Security Information Week 21, 2005
Seen from one perspective, mobile devices are a good thing. Portable computers enable access to information that is useful for doing a good job from remote locations. Personal Digital Assistants (PDAs) and some mobile phones make it possible for you to access your email from anywhere. Portable USB disks of several types are very efficient devices for transporting data, e.g. from the office to your home - some of the flash disks are so small that they are extremely easy to transport (and lose).
Unfortunately - like so many of life's other aspects - there is a flip side to the coin. Not surprisingly, the most important issue has to do with security. This security information will examine some of the dangers involved in relying too strongly on mobile devices, both for the corporation and for the person himself.
Theft by common criminals
Since the devices we are discussing in this article are becoming increasingly smaller, they are easier to forget on a coffee table or in a bag, or for a quick runner to snatch.
The objective of the thief in this instance is most likely to steal the device and then sell it as an inexpensive (and thereby tempting) mobile phone, portable PC or whatever. It is still a fact that even though the devices are getting increasingly smaller, they are not necessarily getting increasingly cheaper - on the contrary: they are getting filled with new and/or better functionality and are still quite expensive.
This is of course irritating: important personal information that was stored in the device may be lost, and your personal or your organization's insurance may not cover such a loss. Seen from a more objective perspective, however, such a theft is mostly a minor economic loss rather than a really serious issue (you have backed up your important information, of course!).
Stealing as a part of industrial espionage
This is when it becomes more scary, and where you as an employee or as the person responsible for security in your organization should really start to worry.
Let us assume that someone - a desperate competitor, a disgruntled former employee - systematically tries to obtain your personal or your organization's information. In such a scenario, portable devices are an extremely tempting target to focus on.
USB disks are tiny devices, but their capacity to store information that you do not want to fall into the wrong hands is frightening. Does your organization have a defined policy regarding what information is allowed to be stored on such devices? Does your organization have a policy regarding deletion of information that has been stored on USB devices? Remember that information deleted by normal delete commands is not really out of reach of someone who is willing to spend time and money to recover what was on the USB disk.
Information on a stolen portable computer is pretty easy to access for someone who has access to the computer itself, unless the information stored on the computer is encrypted. Working from home offices is often more efficient for special tasks, and is easier to do at odd hours; however, it is a fact that most homes do not have the same security in place as most working premises.
Does your organization have any kind of policy regarding what kind of information is allowed to be stored on a portable computer that is taken outside the organization's (secure) premises? Information in the wrong hands is potentially damaging for you as a person (identity theft), your organization (company secrets suddenly known to competitors) and your country (national secrets of numerous kinds).
PDAs and mobile phones
These are devices that to some extent are merging into one, and the most advanced items have capabilities that are present in computers as well.
You can access your emails from several types of mobile phones, and they can be used for surfing the Internet or the organization's intranet. They can be used to access applications and information inside your organization's protected network, and such information may be stored on the PDA/phone.
It is of little comfort if the communication between a mobile device and your organization's systems is encrypted by "unbreakable" algorithms, if the passwords that are needed to access the information from the device are weak or available on a post-it note in the user's home office!
Are the security mechanisms present in the device itself, and those needed to access the device, sufficient if it falls into the wrong hands? Does your organization have a policy that regulates what information is allowed to be stored on a PDA, and what information inside your organization you are allowed to access from a mobile device used from outside?
So far the threat from viruses and worms against PDAs and mobile phones has been minor, and mostly of a "proof-of-concept" character. It is likely that this will change as the operating systems on such devices are getting more advanced. Then one may assume that malicious programs may be used to spread from mobile devices to the organization's other systems, as well as to harvest information available on the devices for a person with malicious intent.
What's next
Mobile devices of different types will get more portable, get more functionality, and get more power in the months and years to come. Thus, the dangers that are discussed in this article are likely to prevail for years to come.
Per Olav Førland
