INDIA MANAGING MOBILE SECURITY BREACHES Managing mobile security breaches


CONVERGENCE
Managing mobile security breaches
With the use of mobile devices by corporates on the rise, IT departments have their hands full combating data loss and security breaches

MEGHA BANDUNI
Posted online: Monday, January 30, 2006 at 0000 hours IST

The battle between technology and security seems to be never-ending. When mobile computing devices such as PDAs, laptops, handhelds and smartphones were introduced, few would have thought about the related security concerns if they were lost or stolen. “At Patni, for ensuring data protection, we try not to store critical information on mobile devices,” says Ajay Soni, senior manager, IT, IMD Patni Computer Systems.

According to a recent Mobile Usage Survey, it was discovered that almost 30 percent of users store their PINs, passwords and other critical information on their handheld devices without enabling the basic security features present on the system.

With an increasing number of people storing company data on mobile devices such as smartphones, PDAs, laptops and USB drives, and with Bluetooth-enabled devices entering the mainstream, IT departments are confronted with security issues. Information such as customer contacts, e-mail details, passwords and bank account details, as well as that related to private matters, is getting stored in devices without much consideration to security.

A lost PDA or smartphone with no protection makes easy pickings for thieves, hackers or competitors with regard to corporate information. This could have an impact on customer confidence and damage a company’s reputation. Since mobile devices have become a necessity among all top-rung executives, the demand for security within an organisation is growing rapidly. Hence, the first step that most CIOs practice and recommend is encryption of data. Other solutions could be creating awareness, conducting training, and using passwords.

The key security issues faced by users of mobile devices are misuse of data if stolen, the ease with which data can leak out, and unauthorised access. Encrypting data, factor authentication and blocking data transfer to pen drives are some of the measures that CIOs can consider to ensure security on their mobile devices.

According to Ajay Soni, Senior Manager, IT, IMD, Patni Computer Systems, the three main issues in using mobile devices are data security, theft and virus infection. “There are various ways through which one can take precautions such as encryption of data, dual factor log-on, and so on.”

But in spite of encryption, the chances of losing information are high. In many organisations, mobile devices are issued to the users only on a need-to-use basis. Still, it is a matter of concern. “Information from the mobile device is transmitted through a wireless network, therefore the risk of unauthorised access is high. I agree that encryption is not widely-used, and even if used it is prone to hacking. Another side-effect of encryption is that it degrades the performance of mobile devices. There is a need to have a standard encryption,” comments G Radhakrishna Pillai, Head of IT at Ranbaxy.

“At Patni, for ensuring data protection, we try not to store critical information on mobile devices. However, since this is not always possible, the next step is encryption of all the data stored in the device,” explains Soni. He says that all critical data is kept on the servers, and that no downloads are allowed. They use dual-factor authentication which prevents access to any PDA/laptop by a stranger. Also, every mobile device has a lock, so if the device gets lost its data cannot be accessed.

“We encrypt all the data on mobiledevices,and periodically conduct training and internal awareness programmes on encryption. “Zoeb Adenwala Chief, IT Pidilite. “ Information from the mobile device is transmitted through the wireless network, hence the risk of unauthorised access is high” RadhakrishnaPillai Head, IT Ranbaxy. Today, the security threat perceived by CIOs is the main obstacle to wireless devices. Pillai believes that authentication, privacy and authorisation are the critical issues in mobile devices, and that the technology needed to address them is still emerging