Servers and the data they house are generally secure. The same is only partially true for desktop computers residing within the enterprise and permanently connected to the corporate network. It is not at all true for mobile PCs. For those users, neither physical nor data security exists to a satisfactory degree, presenting a never-ending danger to the business. What is at risk? Consider these facts presented by various industry pundits and market research firms:
* Two-thirds of critical business data resides on employee workstations or notebooks, NOT on servers (1)
* Around 90 percent of mobile devices lack the necessary security to prevent hackers from gaining access (2)
* "Everyone has been focusing on the [wireless] access point as the intrusion point. But no one is looking at the client." (3)
* Each year, more than one million mobile computers were lost or stolen - and according to the FBI, less than 2% of them are ever recovered. (4)
* A laptop theft results in an average loss of $89,000 (5)
How Bad Is the Situation?
According to the Aberdeen Group, enterprises in the United States spent more than $3.5 billion managing security vulnerabilities in 2002. Of this, 92 percent was in the form of IT staff time, with the other eight percent spent on technology solutions. In the first quarter of 2003, revenue growth among providers of data security technology grew 12.7 percent while revenue in the CRM shrank 17.4 percent, compared with the same quarter one year earlier.
Corporate security remains the top priority of IT professionals, according to IDC. Forty per cent of IT managers surveyed by IDC rated IT security as their highest priority. Worldwide, the total IT security market, including software, hardware, and services, is expected to reach $45 billion in annual revenue by 2006, compared with revenue of just $17 billion in 2001, according to IDC. (6) Wireless Poses the Greatest Threat
With thousands of public wireless hotspots now available in airports, hotels, restaurants and coffee shops, corporate policies must be created defining best practices and identifying under what circumstances connectivity is allowed. Unfortunately, even the strictest corporate policies for secure mobile computing are meaningless if they cannot be enforced. Prohibiting wireless connectivity completely, for example, still does nothing to stop users from purchasing and using readily available aftermarket wireless devices.
Enterprises are looking for solutions allowing them to define, implement, and deploy security policies for mobile computers that can provide flexibility by location for each employee. For example, an enterprise security policy might allow wireless connectivity while at headquarters, but only to the secure corporate WLAN. Attempted access to rogue networks should be detected and stopped automatically, without user intervention. However, wireless access at a coffee shop might be allowed, as long as the user is running a kernel-level firewall and using a VPN.
Perhaps The Meta Group sums it up best: "Given the heavy grassroots push for adoption of wireless LAN technologies, IT organizations must be proactive in establishing a corporate-wide wireless policy. A policy must either eliminate wireless use or force compliance across enterprise deployments, including guidelines on governance, security, and enforcement." (7)
Risks Associated with Mobility
Although mobile users are not always connected to trusted networks, their portable computers almost certainly contain sensitive data they have downloaded from the corporate network. Even data stored on corporate servers may have heightened security requirements. The risk of theft of sensitive information through removable storage devices such as CD-RW's or USB thumb drives is multiplied when users are mobile. Similarly, a device or even an entire network could be infected with a virus introduced on a thumb drive, or through a mobile device with outdated anti-virus software. Another risk is the use of dangerous network applications such as peer-to-peer file sharing, which often introduces malware (viruses, worms, Trojan horses, keystroke logging programs and the like) to the device.