an IT manager to allow a person to enter their place of business, plug a personal laptop into their network with no restrictions, and then start downloading company information. The manager has no idea if the laptop has virus protection, the latest patches, or even password protection to get into the laptop. Smartphone and PDA devices should be treated the same way. They should not be allowed to transfer and store important information without some form of governance.
Mobile devices pose a huge risk to any organization. In addition to being easily lost or stolen, these devices are often used to store sensitive passwords and information (Melnick, Dinman, & Muratov). As IT groups grapple with how to manage these devices, special attention must be given to how to secure the information that is being held. Data protection is a critical component of any system. If the employer’s email system does not detect that data was actually sent, then the information cannot be protected. The information cannot be retrieved or evaluated as stated in the company’s policy. The fact that employees can freely send and receive documents and email while mobile not only avoids email records management rules, but also makes it difficult to perform document recovery and other services offered by the IT department. If messaging is being conducted via mobile email and one cannot locate the messages to document events, there is a potential for problems to occur (Flynn & Kahn, 2003). The same is true for documents stored on the handheld or removable storage card. Smartphones and PDAs tend to crash just as PCs do. Without rules to govern where files are to be stored, there can be problems recovering items that have been lost or accidentally deleted. For example, smartphones such as the Treo use internal memory as well as expandable memory such as an SD memory card. When connected to a PC via sync cable, the SD card behaves just as any other removable storage device and appears as a separate drive (e.g. E:\, F:\, G:\). With the aid of recovery software, it can be fairly easy to recover files that have become inaccessible due to deletion or a slightly damaged memory card. It is not as easy, if possible at all, to recover these files if they were saved to the device’s internal memory unless the company invests in pricey software such as Paraben Forensics.
Currently, I am employed at an institution where it is required that certain documents, such as grant proposals and letters of funding, are stored on a network resource drive. This is because the data is backed up and would be easy to recover in the event of a catastrophe. Specification of where business related documents should be stored on mobile devices would be an important amendment to the usage policy. If an employee is ever audited or investigated for any reason, the company has allowed for a way to retrieve information from the devices.
Email has the potential to become a liability. There are heavy legal consequences that can result from a mismanaged email system. In a New Jersey Supreme Court ruling, Blakey v. Continental Airlines, Inc. (2000), the court ruled that employers can be held liable for messages sent through email. If an employer fails to monitor or take measures to prevent inappropriate use of their email systems, they are indirectly responsible. However, if an employer has a written policy covering electronic communications, they can protect themselves from such suits. More specifically, if handhelds and other mobile devices are included in the policy, and there are measures to monitor activity flowing through such devices, then the employer can have a strong argument against a plaintiff.

Minimizing Risks

Fortunately, there are some measures that IT managers can employ to minimize the loss of corporate data through mobile devices. Starting with risk management, IT managers need to quickly assess who is using these devices. Are they only for senior-level executives, field workers, etc.? They would want to know how devices are entering the workplace. Are they personal purchases or are they part of company purchases? These types of questions can help to determine what type of information is at risk. Once the organization knows what type of information is at risk, it can begin writing detailed policy for handhelds (Melnick et al., 2003).
Few handheld devices have any kind of barriers, especially when it comes to protecting phone access, email accounts, and data stored on the phone’s removable memory card (Waxer, 2008). As with desktop computers, mobile policies should enforce password protection. If possible, the device, email application, and removable data card should all have individual password protection. The wonderful thing about most PDA and smartphone devices is that they are manufactured with a form of password protection. Unfortunately, not many people take advantage of this security. As a Technology Support Technician, I can confidently say that of the more than 15 Palm Treo and Blackberry devices that I support, not one has ever used the password feature. Part of the reason is inconvenience. A second reason is that password security has never been enforced by the IT department. Understandably, it can be a hassle having to punch in a password each time you want to use your phone when you’re used to just dialing out “on the fly.” Today’s smartphones and PDAs are very similar in functionality to desktop computers. If we require that users must have a password to access computer systems, then we should also require that they use one for their mobile device. An optimal solution would deliver security while not adversely affecting the overall user experience of the device. End users should be able to make a phone call without entering a password but still protect personal data (Hsieh, 2007). However, the ideal is not always the most secure solution. It is much better to have some form of protection, with little inconvenience, than no security at all. The handheld’s password is the first line of defense in the event that it is lost or stolen. If the device is not password protected, but the email accounts and storage card are, there is still the potential for other information to be stolen.
Many devices contain notes, calendar, and address book entries of important people, events, and information that must be protected. There are also photos and other media that are typically stored on these devices. Just recently there has been the case of Philip and Tina Sherman, whose phone had been left at a McDonald’s restaurant. Northwest Arkansas News reports that not long after, very compromising photos of the couple were posted on a website, and very disturbing text messages were sent to the wife. These types of events can cause great embarrassment and emotional stress for the device owners (Davis, 2008). Use of a password for entry would have prevented access to the phone.
For email, it would behoove employers to use an email server such as MS Exchange or Blackberry Enterprise Server for the purpose of remotely administering their devices. This is because many third-party programs do not support password prompting when accessing email. A very well established business email application for Palm Treo devices called Snappermail is a prime example. In my organization, the IT group collectively decided that Snappermail would become the recommended email application for Palm users due to its huge advantages over other email programs. Snappermail has support for encryption such as SSL and TLS. It also handles memory efficiently and is very stable compared to other applications. In hindsight, I realized that despite all of its advantages, it is also not such a secure application. Like all of the alternatives, it stores passwords during email account creation. There is no prompt for a password when email is launched. If someone had access to the phone, and wanted to access a business email account, there would be nothing stopping them. The RIM Blackberry and Microsoft Windows Mobile devices are some of the most widely used on the market today. It is no surprise that each company offers its own email server solution. For RIM, it is the Blackberry Enterprise Server. Microsoft promotes the Exchange server for email. Both solutions offer the type of protection that is not typically found in third-party email applications such as Snappermail or Chattermail. For organizations that are serious about PDA security and are willing to make the investments required to keep their information secure, one of these managed email servers is the best solution. MS ActiveSync provides an option to authenticate each time email is accessed on the mobile device. Blackberry Mobile Data Service supports RSA SecurID two-factor authentication.
When enabled, users can be required to enter their username and passcode when trying to access an application requiring authorization. Once the devices are set up to use the respective servers, BES or MS Exchange, the process of tracking, auditing, and monitoring email is no longer a problem for IT managers. All information flows from the email server to the device and back out the same way. Server-side security can be set up and remote administration of devices is made possible.
Another good reason for companies to have their own hosted servers is to prevent company information from flowing into third party servers like Verizon’s Wireless Sync. Wireless Sync is a great program for personal email. However, because of the way it handles email, it is not a program suitable for business use. Once a company’s email settings are entered into the VZW Sync application, information is uploaded from the work email account to Verizon’s email server. The information is then pushed to the wireless device. This is potentially a huge threat and also the reason why companies should specify that information should never be held on servers not operated by the organization.
If organizations are going to allow business to be conducted with mobile devices, then they must invest. Secure Digital (SD) cards hold lots of information. They are the best solution for backing up devices, saving downloaded documents, and archiving email directly from the mobile device. They are also often overlooked when it comes to security. There are collections of software programs designed specifically for Palm and Windows Mobile devices that provide encryption for SD cards. Aiko Solutions provides software that encrypts cards using 256-bit AES. If the card is ever removed and inserted into another device, there will just be a string of random characters output to the screen. SecuBox will always ask for a password so that no unauthorized person can retrieve information without proper authentication. This type of software should be required for Secure Digital cards. Once again, the policy needs to reflect that once the potential threat has been identified, and there are tools to combat it, proper measures were taken to minimize the risk. This is especially important for IT managers who carry the responsibility of ensuring safety.
Part of the reason why security on PDA and smartphone devices is lacking is that there are no standards placed on these types of devices. Security consists of IT departments adding on tons of software to make up for the security shortfalls. Many manufacturers are using proprietary software and methods of security implementation on their devices. Because there are many different OS platforms, methods such as network connection, data transfer, and device authentication can vary. A Windows-based device may use password hashing to store passwords on the device, but Palm may just use a scrambled password. The Trusted Computing Group is aiming to help standardize the way these devices work. The TCG consists of major companies such as Nokia, Motorola, Verisign, and Intel, just to name a few. The TCG’s specification is similar to that of the Trusted Platform Module in PCs and servers. Devices will have a hardware-based cryptographic processor built into the main board. This will allow certain parts of data and applications to be sealed off so that encryption keys can be delegated appropriately by the TPM chip (Leavitt, 2008). Standards like these are necessary to help thwart virus and hacking attacks.
Employees should also share the responsibility for data security and privacy. As part of company policy, employees should be trained on proper use and security of handhelds. They should know what types of data should be stored on the device and where it is acceptable to store that information. Everyone should be made aware of the threats to mobile devices, such as Bluetooth hacking, and should therefore always disable this feature when not in use. Research performed by Proofpoint proves the need for employee diligence. Proofpoint surveyed 301 enterprise email decision makers. It was found that more than a quarter (27 percent) had investigated the exposure of confidential, sensitive, or private information via lost or stolen mobile devices in the past 12 months.

Conclusion

In order to protect both the company and employees, special attention needs to be given to mobile devices in the workplace. Policies need to be set, security procedures need to be put in place, and investments need to be made so that these devices are brought up to the same level of security as company networks and PCs. A policy that includes all data storage devices and the proper use of those devices can help avoid legal issues as well as minimize negative impact on companies.