ICCA-GBC Newsletter Article

Portable Devices Carry Risks Along with Data

By Vin Damico, Founder and President of DAMICON, LLC

The news stories and resulting public attention around the Research in Motion versus NTP patent dispute show how dependent we have become on portable computing devices. There was widespread fear that RIM would have to shut down its email service leaving millions of customers stranded. Luckily, the companies have settled out of court so we can all sleep better at night. Or can we?

Having your mobile communication service shut down is not the main thing you should be worried about. Damage, loss and theft of mobile devices are far more common and complex.

The cost of replacing a lost or destroyed mobile phone, PDA or laptop PC is often far less than the value of the information it contains. In addition, privacy laws and federal regulations may result in serious consequences and fines when client information is mishandled.

Today's consulting world is a mobile one. The days of sitting behind a desk all day are gone for most of us, as are the days of the tightly defined network defense perimeter. We need the ability to go anywhere and access anything. The possible loss of mobile devices is an acceptable risk.

Here are some things you can do to mitigate the risks and minimize the resulting inconvenience.

Start by educating yourself and your clients about the risks. Many mobile device losses or thefts occur in airports, lounges and taxi cabs. Increased awareness about the risks in these areas can prevent many mishaps that result from simple carelessness.

The physical security of portable devices and the data they contain is your responsibility. This includes passwords, encryption keys, digital certificates and security tokens.

Anyone who has an expensive and sought-after device should be discreet. Don't flaunt the fact that you have the best and most expensive PDA on the market. You'll attract opportunists looking for a new toy and professional thieves looking for a big payday.

Next, prepare for the inevitable. No amount of training will eliminate all the risks. Some devices will be lost, stolen or damaged no matter what you do.

Here is a list of preemptive actions to improve the odds of getting the device back and to make it difficult for anyone to use the information it contains:

Consider using an alarm. Many types of mobile alarms are available. Some alarms detect motion. Some sense the distance between the owner and the device. These will alert you should someone attempt to walk off with your equipment.
Use a cable lock. These locks are designed to secure a device to a piece of furniture. One end connects to the device while the cable is wrapped around something immobile.
Use a password to protect the device. This mechanism varies among device types and manufacturers. On PCs, there is a BIOS-level password and an operating-system level password. For maximum security, use them both. Most PDAs and mobile phones also provide a password feature.
Use complex passwords. Common passwords like "password", your name, a family member's name or your pet's name are almost worthless. Mixed upper and lower case letters with numbers in random sequences create nonsensical but secure passwords. (Contrary to popular advice, it is okay to write down passwords and keep them in your wallet with a few simple caveats. Do not write down which password goes with which account. And, do not keep bank or credit card PIN numbers in your wallet along with the cards. Keep passwords and PINs separate from whatever they protect.)
Configure the PC BIOS to boot from the hard disk only. Do not allow the system to be booted from a floppy or CD. This prevents a thief from bypassing Windows security and operating the computer with his own software.
Encrypt the contents of the device. Windows, Linux and Mac computers provide various means of encrypting hard disk contents. Even if a thief snatches the laptop, the information it contains will be useless.
Invest in recovery software. Several companies sell software that quietly "phones home" when it is connected to the Internet. This feature enables law enforcement authorities to track the location of the device and recover it. CompuTrace, CyberAngel, XTool and zTrace are tools in this category.
Try to save as little information as possible on the device. The more information you carry around, the more hassle it will be to protect it and re-create it in the event of a loss. Access the corporate network, preferably through a virtual private network, to download files as needed. Upload new information frequently and erase the local copy unless absolutely necessary.

Another form of theft that is no less dangerous is virtual theft. This happens when someone obtains access to your device without your knowledge or consent and copies files. Devices that support WiFi and/or Bluetooth are at increased risk.

WiFi can be configured for "ad hoc networking" which allows any two WiFi devices to communicate. Neither device needs to be connected to a network. Bluetooth devices will connect to any other Bluetooth device by default.

These communication facilities should be turned off when not in use to prevent malicious connections. In addition, any shared resources such as folders or peripherals should be protected by passwords to prevent random sharing.

Lastly, be sure you have an up-to-date backup of the information on the device. Replacing a piece of hardware is easy and cheap compared to the cost of re-creating its contents.

Vin D'Amico is Founder and President of DAMICON, LLC, your ADJUNCT CIO™. He is an expert in IT Disaster Response Planning, Network Security Management, and Freelance Technical Writing. DAMICON services firms throughout New England. He can be reached at vin@damicon.com or view his website at http://www.damicon.com/.