During his daily commute into Manhattan from Long Island, George Miller’s notebook computer can connect to dozens of networks without his even realizing it. Indeed, as Miller’s train weaves and winds its way into the city, his notebook computer discovers dozens of unsecured wireless networks emitting signals from banks, retail stores, hospitals and homes.
“I suppose it’s a hacker’s paradise, but I’m not into that sort of thing,” quips Miller.
As an electrician working on high-rises in Manhattan, Miller is both business- and technology-savvy. He has taken proactive security steps that block fellow commuters from hitching a wireless ride onto his notebook. “In this day and age, notebook computers contain critical pieces of business information,” notes Miller. “I’m not going to leave my data open to probing eyes.”
Unfortunately, many businesses haven’t followed Miller’s lead. Indeed, approximately 90 percent of mobile devices lack proper safeguards to ward off hackers, according to Gartner Inc., a market research firm in Stamford, Conn.
Equally troubling, 70 percent of successful wireless LAN attacks through 2006 will involve misconfigured access points and client software, Gartner estimates.
Those figures are especially troubling because businesses and consumers are increasingly shifting from traditional desktops toward wireless-equipped notebooks. Mobile computers accounted for more than 35 percent of all PCs sold in retail in 2003, up from 29 percent in 2002 and 23 percent in 2001, according to NPD Group Inc., a market research firm in Port Washington, N.Y.
The vast majority of those machines contained wireless network capabilities, NPD reports.
The Big Picture
The shift to notebooks has prompted smart CEOs and CIOs to rethink their broader enterprise security strategies. “The wall that used to separate your internal operations from external operations is gone now,” notes Clayton Banks, CEO of Ember Media Inc., a digital design firm in New York. “The world is now one big mobile network, and there are plenty of people who are looking to poke holes in the system.”
What’s a CIO to do? Corporations now spend roughly 8 to 12 percent of their IT budgets on security solutions, according to Richard Clarke, former Cybersecurity Advisor to President Bush. Progressive — and downright logical — businesses should route some of those dollars to “endpoint” security policy enforcement solutions. An emerging software category, the market for policy-enforced endpoint security solutions, is one of the top trends for 2005; and mobile security software will reach over $1.2 billion in revenue by 2007, according to IDC’s estimates. Such solutions allow businesses to rein in their distributed client security concerns, say analysts.
Experts advise organizations to look for an endpoint security solution that ensures strong security without sacrificing productivity, and that ensures compliance with corporate policies even when users don’t connect back to the corporate infrastructure for weeks at a time. An effective solution should include:
- A layered approach, with a firewall at the lowest layer possible in the OS stack to ward off protocol-level attacks, worms, and so forth
- Wireless connectivity control, such as ensuring connection only to approved wireless access points, and preventing strangers from accessing wireless sessions
- Policy enforcement that doesn’t depend on end-users having to take action or making complex security decisions
- The ultimate formula: An integrated approach that includes firewall protection, system integrity checks and remediation, application control, intrusion prevention, wireless connectivity control, theft protection, storage device management and more, in one centrally managed solution.
With this type of approach, policies and rules can be pushed out to all clients automatically and are updated each time the user connects to the Internet. One important side benefit: In a virus outbreak you can implement total lock-down of all services instantaneously, even before the nature of the threat is fully understood. This protects valuable resources while giving the IT department much-needed breathing room to investigate the threat and determine the best way to ensure continued productivity without risk.
While security enforcement software rides along with each notebook computer, it doesn’t keep track of the system’s physical location like a GPS system. Location-aware software makes it easy to automatically detect how a mobile device is attempting to connect to the Internet, such as from one’s home wired or wireless network, a wireless hotspot, or a remote office, and apply pre-configured security permissions based on location. But the software doesn’t play big brother — for instance, it won’t reveal Miller’s preferred train car to an IT administrator. It does, however, apply intelligent security settings that protect the entire enterprise.
Perfect peace of mind? Only if CIOs make mobile assets a priority within the broader enterprise security strategy.
Tanya Candia is a consultant and expert on information technology (most notably data management and security), business management and marketing issues. As President/Founder of Candia Communications, she consults with companies and currently serves as Vice President of Marketing for Senforce Technologies Inc. Candia can be reached at firstname.lastname@example.org.