To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://hardware.silicon.com/pdas/0,39024643,39169250,00.htm

Staff mobile devices increase security risk
Senior employees are worst offenders

By Marcus Browne

Published: Friday 23 November 2007

As employee-owned portable devices become more sophisticated, they become less secure, according to one analyst. And the more senior an employee, the less compliant they are when it comes to protecting the information on those devices.

Jay Heiser, research vice president and security specialist at Gartner, speaking at the Gartner Symposium in Sydney, said: "It's likely that people higher up in an organisation will be the ones who own the more sophisticated devices and these are the types of users who resent having security imposed on them."

James Turner, security analyst for research company IBRS, said he recently hosted a roundtable discussion with a number of IT managers who voiced this complaint.

Turner said: "Some people were talking about their executives wanting the latest capabilities but resisting the use of authentication technology."

He added: "I think this tends to be a fairly common problem and the important thing I say to IT managers is not to respond by hitting the panic button. You're far more likely to convince an executive of the importance of protecting their data by reminding them just how many mobiles and PDAs get left in cabs."

Gartner's Heiser made the assertion that the security risks posed by portable devices are growing exponentially in accordance with their sophistication, level of use and the number of devices owned by individuals.

Heiser said: "The more sophisticated the device, the more likely it is to contain sensitive data."

Turner said: "I think it's fair enough to say that the more sophisticated devices are harder to protect but the tricky thing about security is that you can't just lock everything down to cover against every feasible risk."

According to Turner, technically minded security specialists can often overlook the fact that accessibility is equally as important as protection. "As soon as a security process becomes too complicated users will switch off and stop taking even simple precautions."

Gartner's Heiser believes encryption will become one of the most important factors in securing portable devices, predicting "in five years all laptops will be encrypted".

Turner said: "Encryption for laptops will be essential eventually. I think it's a no-brainer, especially when we're finding ways to use encryption that are unobtrusive but provide a high level of protection."

Throughout the Gartner Symposium, Heiser suggested many security woes - not just those involving portable devices - can be solved through access-control measures.

Heiser recommended security officers employ mandatory access control (MAC) measures over information they thought was likely to end up on employee-owned portable devices.

While Heiser rated laptops and high-capability PDAs as being the highest-risk objects when it comes to portable devices and security, he also noted that highly prevalent consumer devices such as iPods pose a threat, given their tendency to be used as storage devices by some users.

Turner said: "It's a good economy of scale to try to break something that most people have."

He added: "I think Apple is going to have to learn the same painful lesson that Microsoft did; the bigger your market share, and the more popular your products are, the more likely it is you'll get attacked."

Marcus Browne writes for ZDNet Australia